CONSENSUS WIRE
← Back to Tech & Science

Over 40,000 Servers Compromised by Critical cPanel Vulnerability

Tech & ScienceAI-Generated & Algorithmically Scored·

AI-generated from multiple sources. Verify before acting on this reporting.

More than 40,000 web servers globally were compromised in a widespread attack exploiting a critical authentication-bypass vulnerability in cPanel and WebHost Manager (WHM) software. The breach, identified on May 4, 2026, stems from CVE-2026-41940, a flaw that allows attackers to bypass authentication controls and gain unauthorized access to server systems.

The vulnerability was publicly disclosed on April 28, though evidence indicates exploitation began as early as late February, suggesting the flaw was actively targeted as a zero-day before its official announcement. The attack has primarily affected systems in the United States, with France and the Netherlands representing the next largest concentrations of compromised infrastructure.

Security researchers confirmed that the vulnerability enables threat actors to execute arbitrary code on affected servers without valid credentials. The flaw impacts cPanel and WHM, widely used control panels that manage web hosting environments for millions of websites worldwide. Once exploited, attackers can install malware, steal sensitive data, or use the compromised servers as launchpads for further attacks.

The scale of the compromise underscores the urgency of patching affected systems. cPanel has released updates addressing the vulnerability, urging administrators to apply patches immediately. However, the rapid spread of the exploit indicates that many systems remained unpatched during the window between the vulnerability's discovery and its public disclosure.

Network traffic analysis shows a sharp increase in exploitation attempts beginning in late February, coinciding with the suspected zero-day period. The attack vector involves sending specially crafted requests to vulnerable instances of cPanel and WHM, bypassing login requirements and granting full administrative access.

Industry experts warn that the impact may extend beyond the initial 40,000 confirmed compromised servers. Many organizations may not yet be aware their systems have been breached, particularly if attackers have maintained persistent access without triggering immediate alarms. The potential for data exfiltration, ransomware deployment, or inclusion in botnets remains a significant concern.

Government agencies and cybersecurity firms are urging web hosting providers and system administrators to verify their systems have been updated. The incident highlights the risks associated with widely deployed software containing unpatched vulnerabilities, particularly when exploited before public disclosure.

As of May 4, the full extent of the damage remains unclear. Investigators are working to determine whether the compromised servers were used for further malicious activities and whether sensitive data was accessed or exfiltrated. The timeline of the exploitation and the identity of the threat actors behind the campaign have not been confirmed.