Security researchers are sounding the alarm about newly discovered vulnerabilities in the widely used web server management software cPanel and WebHost Manager (WHM).
The bug allows attackers to take complete control of servers running the affected software, which is believed to be used by tens of millions of website owners around the world.
Many commercial web hosting companies have already patched their customers’ systems. However, the cPanel maker urged customers to ensure their systems are patched, as the bug affects all supported versions of the software.
cPanel and WHM are two software suites used to manage web servers that host websites, manage email, and handle the critical configuration and databases needed to maintain an Internet domain. Both suites have deep access to the servers they control, potentially giving malicious hackers unrestricted access to data managed by the affected software.
The bug, officially tracked as CVE-2026-41940, allows malicious hackers to remotely bypass the login screen and gain full access to the software’s admin panel.
Given the prevalence of cPanel and WHM throughout the web hosting industry, attackers could potentially compromise a large number of websites hosted on servers that have not yet been patched.
Canada’s National Cyber Security Agency said in an advisory that the bug could be exploited to compromise websites on shared hosting servers, including those of major web hosting companies.
The agency said the “potential for abuse is very high” and immediate action is needed by cPanel customers or their web hosts to prevent malicious access.
Web hosting giant Namecheap, which uses cPanel to help customers manage their web servers, said it blocked customers’ access to its cPanel panel after learning of the flaw to prevent abuse and give customers time to patch their systems.
HostGator also said it has patched its systems and considers the bug a “serious authentication bypass exploit.”
One web hosting company said it had found evidence that attackers had been attempting to exploit the vulnerability months before those attempts were discovered.
KnownHost CEO Daniel Pearson said in a Reddit post that the company had been aware of attempts to exploit the vulnerability since February 23rd. The company also said it began temporarily blocking access to customers’ systems before applying the patch.
Of the thousands of machines on KnownHost’s network, about 30 servers showed signs of attempted unauthorized access, Pearson said. He likened the activity to an experiment and said there were no signs of active compromise.
cPanel also said it has rolled out security fixes for WP Squared, a similar tool for managing WordPress websites.
