Mon. May 4th, 2026

Hackers are actively exploiting a critical vulnerability in widely used server management software cPanel and WebHost Manager, leading to the compromise of thousands of websites. The flaw, identified as CVE-2026-41940, allows attackers to take full control of affected servers through their control panels, raising concerns across the global web hosting ecosystem.

Data released by Shadowserver Foundation shows that more than 550,000 servers remain potentially vulnerable, while about 2,000 instances have already been compromised, down from a peak of roughly 44,000 earlier in the week. Security researchers say attackers have used the vulnerability to hijack systems, with some affected websites temporarily displaying ransom messages indicating file encryption.

The Cybersecurity and Infrastructure Security Agency has confirmed that the vulnerability is being actively exploited and has added it to its Known Exploited Vulnerabilities catalogue, urging organisations to apply patches immediately. Evidence suggests the attacks may have started weeks before public disclosure, with hosting provider KnownHost reporting suspicious activity dating back to February.

While some compromised websites have since been restored, experts warn that unpatched systems remain at risk. The incident underscores ongoing challenges in securing widely deployed infrastructure software, where delays in patching can expose large numbers of organisations to coordinated cyberattacks.
