cPanel Security Alert: Over 40,000 Servers Affected by Recent Exploits
Servers Affected by cPanel Exploitation Total Over 40,000 in Ongoing Campaign
In recent weeks, a significant number of servers have been compromised through exploitation of a critical vulnerability in cPanel & WebHost Manager (WHM).
Vulnerability Details
- The vulnerability, identified as CVE-2026-41940, allows unauthenticated attackers to gain administrative access to cPanel.
- This lets them take control of the host system and compromise the configurations, databases, and websites managed by the platform.
According to a report from The Shadowserver Foundation, a non-profit organization tracking the campaign, tens of thousands of potentially compromised systems have been detected.
The exact number is difficult to pinpoint, but the foundation estimates that over 40,000 unique IP addresses have been impacted.
Exploitation Method
- The vulnerability is exploited by sending special characters in authorization headers, which causes parameters to be written to a session file.
- That session can then be triggered to authenticate using the injected administrative credentials.
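The class of bug described above, delimiter injection into a session store, is sketched here as an added example; it is not cPanel's code. The line-oriented key=value format, the field names, and the choice of a line break as the "special character" are all assumptions, since the page does not specify them.

```python
import re

# Assumed format: one "key=value" record per line (the page does not give
# the real session-file layout). All names below are hypothetical.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f]")      # control characters, incl. CR and LF
_KEY = re.compile(r"[a-z_][a-z0-9_]*")


def naive_serialize(fields):
    """Unsafe pattern: header-derived values are written verbatim."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def safe_serialize(fields):
    """Refuse any key or value that could start a new record."""
    out = []
    for key, value in fields.items():
        if not _KEY.fullmatch(key):
            raise ValueError(f"illegal session key: {key!r}")
        if _UNSAFE.search(value):
            raise ValueError(f"control character in value for {key!r}")
        out.append(f"{key}={value}\n")
    return "".join(out)


def parse_session(text):
    """Strict reader: a malformed line or a repeated key fails closed."""
    fields = {}
    for line in filter(None, text.split("\n")):
        key, sep, value = line.partition("=")
        if not sep or not _KEY.fullmatch(key):
            raise ValueError(f"malformed session line: {line!r}")
        if key in fields:
            raise ValueError(f"duplicate session key: {key!r}")
        fields[key] = value
    return fields


# Constructed input: a header-derived value that carries a line break.
CONSTRUCTED_HEADER_VALUE = "guest\nis_admin=1"

if __name__ == "__main__":
    # The naive writer turns one field into two records on disk.
    print(parse_session(naive_serialize({"user": CONSTRUCTED_HEADER_VALUE})))
    try:
        safe_serialize({"user": CONSTRUCTED_HEADER_VALUE})
    except ValueError as exc:
        print("rejected:", exc)
```

Validating at write time and failing closed on duplicate keys at read time are independent checks; either one alone stops the constructed input from yielding a privileged field.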
cPanel’s official advisory indicates that all versions after 11.40 are vulnerable. Users should update their installations to a patched release as soon as possible and follow cPanel’s guidelines for identifying and addressing potential compromises.
Affected Regions
- The most commonly affected systems are located in the United States.
- France and the Netherlands are also notable hotspots for compromised cPanel instances.
CISA has added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog, advising federal agencies to address the vulnerability within four days.
Recommendations
- Users who have not yet patched their systems are urged to do so promptly, as the risk of further exploitation remains high.
- Regularly updating software, applying patches, and conducting thorough security audits can help prevent similar vulnerabilities from being exploited in the future.
