Massive Cyberattack Campaign Targets Vulnerable cPanel Servers Globally
A critical security flaw in cPanel and WebHost Manager (WHM) has become the focal point of a widespread exploitation campaign, leaving thousands of websites compromised. Since the vulnerability was publicly disclosed, threat actors have been actively targeting servers that have not applied the necessary security patches, effectively gaining full control over the administrative panels and the data hosted on them.
Data indicates that over 550,000 servers remain potentially exposed to the vulnerability, identified as CVE-2026-41940. While the number of active compromises fluctuates, thousands of instances have already fallen victim to unauthorized access. Evidence of the breach includes the appearance of ransom notes on various websites, suggesting that attackers are leveraging the exploit to encrypt files and demand payment for recovery, though some affected sites have since been restored to normal operations.
Government security agencies have officially recognized the severity of the situation, adding the flaw to the Known Exploited Vulnerabilities catalog and mandating urgent remediation for federal systems. Investigative analysis suggests that the exploitation of this bug may have been occurring covertly for weeks before the public alert was issued, with some security telemetry tracing malicious activity back to late February.
Administrators and web hosts are being urged to update their software immediately to mitigate the risk of further hijacking. The incident underscores the persistent threat posed by unpatched infrastructure, as attackers continue to automate the discovery and exploitation of widely used server management tools.