Security researchers are sounding the alarm on a newly discovered vulnerability in the widely used web server administration software cPanel and WebHost Manager (WHM).
The bug allows hackers to hijack and take full control of the servers running the affected software, which is thought to be used by tens of millions of website owners around the world.
Many commercial web hosting companies have already patched their customers’ systems. But cPanel's maker urged customers to make sure that their systems are patched, as the bug affects all supported versions of the software.
cPanel and WHM are two software suites used for managing web servers that host websites, handle email, and manage the important configurations and databases needed to maintain an internet domain. The two suites have deep access to the servers that they manage, allowing a malicious hacker potentially unrestricted access to data managed by the affected software.
The bug, officially tracked as CVE-2026-41940, allows malicious hackers to remotely bypass the software's login screen to gain full access to its administration panel.
Given the ubiquity of cPanel and WHM across the web hosting industry, hackers could compromise potentially large numbers of websites that haven’t patched the bug.
Canada’s national cybersecurity agency said in an advisory that the bug could be exploited to compromise websites on shared hosting servers, such as large web hosting companies.
The agency said that “exploitation is extremely possible” and that immediate action from cPanel customers, or their web hosts, is necessary to prevent malicious access.
Web hosting giant Namecheap, which uses cPanel to let its customers manage their web servers, said the company blocked access to customers’ cPanel panels after learning of the flaw to prevent exploitation, and to give it time to patch its customers’ systems.
HostGator also said it patched its systems and is considering the bug a “crucial authentication-bypass exploit.”
One web hosting company says it found evidence that hackers had been abusing the vulnerability for months before the attempts were discovered.
KnownHost CEO Daniel Pearson said in a post on Reddit that his company has seen attempts to exploit the vulnerability as far back as February 23. The company said it also briefly began blocking access to customer systems before applying patches.
According to Pearson, around 30 servers at KnownHost showed signs of unauthorized attempted access out of thousands of computers on its network. Pearson likened the efforts to attempts, and has not seen signs of active compromise. cPanel also said it rolled out a security fix for WP Squared, a similar software for managing WordPress websites.

