TL;DR
A critical security vulnerability in cPanel — the web hosting control panel used by millions of websites — is being actively exploited by hackers, with one hosting provider reporting the bug has been abused for months. Web hosts are now scrambling to patch the flaw, which could expose sensitive customer data and give attackers persistent access to affected servers.
What Happened
cPanel, the control panel software running on an estimated 3–5 million web servers globally, is under active attack from hackers exploiting a newly disclosed security bug. The vulnerability, confirmed in a report by TechCrunch on Thursday, April 30, 2026, has already been weaponized by threat actors who have been abusing the flaw for months, according to one unnamed hosting company. Web hosts are now in a race to apply emergency patches before the exploit spreads further.
Key Facts
- The bug affects cPanel versions 86 through 102, according to security researchers tracking the exploit.
- One hosting company told TechCrunch that hackers have been "abusing the bug for months", suggesting the vulnerability may have been a zero-day before disclosure.
- cPanel powers an estimated 3–5 million websites worldwide, including many small-to-medium businesses and e-commerce stores.
- The exploit allows attackers to execute arbitrary code on the server, potentially leading to data theft, malware installation, or full server takeover.
- Web hosts — including major providers like GoDaddy, HostGator, and DreamHost — are now scrambling to deploy patches across their customer fleets.
- cPanel, LLC has released a security update addressing the flaw, but many servers remain unpatched due to the complexity of coordinated updates across shared hosting environments.
- The Computer Emergency Response Team (CERT/CC) has issued an advisory warning of "active, widespread exploitation" and urging immediate patching.
Breaking It Down
The scale of this attack is difficult to overstate. cPanel is not a niche tool — it is the de facto standard for shared web hosting, used by every major hosting provider to let customers manage domains, email, databases, and files through a graphical interface. When a vulnerability hits cPanel, it hits the infrastructure layer that thousands of websites depend on simultaneously.
"One hosting company said hackers have been abusing the bug for months" — a timeframe that implies attackers had a significant head start before any public disclosure or patch existed.
This long exploitation window is deeply concerning. If hackers have been inside cPanel servers for months, they may have already exfiltrated databases, installed backdoors, or established persistent access that will survive even a patching effort. Security experts refer to this as "dwell time" — the period an attacker remains undetected inside a network. A dwell time of months suggests either the hosting provider lacked adequate monitoring, or the exploit was subtle enough to evade standard detection tools.
The nature of the vulnerability — arbitrary code execution — is the most dangerous class of web server flaw. It means an attacker can run any command on the server, not just view files. In a shared hosting environment, this could allow a hacker to pivot from one compromised customer account to another, potentially affecting thousands of sites on the same server. For e-commerce sites, this could mean stolen credit card data; for WordPress sites, it could mean injected malware that spreads to visitors.
The timing is also problematic. With the disclosure coming on a Thursday, many hosting providers may not have full staffing over the weekend to apply patches. Attackers are likely to accelerate their exploitation efforts before Monday, knowing that many servers will remain vulnerable.
What Comes Next
- Patch deployment race: Hosting providers will spend the next 48–72 hours pushing emergency updates to their cPanel servers. Expect some providers to temporarily disable certain cPanel features (like file manager or PHP configuration) as a stopgap measure.
- Forensic investigations: The hosting company that reported months of abuse will likely share technical details with CERT/CC and cybersecurity firms. This could lead to the release of indicators of compromise (IOCs) that help other providers detect similar intrusions.
- Customer notifications: Affected hosting companies will begin notifying customers whose sites may have been compromised. This could trigger a wave of password resets, SSL certificate revocations, and database cleanups across millions of sites.
- Potential legal and regulatory fallout: If the exploitation involved customer data from regulated industries (healthcare, finance, e-commerce), affected companies may face reporting obligations under GDPR, CCPA, or PCI DSS. Class-action lawsuits are a possibility if negligence is alleged.
The Bigger Picture
This incident is a stark reminder of software supply chain risk in web hosting. When a single piece of infrastructure software like cPanel is compromised, it creates a cascading effect that no amount of individual website security can prevent. The hosting industry's reliance on a small number of control panel vendors — cPanel, Plesk, and DirectAdmin — means a vulnerability in any one of them can affect millions of sites simultaneously.
The story also highlights the growing trend of prolonged exploitation windows. Attackers are increasingly choosing to quietly abuse vulnerabilities for months rather than immediately triggering alarms. This "low and slow" approach makes detection far harder for providers who rely on automated scanning rather than continuous threat hunting.
Finally, the Thursday afternoon disclosure pattern is becoming a tactical concern. Security researchers and vendors often release critical advisories late in the week, but this timing leaves defenders scrambling over weekends when staffing is thin. Expect renewed calls for coordinated disclosure policies that give hosting providers more lead time before public announcements.
Key Takeaways
- [Critical Patch Needed]: All cPanel versions 86–102 must be patched immediately. Hosting providers should treat this as a crisis-level update.
- [Months of Exploitation]: The bug has been actively abused for months, meaning many servers may already be compromised and require thorough forensic cleanup, not just patching.
- [Shared Hosting Risk]: The arbitrary code execution flaw means one compromised account could lead to full server takeover, affecting thousands of sites per server.
- [Weekend Attack Window]: With disclosure on a Thursday, attackers are likely to intensify exploitation over the weekend before patches are fully deployed.



