
Hackers Compromise 2,000 Servers Through Actively Exploited cPanel Vulnerability

Hackers exploited a critical flaw in cPanel and WebHost Manager software to compromise approximately 2,000 servers as of Monday, down from 44,000 on Thursday, according to data published by Shadowserver, a nonprofit that monitors internet attacks. More than 550,000 servers still running the popular web hosting control panel are potentially vulnerable, TechCrunch reported Sunday.

The flaw, tracked as CVE-2026-41940, allows attackers to take full control of vulnerable servers through their control panels. cPanel disclosed the vulnerability nearly a week ago, but exploitation began much earlier—KnownHost CEO Daniel Pearson told TechCrunch his company detected attacks dating back to February 23, more than two months before public disclosure.

The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on Thursday and ordered federal agencies to patch their systems by Sunday, May 4.

Ransomware Attacks Surface Through Google Search Results

Security researchers first detected mass exploitation on Thursday, when hundreds of compromised websites began displaying ransom notes. Bleeping Computer reported that Google indexed dozens of sites showing messages from attackers claiming to have encrypted victim files. Some of those sites have since returned to normal operation, according to the report.

The ransom note included a chat identifier for victims to contact the attackers, who did not respond to TechCrunch's request for comment. The extent of data encryption or theft remains unclear, though the visible Google index entries suggest at least some attacks progressed beyond initial server access.

cPanel acknowledged TechCrunch's request for comment but did not provide a statement by publication time. The company has not disclosed how many customers installed the patch in the week since disclosure or whether it has evidence of earlier compromise attempts.

Timeline Suggests Months of Undetected Access

The gap between KnownHost's February 23 detection and cPanel's late-April disclosure raises questions about how long attackers maintained access to vulnerable servers before security teams identified the campaign. Agency owners managing client hosting infrastructure on cPanel-based shared hosting environments face potential exposure if hosting providers delayed patching or if clients run dedicated cPanel instances.

Shadowserver's count of 550,000 potentially vulnerable servers has remained stable for several days, suggesting many cPanel installations have not yet applied the available patch. The drop from 44,000 compromised instances on Thursday to 2,000 on Monday indicates either successful remediation by hosting providers or attackers shifting tactics after public disclosure drew attention to their campaign.

CISA's Known Exploited Vulnerabilities catalog carries binding directives for federal agencies but serves as a reference for private sector organizations. The agency previously flagged actively exploited cPanel authentication bypass vulnerabilities, establishing a pattern of targeting that makes the control panel software a persistent concern for WordPress agencies relying on shared hosting providers.

Reading Between the Lines

WordPress agencies running client sites on cPanel-based hosting infrastructure should verify patch status with their hosting providers immediately, particularly if managing dedicated server instances where patching responsibility falls to the agency rather than the host. The February detection timeline means attackers potentially had months to establish persistence mechanisms that survive simple patching—agencies should treat any cPanel instance from this period as potentially compromised and conduct full security audits rather than relying solely on software updates.

The attack demonstrates why agencies building automated compliance and risk controls gain operational advantage beyond basic security hygiene. Monitoring for indicators of compromise across client infrastructure catches exploitation attempts before they escalate to ransomware deployment, but manual security processes struggle to scale across dozens or hundreds of client sites.

For agencies evaluating hosting infrastructure decisions, this incident underscores the hidden operational cost of shared hosting platforms where patching timelines depend on provider action rather than agency control. White-label development teams managing client infrastructure need documented patch verification procedures and escalation paths for when hosting providers fail to address critical vulnerabilities within 24 hours of disclosure, a standard that CISA imposes on federal agencies but that few commercial hosts match.