Over 44,000 servers have been compromised in an ongoing campaign exploiting CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel & WebHost Manager (WHM). According to
, attackers are actively exploiting the zero-day flaw that provides unauthenticated access to administrative controls across affected systems.
The vulnerability, disclosed on April 28, allows attackers to bypass authentication using special characters in authorization headers. Once exploited, threat actors gain complete administrative access to cPanel installations, enabling them to compromise all configurations, databases, and websites managed by the platform.
Massive Scale of Exploitation
The attack campaign has reached unprecedented scale for a cPanel vulnerability. SecurityWeek reported that The Shadowserver Foundation initially tracked 44,000 unique IP addresses conducting scanning and exploitation attempts against their honeypot sensors. The United States hosts the majority of compromised systems, followed by France and the Netherlands.
Rapid7 warned that approximately 1.5 million cPanel instances remain accessible from the internet, representing a massive attack surface for continued exploitation. The vulnerability affects all cPanel versions after 11.40, making the potential impact enormous across hosting providers and web administrators globally.
Exploitation activity spiked significantly after WatchTowr published technical details of the vulnerability, providing attackers with the information needed to develop reliable exploits.
Technical Details and Attack Vector
CVE-2026-41940 exploits a flaw in cPanel’s session handling mechanism. Attackers can inject special characters into authorization headers to write parameters directly to session files. By triggering a reload of the compromised session file, the injected administrative credentials authenticate the attacker with full system privileges.
The vulnerability was likely exploited as a zero-day since late February, months before its public disclosure. This extended exploitation window allowed attackers to compromise systems while administrators remained unaware of the security flaw.
Once authenticated, attackers can modify server configurations, access sensitive databases, install malicious software, and potentially pivot to other systems within the network. The administrative access also enables data theft and the deployment of additional attack tools.
Healthcare Sector Under Attack
The healthcare industry continues facing severe cybersecurity challenges, with Sandhills Medical Foundation disclosing a ransomware attack affecting nearly 170,000 individuals. The South Carolina-based healthcare provider discovered the Inc Ransom attack on May 8, 2025, but only disclosed the incident publicly after nearly one year of investigation.
Compromised data includes names, Social Security numbers, driver’s licenses, financial information, and personal health records. The Inc Ransom group subsequently listed Sandhills Medical on its leak website and made stolen files available for download.
This incident highlights the ongoing targeting of healthcare organizations, which often struggle with legacy systems and limited cybersecurity resources while maintaining critical patient care operations.
Ransomware Groups Turn on Each Other
In an unusual development, two ransomware groups recently attacked each other, providing security researchers with rare insights into cybercriminal operations. Dark Reading reported that 0APT and KryBit engaged in a feud that exposed both groups’ infrastructure and operational data.
0APT initially emerged with a fabricated list of nearly 200 victims before going quiet for months. The group reemerged in mid-April, targeting established ransomware operators including KryBit, Everest, and RansomHouse. KryBit had launched in late March, offering ransomware-as-a-service kits targeting Windows, Linux, ESXi, and network-attached storage devices.
The conflict between these groups demonstrates the competitive and unstable nature of the ransomware ecosystem, where criminal organizations frequently turn against each other over territorial disputes and profit-sharing disagreements.
Flawed Ransomware Acts as Data Wiper
The Vect 2.0 ransomware contains a critical design flaw that causes it to permanently destroy files larger than 128KB instead of encrypting them for ransom. Check Point Software discovered that the malware’s ChaCha20-IETF encryption scheme generates four random nonces for large files but only stores the final nonce needed for decryption.
This flaw effectively transforms Vect 2.0 into a wiper for enterprise assets including virtual machine disks, databases, documents, and backups. The design error makes recovery impossible even if victims pay the ransom, because three of the four nonces needed for decryption are never stored and are permanently lost.
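To make the recovery problem concrete, here is an added illustration (not Check Point's analysis and not the malware's code) that models the reported scheme with a small IETF ChaCha20 implementation: a buffer is split into four parts, each encrypted under its own random nonce, and only the last nonce is kept. Applying the stored nonce to every part shows that only the final quarter decrypts; the chunking and the nonce-storage behaviour are assumptions that follow the description above.

```python
import os
import struct

MASK = 0xFFFFFFFF
CHUNKS = 4  # page: four random nonces per large file, only the last one kept

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439, section 2.1)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):
    # IETF ChaCha20 block: 256-bit key, 32-bit block counter, 96-bit nonce
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, init)])

def chacha20_xor(key, nonce, data):
    # Stream cipher: XOR data with successive keystream blocks, counter from 0.
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _block(key, i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def split(data):
    n = -(-len(data) // CHUNKS)  # ceiling division
    return [data[i * n:(i + 1) * n] for i in range(CHUNKS)]

def flawed_encrypt(key, data):
    # Constructed model of the reported scheme: every quarter gets a fresh
    # random nonce, but only the final nonce is returned alongside the output.
    nonces = [os.urandom(12) for _ in range(CHUNKS)]
    ct = b"".join(chacha20_xor(key, n, p) for n, p in zip(nonces, split(data)))
    return ct, nonces[-1]  # nonces[0..2] are discarded, i.e. lost for good

def recover(key, ct, stored_nonce):
    # Best a decryptor holding the key and the one stored nonce can do: try it
    # on every quarter. Only the last quarter comes back as real plaintext.
    return [chacha20_xor(key, stored_nonce, p) for p in split(ct)]
```

Even with the correct key, the first three quarters decrypt to random bytes, which is why paying does not restore files above the size threshold.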
The ransomware has been deployed against victims of TeamPCP supply chain attacks, but the encryption flaw significantly reduces its effectiveness as an extortion tool while maximizing damage to targeted organizations.
Law Enforcement Strikes Back
Three US cybersecurity professionals face prison for their roles in BlackCat ransomware attacks, and two have already been sentenced. SecurityWeek reported that Ryan Goldberg and Kevin Martin each received 4-year sentences, while Angelo Martino awaits sentencing in July.
The three men worked at cybersecurity firms as ransomware negotiators before turning to cybercrime. They used BlackCat (also known as ALPHV) ransomware to target victims, keeping 80% of ransom payments while paying 20% to the criminal operation’s administrators. Authorities said the group received approximately $1.2 million from one victim.
The BlackCat operation targeted over 1,000 organizations between November 2021 and December 2023 before law enforcement disrupted the group. The US government continues offering a $10 million reward for information on key BlackCat members.
What This Means
The cPanel zero-day exploitation demonstrates how quickly attackers can weaponize newly disclosed vulnerabilities at massive scale. With 1.5 million potentially vulnerable instances worldwide, this campaign represents one of the largest web hosting security incidents in recent years.
The healthcare sector’s continued struggles with ransomware attacks highlight the need for improved cybersecurity investments and incident response capabilities in critical infrastructure sectors. The year-long delay in Sandhills Medical’s disclosure also raises questions about notification requirements and transparency standards.
The infighting between ransomware groups and the flawed Vect 2.0 implementation suggest that the cybercriminal ecosystem faces internal challenges that may create opportunities for law enforcement and defensive operations. However, the successful prosecution of insider threats demonstrates that the threat landscape includes risks from trusted cybersecurity professionals.
FAQ
How can organizations protect against the cPanel vulnerability?
Administrators should immediately update to patched cPanel versions including 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, and 11.130.0.19. Organizations should also follow cPanel’s guidance for identifying and addressing potential compromises.
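The following added script (not cPanel's own tooling) turns the fixed-version list above into a check an administrator can run on each host: it parses the installed version, finds its release branch and compares the build number against the minimum patched build. The version file path is an assumption; branches not listed on the page are reported as unknown rather than guessed.

```python
import re

# Minimum fixed build per release branch, as listed in the FAQ answer above.
# Builds are compared numerically, so a later build on the same branch counts
# as patched.
PATCHED = {
    "11.86": (11, 86, 0, 41),
    "11.110": (11, 110, 0, 97),
    "11.118": (11, 118, 0, 63),
    "11.124": (11, 124, 0, 35),
    "11.126": (11, 126, 0, 54),
    "11.130": (11, 130, 0, 19),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    # cPanel versions look like 11.110.0.97: major.branch.minor.build
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a version string.
    Branches without a listed fix are flagged rather than assumed safe."""
    v = parse_version(text)
    fixed = PATCHED.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"

def assess_host(path="/usr/local/cpanel/version"):
    # Assumed location of the installed version string on a cPanel host.
    with open(path) as f:
        return assess(f.read())

if __name__ == "__main__":
    for sample in ("11.110.0.96", "11.110.0.97", "11.130.0.25", "11.128.0.3"):
        print(sample, assess(sample))
```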
What makes the Vect 2.0 ransomware particularly dangerous?
Vect 2.0 permanently destroys files larger than 128KB due to a design flaw in its encryption scheme. This makes recovery impossible even if victims pay the ransom, as the necessary decryption keys are lost during the encryption process.
Why did the BlackCat ransomware case result in prison sentences for cybersecurity professionals?
The three defendants worked as ransomware negotiators at cybersecurity firms but secretly conducted their own ransomware attacks using BlackCat malware. They pleaded guilty to conspiracy charges after receiving over $1.2 million from victims while paying 20% to the criminal operation’s administrators.
Sources
- Sandhills Medical Says Ransomware Breach Affects 170,000 – SecurityWeek
- Feuding Ransomware Groups Leak Each Other’s Data – Dark Reading
- Over 40,000 Servers Compromised in Ongoing cPanel Exploitation – SecurityWeek
- Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error – Dark Reading
- Two US Security Experts Sentenced to Prison for Helping Ransomware Gang – SecurityWeek