
CRITICAL ALERT: 1.5 Million cPanel Servers Exposed to Passwordless Hack — Cybercriminals Had Full Access for Over 2 Months

CVE-2026-41940 flaw lets attackers seize complete control of websites without passwords, putting millions of businesses at risk worldwide


A devastating cybersecurity flaw in cPanel, one of the world’s most widely used web hosting control panels, has reportedly exposed an estimated 1.5 million servers to full administrative takeover without requiring passwords, triggering urgent warnings across the global web hosting industry.

The critical vulnerability, identified as CVE-2026-41940 and rated 9.8 out of 10 on the CVSS severity scale, allowed attackers to gain root-level access simply by injecting two carriage-return/line-feed sequences (CRLF, \r\n) into specially crafted login requests. Security analysts say the flaw may have been actively exploited since February 23, 2026, more than two months before an official patch was released on April 28.

According to cybersecurity researchers, the exploit took advantage of improper sanitization in cPanel’s session file handling. Because request-supplied values were written into temporary session files without line-break characters being stripped, an attacker could smuggle extra lines such as user=root and hasroot=1 into a session file. When the file was read back, the authentication system trusted those forged values and granted unrestricted access, bypassing the password check entirely.

In technical terms, a missing check on two line-break characters reportedly turned cPanel’s authentication mechanism into an open gateway for cybercriminals, potentially exposing millions of websites hosted on vulnerable servers.
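To make the mechanism concrete, the following is an added illustration written for this article, not cPanel’s own code and not a reproduction of the actual exploit. It models the bug class described above: a login handler that writes a client-supplied username into a newline-delimited key=value session file, a line-based parser that trusts whatever it reads back, and a root check that keys off user=root and hasroot=1. The file layout, key names and function names are assumptions for the demo; the attack input is constructed. The hardened variant rejects the payload with an allow-list, and a small audit routine shows how an existing session file carrying injected lines could be spotted.

```python
import re

# Constructed demo of CRLF injection into a line-oriented session store.
# Layout, key names and helpers are assumptions, not cPanel's real format.

USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")   # strict allow-list
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")                # any control byte


def serialize(fields):
    """Write fields as one key=value pair per line, values taken verbatim."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def parse_session(blob):
    """Line-based parser in which the last occurrence of a key wins."""
    session = {}
    for line in blob.splitlines():          # splits on \n and \r\n alike
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value.strip()
    return session


def is_root_session(session):
    """The privilege check the forged lines are aimed at."""
    return session.get("user") == "root" and session.get("hasroot") == "1"


def login_vulnerable(username):
    """Vulnerable: the submitted username is written to the file unsanitised.
    hasroot is only ever written by the server for genuine root logins, so a
    normal login should never produce a session that passes is_root_session."""
    blob = serialize({"user": username, "lang": "en"})
    return parse_session(blob)


def login_hardened(username):
    """Hardened: validate the value before it can reach the file."""
    if not USERNAME_RE.fullmatch(username) or CTRL_RE.search(username):
        raise ValueError("rejected username with disallowed characters")
    blob = serialize({"user": username, "lang": "en"})
    return parse_session(blob)


def audit_session_blob(blob):
    """Flag session content showing signs of injection: raw carriage returns
    or any key that appears more than once."""
    findings = []
    if "\r" in blob:
        findings.append("carriage return present")
    seen = {}
    for line in blob.splitlines():
        key, sep, _ = line.partition("=")
        if sep:
            seen[key] = seen.get(key, 0) + 1
    for key, count in seen.items():
        if count > 1:
            findings.append(f"key {key!r} set {count} times")
    return findings


if __name__ == "__main__":
    # Constructed attack input: two CRLFs smuggle two extra key=value lines.
    payload = "attacker\r\nuser=root\r\nhasroot=1"
    print("vulnerable grants root:", is_root_session(login_vulnerable(payload)))
    try:
        login_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("audit:", audit_session_blob(serialize({"user": payload, "lang": "en"})))
```

The point of the hardened path is where the check sits: values are validated before serialisation, so no line break can ever reach the file, rather than relying on the parser to notice duplicate keys afterwards. The audit helper is the complementary incident-response view, useful for sweeping session files that were written before a patch landed.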

cPanel has long been a backbone of the global web hosting ecosystem, powering hosting environments for major providers including Namecheap, HostGator, Bluehost, and countless smaller hosting companies. Because each vulnerable server may host dozens or even hundreds of websites, experts warn the real number of impacted websites could stretch into the tens of millions.

Security estimates indicate:

Around 1.5 million to over 2 million cPanel instances may have been exposed

Attackers may have exploited the flaw for at least 64 days

Tens of millions of websites were potentially placed at risk

Ransomware extortion attempts have already been reported, including one demand of $7,000

Given the severity of the breach, the Cybersecurity and Infrastructure Security Agency (CISA) has reportedly added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, and cybersecurity agencies worldwide have urged immediate patching and investigation.

Cybersecurity firm watchTowr Labs, which reportedly analyzed the vulnerability, described the flaw as a stark reminder of how even minor coding oversights can create catastrophic zero-day threats affecting the wider internet.

In response, several hosting providers have temporarily restricted access to the cPanel (2083) and WHM (2087) web interface ports while deploying emergency security patches to customers.

Website owners using cPanel are strongly advised to take immediate protective action:

Confirm with the hosting provider that the April 28 patch has been installed

Enable two-factor authentication on all cPanel and WHM accounts

Change all administrative credentials once the patch is confirmed (the bypass did not depend on passwords, so a reset on an unpatched server buys nothing)

Review activity logs for suspicious access between February 23 and April 28

Assess whether shared hosting remains appropriate for business-critical infrastructure

The incident underscores the enormous risks posed by vulnerabilities in core internet infrastructure. While the security patch may have closed the front door, cybersecurity experts warn that attackers who already gained access could still leave behind malware, backdoors, or ransomware.

For millions of website owners, the immediate priority is no longer just prevention — it is determining whether their systems were silently compromised during one of the most dangerous hosting vulnerabilities in recent memory.

Written by Shola Akinyele
