cPanel bug – Misryoum reports that attackers continue exploiting a critical cPanel/WHM flaw, with evidence of compromised instances and ongoing recovery efforts.
A critical cPanel vulnerability is still being used by attackers, and it is continuing to put a large number of websites at risk, Misryoum reports.
For days after cPanel and WHM maintainers flagged the issue. hostile actors have kept moving toward servers that run the affected software.. Misryoum notes that internet-wide monitoring shows a large pool of potentially vulnerable installations. alongside a smaller but growing set of systems believed to be compromised.
In this context, the main danger is not just initial intrusion but what comes after: once attackers gain control through the exposed control-panel pathway, they can disrupt operations, alter content, or set the stage for extortion.
Cybersecurity researchers warned that the flaw, tracked as CVE-2026-41940, was being actively exploited.. The issue was added to a widely used catalog of known, in-the-wild vulnerabilities, and urgent patching guidance was issued.. Misryoum also highlights that the attackers appear to have targeted environments well before the vulnerability became widely known. suggesting criminals may have been preparing access earlier than public alerts.
While the full scope of outcomes varies by site. visible signs of ransomware activity have been documented across some affected webpages.. In multiple cases, victims were met with demands that included a contact identifier for negotiations.. Some of those sites later returned to normal operation, but that does not necessarily mean the underlying compromise was removed.
From an operational standpoint. this is a reminder that patching alone may not be enough if a server was already controlled.. Organizations often need to verify logs. confirm integrity of affected systems. and validate that any persistence mechanisms introduced by attackers are fully removed.. The cost of delay can be far higher than the time required to update.
Misryoum also points out that the response time matters: defenders have to reach remediation quickly. especially when public exploits spread and attackers iterate.. Even when the number of compromised instances appears to fluctuate. the continuing exploitation signals that attackers remain active and the opportunity window is still open.
The bigger takeaway for website owners and hosting teams is clear: keep cPanel/WHM patch routines tight, monitor for abnormal changes, and treat control-panel access as high-value. As long as vulnerable systems remain online, attackers will keep testing and compromising new targets.