Nearly 9,000 Hosts Are Seeing Ransomware on Their cPanels Right Now

Raise your hand if you knew attackers may have been exploiting a critical cPanel flaw since February. If you haven’t, it may be because the company only began taking remediation steps this past weekend.

On April 28, WebPros — cPanel’s parent company — disclosed CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel, WHM, and WP Squared that lets an attacker gain full administrative access to any affected server. So far, at least 8,859 servers/devices showed signs that their files had been encrypted by ransomware.

Canada’s government even issued a formal advisory on April 29 warning that exploitation was “highly probable” and that immediate action was required from anyone running cPanel — which obviously includes hosting providers.

At the time of publication, exploitation is still ongoing: at least three separate groups are actively abusing the vulnerability right now, including a .sorry ransomware campaign, a Mirai botnet variant, and a campaign targeting military and government domains in the Philippines and Laos, according to Ctrl-Alt-Intel.

The Timeline of Attacks

A small hosting provider out of Alabama says that by the time cPanel released its emergency patch on April 28, attackers had been abusing the vulnerability for nearly two months. That provider is KnownHost — and its CEO, Daniel Pearson, posted about it on Reddit.

He said that in mid-April, his team found around 30 exploitation attempts dating back to Feb. 23 — possibly even before cPanel noticed. Other hosting providers, including Namecheap and HostGator, patched their systems over the weekend.

Here’s a look at the timeline:

| Date | Event | Detail | Severity |
|---|---|---|---|
| 2/23/2026 | Earliest confirmed exploitation attempts | KnownHost CEO logs unauthorized access attempts against ~30 servers | Critical |
| 4/14/2026 | Separate, anonymous vulnerability report made to cPanel | Initial cPanel response was that nothing was wrong, so no action taken | Medium |
| 4/28/2026 | Emergency patch released (CVE-2026-41940) | Namecheap, KnownHost, HostPapa, InMotion block cPanel ports globally | Critical |
| Today | Exploitation is still ongoing | Ransomware (.sorry extension), Mirai botnet variant, possible nation-state activity; 8,859 hosts with encrypted files | Critical |

What Exactly Is the cPanel Vulnerability?

For anyone who’s in hosting but firmly on the non-development side, don’t worry — we’ll keep it simple.

The vulnerability lies in how cPanel’s service daemon handles pre-authentication session files. When someone attempts to log in and fails, cPanel still writes a session file to disk and returns a session cookie to the user.

An attacker can manipulate that cookie by omitting an expected value and injecting \r\n (carriage return / line feed) characters. Because the session file is written line by line, the injected line breaks let the attacker append properties of their own, such as successful_internal_auth_with_timestamp, which cPanel then reads back as proof that the user has already authenticated.
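To make the mechanism concrete from a defender’s side, here is an added illustration (not cPanel’s code, and not the real cPanel session format, which this article does not describe). It assumes a hypothetical line-oriented session store with one `key=value` pair per line, shows why a value containing CR/LF breaks out of its line and becomes a new key when the reader uses last-write-wins, and then shows the two fixes a hardened writer needs: refuse to persist sessions for failed logins at all, and reject control characters and reserved keys in anything client-controlled. The cookie value, timestamp, and field names are constructed for this example.

```python
import re
from typing import Dict

# Hypothetical session-file format assumed for this example: one "key=value" per line.
# This is NOT cPanel's real on-disk format; it only models the line-oriented failure mode.

# Server-side marker the reader treats as proof of a completed login (name taken from the article).
AUTH_MARKER = "successful_internal_auth_with_timestamp"

# Constructed attacker-supplied cookie value: the CRLF smuggles a second line into the file.
CONSTRUCTED_COOKIE = "alice\r\n" + AUTH_MARKER + "=1777420800"


def serialize_session_vulnerable(fields: Dict[str, str]) -> str:
    """Flawed path: persist every field unvalidated, even for a failed login.
    A CR/LF inside a value ends the current line and starts a new key=value line."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def parse_session(raw: str) -> Dict[str, str]:
    """Line-oriented reader. splitlines() treats \\r\\n, \\n and \\r as line breaks,
    so an injected line is parsed exactly like a legitimate one; later keys win."""
    session: Dict[str, str] = {}
    for line in raw.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        session[key.strip()] = value.strip()
    return session


def is_authenticated(session: Dict[str, str]) -> bool:
    """The trust decision: presence of the marker is taken as a completed login."""
    return AUTH_MARKER in session


# --- hardened writer -------------------------------------------------------

# Allowlist for client-controlled keys and values: no CR, LF or other control bytes.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._:@/-]*$")
_RESERVED_KEYS = {AUTH_MARKER}


class SessionWriteError(ValueError):
    """Raised when a session must not be written."""


def serialize_session_hardened(client_fields: Dict[str, str], login_succeeded: bool,
                               auth_timestamp: str = "1777420800") -> str:
    """Fix 1: never persist a session for a failed login, so there is nothing to poison.
    Fix 2: validate every client-controlled key and value against an allowlist and
    refuse reserved keys; only the server appends the authentication marker."""
    if not login_succeeded:
        raise SessionWriteError("refusing to persist a session for a failed login")
    for key, value in client_fields.items():
        if key in _RESERVED_KEYS:
            raise SessionWriteError(f"client may not set reserved key {key!r}")
        if not _SAFE_TOKEN.match(key) or not _SAFE_TOKEN.match(value):
            raise SessionWriteError(f"control characters or unexpected bytes in field {key!r}")
    lines = [f"{key}={value}\n" for key, value in client_fields.items()]
    lines.append(f"{AUTH_MARKER}={auth_timestamp}\n")  # server-controlled, appended last
    return "".join(lines)


def hardened_accepts(client_fields: Dict[str, str], login_succeeded: bool) -> bool:
    """True if the hardened writer would persist this session, False if it refuses."""
    try:
        serialize_session_hardened(client_fields, login_succeeded)
        return True
    except SessionWriteError:
        return False


if __name__ == "__main__":
    failed_login = {"user": CONSTRUCTED_COOKIE, "failed_attempts": "1"}
    raw = serialize_session_vulnerable(failed_login)
    print(repr(raw))
    print("vulnerable reader treats forged session as authenticated:",
          is_authenticated(parse_session(raw)))
    print("hardened writer persists failed login:", hardened_accepts(failed_login, False))
    print("hardened writer accepts CRLF value on success:", hardened_accepts(failed_login, True))
    print("hardened writer accepts clean value on success:",
          hardened_accepts({"user": "alice"}, True))
```

The key observation is that the reader is not the weak point on its own: `parse_session` is a perfectly ordinary line parser. The bug is the combination of writing attacker-influenced bytes into a format whose delimiter the attacker can supply, and treating a key in that file as a server-only assertion. Either fix alone closes this path; both together also close the variant where a future field is added without validation.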

Why Did It Take Weeks to Surface?

The roughly two-week gap is blurry at best: cPanel received the initial report on April 14, but its public advisory didn’t come out until April 28.

According to a webhosting.today source, “the vulnerability had been reported to cPanel approximately two weeks before the April 28 public advisory, and that cPanel’s initial response was that nothing was wrong.”

Obviously, standard protocol is to notify anyone affected by a data or security risk. But we unfortunately don’t have enough information at this point to confirm whether WebPros had previous awareness of exploitation before late April.

watchTowr Labs’ proof of concept (a working example of how far the exploit could go) came out on April 29, one day after cPanel’s patch. By the 30th, tens of thousands of IPs were already scanning the internet for unpatched cPanel systems.

What Do Hosting Providers Need to Do Now?

  • Patch immediately: If you’re running any version of cPanel or WHM released after 11.40, you need to update now
  • Restart cpsrvd after patching: cPanel specifically recommends this step
  • Check for compromise: cPanel released a detection script that scans session files; watchTowr also released a Detection Artifact Generator
  • Block access to ports 2083, 2087, 2095, and 2096: Do this if you can’t patch immediately — it’s the workaround Namecheap had to use before the patch became available
  • If anything is compromised, start over: Security firm Nocinit said rebuilding is always the safer call if there’s any confirmed compromise

If you’re not sure whether you’ve been compromised, try using cPanel’s detection script. If it comes back with a Critical or Warning message, your server may be compromised. You’ll have to move to a clean server or reinstall the OS and restore from your backups.