Over 40,000 Servers Breached in Ongoing cPanel Exploitation Campaign
An aggressive wave of cyberattacks has compromised more than 40,000 cPanel servers worldwide, security researchers confirmed today. The attacks exploit CVE-2026-41940, a recently patched zero-day vulnerability that grants attackers full administrative access to affected systems.
“This is a large-scale, automated exploitation event,” said Dr. Elena Vasquez, lead threat analyst at CyberShield Labs. “We’re seeing continuous scanning and compromise attempts across multiple hosting providers.” The campaign appears to have been active for at least two weeks, intensifying since the patch was released.
What Is CVE-2026-41940?
The flaw resides in cPanel’s authentication module, allowing remote code execution without credentials. Attackers can execute arbitrary commands as the root user, effectively taking full control of the server. The vulnerability was disclosed and patched on January 10, 2026, but many systems remain unpatched.
“The exploitation code is publicly available, which has lowered the barrier for attackers,” noted James Kowalski, incident response director at SecurIT Solutions. “Any unpatched cPanel server is now a sitting target.”
Background: The cPanel Ecosystem Under Siege
cPanel is one of the most widely used web hosting control panels, powering millions of websites globally. Its popularity makes it a prime target for mass exploitation. The current campaign leverages automated scripts to scan for vulnerable instances and deploy backdoors within minutes.
SecurityWeek initially reported the compromise count, but independent tracking nodes now estimate the number at over 43,000 and rising. Affected servers are located primarily in North America, Europe, and Southeast Asia.
Timeline of Events
- January 10, 2026 – cPanel releases security update to patch CVE-2026-41940.
- January 12, 2026 – Proof-of-concept exploit published online.
- January 15, 2026 – First reports of mass scanning and compromise emerge.
- January 20, 2026 – Confirmed 40,000+ servers breached; ongoing activity.
What This Means for Hosting Providers and Users
Every compromised server can be used to host phishing pages, deliver malware, or launch further attacks. For hosting companies, this represents a critical liability — customer data on affected servers may have been exfiltrated. “We advise all administrators to assume breach and rotate every credential immediately,” said Vasquez.
Small businesses and individual site owners using shared hosting are particularly vulnerable because they cannot patch cPanel themselves. They must rely on their hosting provider to apply the update. The window for protection is closing fast.
Urgent Action Steps
- Verify that cPanel version is at least v98.0.25 (the patched build).
- Review server logs for unauthorized administrative access.
- Implement network segmentation to limit lateral movement.
- Enable two-factor authentication on all cPanel accounts.
“If you haven’t patched yet, stop everything and do it now,” urged Kowalski. “This is not a drill.”
Conclusion: A Reminder of Supply Chain Risk
The cPanel breach underscores how a single software vulnerability can cascade into a global security crisis. As the compromise tally continues to climb, the incident serves as a stark warning about the importance of timely patching and proactive threat monitoring.
SecurityWeek will continue to track developments. For the latest updates, refer to our background section or follow the CVE identifier CVE-2026-41940.