Hackers are actively exploiting a bug in cPanel, which is used by millions of websites

Source: TechCrunch

Security researchers have raised the alarm over a newly discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM).

This flaw allows hackers to infiltrate and take full control of servers running the affected software, which is believed to be used by tens of millions of website owners around the world.

Many commercial web hosting companies have already patched their customers’ systems. But the maker of cPanel urged customers to make sure their systems are patched because the bug affects all supported versions of the software.

cPanel and WHM are two software suites used to manage web servers that host websites, manage emails, and handle important configurations and databases needed to maintain an Internet domain. Both have deep access to the servers they manage, so a malicious hacker who compromises them gains unfettered access to the data managed by the affected software.

The bug, officially tracked as CVE-2026-41940, allows malicious hackers to remotely bypass the login screen to gain full access to the software’s administration panel.

Since cPanel and WHM are ubiquitous across the web hosting industry, hackers can compromise a large number of websites that have not patched the flaw.

The flaw could be exploited to hack websites located on shared hosting servers, such as those run by large web hosting companies, Canada’s National Cybersecurity Agency said in an advisory.

The agency said that “exploitation is highly likely” and that immediate action by cPanel customers, or their web hosts, is necessary to prevent malicious access.

Web hosting company Namecheap, which uses cPanel to let its customers manage their own web servers, said the company blocked access to customers’ cPanel panels after learning of the flaw to prevent exploitation, and to give it time to patch its customers’ systems.

HostGator also said it has patched its systems and considers the vulnerability a “critically important authentication bypass exploit.”

One web hosting company says it has found evidence that hackers were abusing the vulnerability for months before the attempts were discovered.

Daniel Pearson, CEO of KnownHost, said in a post on Reddit that his company has seen attempts to exploit the vulnerability since February 23. The company said it also briefly began blocking access to customer systems before applying patches.

According to Pearson, about 30 servers at KnownHost showed signs of attempting to gain unauthorized access to thousands of computers on its network. Pearson likened the efforts to attempts, and saw no signs of active settlement.

cPanel also said it has rolled out a security fix for WP Squared, a similar tool for managing WordPress sites.

🕒 **Posted on**: 1777609453
