cPanel Hacked for Months: What Happened and How to Protect Your Sites Now

If you run a website on shared hosting, chances are good that it sits behind cPanel. This popular control panel helps millions of site owners manage files, emails, databases, and more without needing deep technical skills. But in late April 2026, a serious security problem came to light that has many webmasters worried.
Security researchers and hosting companies discovered a critical vulnerability in cPanel and its companion tool WHM (Web Host Manager). The flaw, tracked as CVE-2026-41940, lets attackers bypass the login screen completely. No username or password needed. Once inside, they can gain full root-level access to the server.
What makes this case especially concerning is how long the issue went unnoticed in the wild. One major hosting provider, KnownHost, reported seeing exploitation attempts as early as February 23, 2026. That means hackers had roughly two months to probe and abuse the bug before cPanel released a fix on April 28.
How Bad Is the Vulnerability?
This bug carries a CVSS score of 9.8 out of 10, which puts it in the highest danger category. It affects all supported versions of cPanel and WHM. Roughly 1.5 million cPanel instances are visible on the public internet, according to scans, so the potential reach is huge.
When attackers succeed, they can:
Access and modify any website on the server
Steal databases containing user information
Create new email accounts and send spam
Install malware or backdoors
In some cases, deploy ransomware that encrypts files
Some hosting companies reported that attackers used the access to drop web shells and exfiltrate data. Others saw signs of attempted root sessions in their logs. While not every server showed full compromise, the window of opportunity lasted long enough for serious damage on vulnerable systems.
Why Did It Take So Long to Patch?
Zero-day exploits like this often stay quiet while attackers test them on a small scale. Hosting providers only noticed widespread attempts after the bug became public knowledge. Once the details emerged, several companies quickly blocked cPanel and WHM ports to buy time while they rolled out patches across their networks.
cPanel's parent company, WebPros, pushed emergency updates for cPanel, WHM, and even the related WP Squared tool for WordPress management. Many hosts advised customers to update immediately and restart the cpsrvd service.
What Should You Do Right Now?
If your site runs on cPanel hosting, do not wait for your provider to contact you. Take these steps today:
Contact your host and ask whether they have applied the latest security update for CVE-2026-41940. Confirm they restarted services after patching.
Check your own access logs if you have WHM or reseller access. Look for unfamiliar login attempts or sessions from unknown IP addresses, especially successful root logins.
Review your websites for suspicious files, new admin accounts, or unexpected changes in databases. Malware scanners and tools like cPanel's Security Investigator can help.
Restore from clean backups if you suspect any compromise. A full restore to a date before late February is often the safest route on shared servers.
Strengthen basic security going forward. Use strong, unique passwords, enable two-factor authentication wherever possible, keep all software and plugins updated, and consider a web application firewall.
Even if your specific server was not hit, the public proof-of-concept exploit means attacks could ramp up quickly now that the details are out.
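The log check in the second step can be scripted. The following is an added example, not code from cPanel or from this article: it assumes an Apache-style access log line (client IP, user, timestamp, request, status) and a trusted admin range of your own, and the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumed line layout: client, ident, user, [time], "request", status (Apache-style prefix).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})\b'
)
# Assumed timestamp layouts; adjust to match the log you are reading.
TS_FORMATS = ("%m/%d/%Y:%H:%M:%S %z", "%d/%b/%Y:%H:%M:%S %z")
# First exploitation attempts reported in the article: February 23, 2026.
WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)

def parse_ts(text):
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return None

def suspicious_root_hits(lines, trusted_nets, since=WINDOW_START):
    """Return (time, ip, request) for successful root requests from untrusted IPs."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        ts = parse_ts(m["ts"]) if m else None
        if ts is None or ts < since:
            continue  # unparseable line, or before the reported window
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP address
        if m["user"] == "root" and int(m["status"]) < 400 and not any(ip in n for n in nets):
            hits.append((ts.isoformat(), str(ip), m["req"]))
    return hits

# Constructed sample lines (documentation IP ranges, made-up session token).
SAMPLE_LOG = """\
198.51.100.7 - root [02/20/2026:08:00:01 -0000] "GET /cpsess0000000000/ HTTP/1.1" 200 0
192.0.2.10 - root [03/01/2026:09:30:00 -0000] "GET /cpsess0000000000/ HTTP/1.1" 200 0
203.0.113.45 - root [03/02/2026:03:14:15 -0000] "GET /cpsess0000000000/ HTTP/1.1" 200 0
203.0.113.45 - root [03/02/2026:03:14:20 -0000] "GET /cpsess0000000000/ HTTP/1.1" 401 0
198.51.100.7 - alice [03/05/2026:11:00:00 -0000] "GET /cpsess0000000000/ HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    print(suspicious_root_hits(SAMPLE_LOG.splitlines(), ["192.0.2.0/24"]))
```

An empty result is not proof of a clean server, because an attacker with root access can alter logs. Treat it as one signal alongside the file, account, and database review in the next step.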
Lessons for Website Owners and Hosts
This incident highlights an uncomfortable truth about web hosting: convenience tools like cPanel make life easier but also create a single point of failure. When a flaw hits the control panel itself, every site on that server is at risk.
Hosting companies need to move faster on security updates and improve monitoring for unusual activity. For site owners, the takeaway is simple. Rely less on "set it and forget it" setups. Regularly review your hosting security, maintain off-site backups, and stay informed about major vulnerabilities.
The internet runs on thousands of these control panels. When one gets compromised for months, it reminds us how interconnected and fragile parts of the web infrastructure can be.
Have you checked with your hosting provider yet? If your site felt slower or behaved strangely since February, it might be worth a deeper look. Share your experiences in the comments. Staying ahead of these threats is the best defense we have.