44,000 Web Servers Hit by cPanel Vulnerability CVE-2026-41940
A critical cPanel authentication bypass is being mass-exploited with ransomware and botnets. Here's how to check if your business website is affected.

A critical authentication bypass vulnerability in cPanel and WebHost Manager is under active mass exploitation. CVE-2026-41940 allows attackers to gain admin access to web hosting servers without credentials, and threat actors have wasted no time putting it to use. The Shadowserver Foundation has identified over 44,000 unique cPanel-related IPs involved in scanning, exploitation, and brute-force attacks as of April 30, 2026. If your business website runs on shared hosting, you need to verify that your hosting provider has patched.
What cPanel Is and Why This Matters to Your Business
Most business owners never interact with cPanel directly, but there’s a good chance it runs behind the scenes. cPanel is the control panel software that powers a large share of web hosting services worldwide. When you log into your hosting provider’s dashboard to manage email accounts, upload files, or view website statistics, you’re often using cPanel or a reskinned version of it.
cPanel paired with WebHost Manager (WHM) is the standard management stack for shared hosting, VPS hosting, and dedicated server environments. Thousands of Texas businesses have company websites, client portals, and email services running on cPanel-managed servers, often through hosting providers like HostGator, Bluehost, GoDaddy, A2 Hosting, and hundreds of smaller regional hosts.
CVE-2026-41940 is an authentication bypass that lets attackers gain full administrative access to cPanel/WHM servers without any credentials. Once inside, they have complete control over every website, database, and email account hosted on that server. For shared hosting customers, that means a single compromised server can affect dozens or hundreds of business websites at once.
Three Active Attack Campaigns Are Underway
According to the Shadowserver Foundation dashboard and the cPanel security advisory, at least three distinct threat actor groups are exploiting this vulnerability simultaneously. (Additional reporting from Help Net Security and The Hacker News.)
- “Sorry” ransomware deployment. A Go-based Linux ransomware strain is being deployed on compromised servers. Encrypted files receive a .sorry extension. Critically, attackers are deleting backups stored on the same server before encrypting, which means businesses relying on their hosting provider’s built-in backup feature may lose everything.
- Mirai botnet enrollment. Compromised servers are being enrolled into Mirai botnets for cryptocurrency mining and distributed denial-of-service attacks. Your business website could be participating in attacks against other organizations without your knowledge.
- Nation-state espionage. Security researchers have identified government-linked threat actors targeting hosting providers that serve government agencies and managed service providers, using the access to conduct surveillance and data theft.
The timeline has been aggressive. cPanel released patches on April 28, 2026, but exploitation activity was already widespread by that point. Two weeks after the first reports of probing, the vulnerability had escalated to mass exploitation across multiple threat groups. Many hosting providers have still not applied the patches.
How to Check If Your Business Is Affected
You don’t need to be technical to take these steps. If your business has a website on hosted infrastructure, work through this checklist this week.
1. Ask Your Hosting Provider If They’ve Patched
Send your hosting provider a direct question: “Have you applied the patch for CVE-2026-41940 on all cPanel/WHM servers, and which cPanel/WHM build is my server running?” Don’t accept vague assurances like “we keep our systems up to date.” You need a specific yes or no answer referencing this CVE, ideally with the build number, so you can check it against the fixed version yourself. If they can’t confirm, consider that a red flag.
If you manage your own server with cPanel, log into WHM; the installed build is shown in the WHM header and under Home > Server Status > Server Information. cPanel released the fix in versions 11.120.0.23 and later; any build older than that is vulnerable. cPanel ships several release tiers (LTS, Stable, Release, Current), so confirm the fixed build for your tier against the cPanel advisory rather than assuming one number covers every branch, and re-check after the nightly automatic update has run: a server whose tier has not yet received the fix stays exposed even with updates enabled.
2. Check Your Website for Signs of Compromise
Review your website and hosting environment for these indicators:
- Files with a .sorry extension anywhere on your server, which indicates the Sorry ransomware has already executed
- Unfamiliar files or directories in your web root, particularly PHP files you did not upload
- New or unfamiliar cPanel user accounts that your team did not create
- Website content that has been modified, including defacement, injected links, or redirects to unfamiliar domains
- Unusual resource usage reported by your hosting provider, such as CPU or bandwidth spikes that could indicate cryptomining
If you spot any of these signs, contact your hosting provider immediately and engage your IT security team. Do not attempt to clean up the compromise yourself without first preserving evidence for investigation.
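For readers who administer their own server, the version check in step 1 and the file-system indicators in step 2 can be run as one read-only script. This is an added example, not code from cPanel or from the article’s authors. It assumes the standard cPanel paths (the plain-text build number in /usr/local/cpanel/version, one file per account under /var/cpanel/users, document roots under /home/*/public_html) and takes the fixed build 11.120.0.23 from the article; confirm that value against the cPanel advisory for your release tier before relying on it. It only reads and lists, it does not delete or modify anything, so it is safe to run before evidence is preserved.

```shell
#!/bin/sh
# Added example (not cPanel's code, not the article's): read-only triage for a
# cPanel/WHM server you administer. Checks the installed build against the
# first fixed build named in the article, looks for .sorry files, and lists
# recently created cPanel accounts and recently changed PHP files.
# Assumptions: standard cPanel paths below; FIXED_VERSION is from the article.

FIXED_VERSION=${FIXED_VERSION:-11.120.0.23}
VERSION_FILE=${VERSION_FILE:-/usr/local/cpanel/version}   # plain-text installed build
USERS_DIR=${USERS_DIR:-/var/cpanel/users}                 # one file per cPanel account
DAYS=${DAYS:-14}                                          # lookback window in days

# version_lt A B: exit 0 if dotted version A sorts before B (missing parts count as 0).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 1
}

# check_cpanel_version FILE FIXED: prints NOT_FOUND, UNKNOWN, "VULNERABLE <ver>" or "PATCHED <ver>".
check_cpanel_version() {
  [ -r "$1" ] || { echo NOT_FOUND; return 0; }
  ver=$(head -n 1 "$1" | tr -cd '0-9.')      # keep only digits and dots
  [ -n "$ver" ] || { echo UNKNOWN; return 0; }
  if version_lt "$ver" "$2"; then echo "VULNERABLE $ver"; else echo "PATCHED $ver"; fi
}

# find_sorry_files DIR: files carrying the ransomware's .sorry extension.
find_sorry_files() { find "$1" -type f -name '*.sorry' 2>/dev/null; }

# recent_accounts DIR DAYS: cPanel account files created or modified within DAYS days.
recent_accounts() { find "$1" -maxdepth 1 -type f -mtime -"$2" 2>/dev/null | sed 's#.*/##'; }

# recent_php DIR DAYS: PHP files changed within DAYS days under a document root
# (uploaded web shells usually land here).
recent_php() { find "$1" -type f -name '*.php' -mtime -"$2" 2>/dev/null; }

run_triage() {
  echo "cPanel build: $(check_cpanel_version "$VERSION_FILE" "$FIXED_VERSION")"
  echo "--- .sorry files (ransomware already ran if any appear) ---"
  find_sorry_files /home
  echo "--- cPanel accounts touched in the last $DAYS days ---"
  recent_accounts "$USERS_DIR" "$DAYS"
  echo "--- PHP files changed in the last $DAYS days under /home/*/public_html ---"
  for d in /home/*/public_html; do [ -d "$d" ] && recent_php "$d" "$DAYS"; done
}

# Usage: sh cpanel_triage.sh run   (as root on the server)
case "${1-}" in run) run_triage ;; esac
```

Any line of output under the .sorry heading means step 3 below is already urgent; an account you do not recognise or a PHP file nobody on your team uploaded is the point at which to stop, preserve the server as-is, and bring in your provider and security team.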
3. Verify Your Backups Are Intact and Independent
This is the most important step for businesses on shared hosting. The Sorry ransomware campaign specifically targets backups stored on the same server before encrypting production data. If your only backups live inside your hosting provider’s cPanel backup system, they may already be compromised or deleted.
Confirm that you have at least one backup of your website files and databases that is stored outside your hosting provider’s infrastructure. That could be a local copy on your office network, a separate cloud storage service, or a backup and disaster recovery solution managed independently from your web host. A backup you have never restored is unverified, so test a restore into a scratch location at least once. If you don’t have an independent backup, create one right now before doing anything else.
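If your IT team has shell access to the hosting account, the independent backup can be scripted and repeated. The script below is an added example, not from the article or from cPanel. It assumes SSH access to the account, mysqldump and rsync available on the host, database credentials supplied through ~/.my.cnf or the MYSQL_PWD environment variable, and an offsite host that accepts rsync over SSH; DOCROOT, DB_NAME, OFFSITE_DEST and backup.example.com are placeholders to replace.

```shell
#!/bin/sh
# Added example (not the article's or cPanel's code): stage a copy of a site's
# files and database and push it off the hosting provider's infrastructure.
# Assumptions: SSH to the hosting account, mysqldump and rsync present,
# DB credentials in ~/.my.cnf or MYSQL_PWD, an offsite rsync-over-SSH target.

DOCROOT=${DOCROOT:-$HOME/public_html}
DB_NAME=${DB_NAME:-}                      # leave empty if the site has no database
OFFSITE_DEST=${OFFSITE_DEST:-backups@backup.example.com:/srv/site-backups/}   # placeholder
STAGING=${STAGING:-$HOME/offsite-staging}

# archive_site DOCROOT OUT: tar+gzip the document root. Files already renamed
# to .sorry are encrypted, so they are excluded and cannot poison a later restore.
archive_site() {
  tar --exclude='*.sorry' -czf "$2" -C "$1" .
}

# archive_has ARCHIVE PATH: exit 0 if PATH (e.g. ./index.php) is inside the archive.
archive_has() {
  tar -tzf "$1" | grep -qxF -- "$2"
}

# dump_database NAME OUT: consistent logical dump. Credentials come from
# ~/.my.cnf or MYSQL_PWD, not the command line, so they do not appear in ps.
dump_database() {
  mysqldump --single-transaction "$1" | gzip > "$2"
}

# write_checksums DIR: SHA-256 sidecar, re-checked on the offsite host after transfer.
write_checksums() {
  ( cd "$1" && sha256sum ./*.gz > SHA256SUMS )
}

# ship_offsite DIR DEST: copy the staged set to the offsite host.
ship_offsite() {
  rsync -a "$1"/ "$2"
}

run_backup() {
  stamp=$(date +%Y%m%d-%H%M%S)
  out=$STAGING/$stamp
  mkdir -p "$out"
  archive_site "$DOCROOT" "$out/site.tar.gz"
  if [ -n "$DB_NAME" ]; then dump_database "$DB_NAME" "$out/db.sql.gz"; fi
  # an archive without the site's entry point is not a usable backup
  archive_has "$out/site.tar.gz" ./index.php || { echo "index.php missing from archive" >&2; return 1; }
  write_checksums "$out"
  ship_offsite "$out" "$OFFSITE_DEST"
  echo "backup $stamp staged in $out and copied to $OFFSITE_DEST"
}

# Usage: DB_NAME=mysite_db sh offsite_backup.sh run
case "${1-}" in run) run_backup ;; esac
```

Run it from cron on the hosting account, and have the offsite host pull rather than the web host push if you can: an attacker with root on the web server can read any credentials stored there, so the offsite copy should be writable with an append-only or write-once key, never with one that can delete existing backups.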
Why This Is a Recurring Problem
Web hosting infrastructure is a persistent blind spot for small and mid-sized businesses. Most companies treat their website as a set-and-forget asset. The hosting account was set up years ago, possibly by someone who no longer works there, and nobody reviews the hosting provider’s security practices or patch status on a regular basis.
This vulnerability follows the same pattern we’ve seen with the FortiClient EMS zero-day and the Adobe Acrobat zero-day: a critical flaw is disclosed, patches are released, and organizations that lack a systematic approach to vulnerability management get caught in the gap between disclosure and remediation.
The difference with web hosting is that you’re dependent on a third party to apply the patch. Unlike software on your own endpoints, you can’t patch your hosting provider’s server yourself. That makes the “ask your provider” step non-optional, and it makes choosing hosting providers with strong security track records a business decision worth revisiting.
What to Do This Week
- Contact your hosting provider and ask specifically about CVE-2026-41940 patch status
- Check your website for signs of compromise (unfamiliar files, modified content, .sorry extensions)
- Verify you have independent backups of your website files and databases stored outside your hosting environment
- Review who has access to your hosting account and cPanel credentials, including any API tokens, and rotate passwords if you haven’t recently
- Document your hosting provider’s security practices so you know who to contact and what SLAs exist if a future vulnerability affects your site
If your IT team manages web infrastructure alongside your managed IT environment, make sure they’ve added cPanel/WHM version monitoring to their regular vulnerability scanning workflow. If nobody on your team is tracking hosting security, that gap needs to be closed.
Need Help Verifying Your Website Security?
Our team can help you assess your hosting environment, verify your backups, and close security gaps in your web infrastructure.
If you need help evaluating your hosting security or investigating a potential compromise, contact our team at 800-985-1365.