Hackers Are Still Exploiting the cPanel Bug — Thousands of Websites at Risk Right

In the world of cybersecurity, few things are more alarming than a critical vulnerability in widely deployed infrastructure that remains actively exploited long after its public disclosure. The ongoing exploitation of a serious security flaw in cPanel — the web hosting control panel software that powers millions of websites and servers worldwide — is precisely that kind of alarm. Months after the vulnerability was first disclosed and a patch was made available, hackers are still successfully exploiting the bug to gain complete control of vulnerable websites and the servers they run on. The scale of the problem is significant: security researchers tracking the active exploitation campaigns estimate that thousands of websites remain compromised or actively targeted, with new victims being added regularly. For website owners, hosting companies, and the businesses that depend on web infrastructure, this is not a theoretical risk. It is an active, ongoing threat that demands immediate attention. At digital8hub.com, we break down exactly what the cPanel vulnerability involves, how hackers are exploiting it, who is at risk, and — most importantly — what you need to do right now to protect your website and your data. What Is cPanel and Why Does This Matter So Much? Before diving into the vulnerability itself, it is worth understanding why a flaw in cPanel specifically is such a significant cybersecurity event. cPanel is the world's most widely deployed web hosting control panel — a software platform that provides website owners and hosting administrators with a graphical interface for managing their web hosting environments. Through cPanel, users manage their website files, email accounts, databases, domain settings, SSL certificates, and a vast range of other hosting functions. The scale of cPanel's deployment is extraordinary. Estimates suggest that cPanel is installed on millions of servers worldwide, hosting hundreds of millions of websites across virtually every category of web presence — from small personal blogs to mid-sized business websites to significant e-commerce platforms. It is the backbone of the shared hosting industry, used by virtually every major web hosting provider as the primary interface through which their customers manage their sites. This ubiquity is precisely what makes a critical cPanel vulnerability so serious. A flaw that can be exploited across any cPanel installation is not a niche security problem — it is a systemic vulnerability that puts an enormous proportion of the world's web infrastructure at risk simultaneously. The Vulnerability: What the Bug Actually Does The cPanel vulnerability being actively exploited involves a flaw in the software's authentication and privilege escalation mechanisms — the systems that control who can access what within a hosting environment and what level of control they can exercise. The specific nature of the exploit allows attackers who gain even limited access to a hosting environment — through techniques as simple as a stolen low-privilege account credential or a phishing attack against a website administrator — to escalate their privileges dramatically, ultimately achieving root-level or administrative control over the entire server. The implications of root-level server access are severe and wide-ranging. An attacker with this level of control can: Access all website files across every site hosted on the server — including configuration files containing database credentials, API keys, and other sensitive information Steal all email processed through the server — potentially including customer communications, internal business correspondence, and authentication emails Access and exfiltrate all databases — including customer records, transaction data, user credentials, and any other information stored in the site's databases Install persistent malware — backdoors, cryptominers, spam engines, or tools for conducting further attacks against the server's visitors Redirect website traffic — sending visitors to malicious sites designed to steal their information or install malware on their devices Use the server as a launching pad for attacks against other systems — leveraging the compromised server's resources and reputation for further malicious activity The particularly dangerous characteristic of this vulnerability is the speed with which exploitation can occur. Security researchers have documented cases in which the time from initial access to full server compromise is measured in minutes — far too fast for most monitoring systems to detect and respond before significant damage has been done. Who Is Exploiting This — and How The active exploitation campaigns targeting the cPanel vulnerability are not being conducted by a single actor. Security researchers tracking the activity have identified multiple distinct threat actor groups — ranging from organised criminal enterprises focused on data theft and ransomware deployment to nation-state affiliated actors using compromised cPanel servers as infrastructure for broader espionage operations. Opportunistic Scanning The most common exploitation pattern involves automated scanning — bots systematically probing internet-facing cPanel installations for the vulnerability, attempting exploitation when a vulnerable version is detected. This scanning activity is continuous and global in scope, meaning that any unpatched cPanel installation connected to the internet is being actively tested for the vulnerability essentially continuously. Credential Stuffing A significant proportion of successful exploits begin not with the cPanel vulnerability itself but with credential stuffing attacks — using lists of stolen username and password combinations to gain initial access to cPanel accounts with legitimate credentials. Once inside with even minimal access, the escalation vulnerability then enables full server compromise. Phishing Campaigns Targeted phishing campaigns — emails designed to steal cPanel login credentials from hosting account holders — have been observed as a precursor to exploitation in numerous documented cases. The combination of social engineering to obtain credentials and technical exploitation to escalate privileges represents a particularly effective attack chain. Supply Chain Targeting Some of the more sophisticated exploitation campaigns have targeted hosting companies directly rather than individual website owners — seeking to compromise the cPanel infrastructure of providers in order to gain simultaneous access to the thousands of customer websites hosted on their servers. A successful attack against a hosting provider's cPanel infrastructure is, from an attacker's perspective, vastly more efficient than attacking individual sites one by one. Why the Patch Hasn't Solved the Problem A natural question arises: if a patch is available, why are thousands of websites still vulnerable months after its release? The answer reveals a fundamental challenge in web security that goes beyond this specific vulnerability. Patch Deployment Delays Many website owners and hosting administrators simply do not update their software promptly — or at all. cPanel updates require deliberate action, and the hosting environments of smaller websites in particular are frequently managed infrequently. A patch released months ago may still not have been applied to a hosting environment whose administrator logs in only occasionally to make content updates. Hosting Provider Inaction Shared hosting customers typically depend on their hosting provider to manage cPanel updates at the server level. Providers who have not prioritised applying the patch have left their entire customer base exposed — without those customers being aware of the risk or having any direct ability to address it. Complexity of Update Processes In some hosting environments, applying the cPanel update requires coordination across multiple systems and careful testing to ensure that the patch does not break existing functionality. For hosting providers managing large, complex server estates, this coordination takes time — during which every server awaiting the patch remains exposed. Legacy Installations Some cPanel installations are running versions of the software so old that they are no longer receiving security updates at all — meaning that for these installations, there is no patch available and migration to a supported version is the only solution. What You Need to Do Right Now If you own or manage a website running on a cPanel-based hosting environment — which includes the vast majority of shared hosting accounts — the following steps are not optional. They are urgent. Step 1: Check Your cPanel Version Log into your cPanel account and check the version number displayed in the top right corner of the interface. Compare this against the latest patched version listed on cPanel's official security advisories page. If you are running a version older than the patched release, you are vulnerable. Step 2: Update Immediately If you manage your own server or VPS, update cPanel immediately through the update manager. If you are on shared hosting, contact your hosting provider and ask specifically whether their cPanel installations have been patched against this vulnerability. Do not accept vague assurances — ask for confirmation of the specific version they are running. Step 3: Change All Credentials Regardless of whether you believe you have been compromised, change your cPanel password, all email account passwords, all database passwords, and all FTP credentials associated with your hosting account. Use strong, unique passwords for each and enable two-factor authentication on your cPanel account if your hosting provider supports it. Step 4: Audit Your Files and Databases Check your website files for unexpected additions or modifications — particularly in directories that should not change frequently, such as your root directory, wp-includes (for WordPress sites), and configuration file directories. Look for unfamiliar PHP files, particularly those with names designed to blend in with legitimate files. Step 5: Review Access Logs Your cPanel account provides access to server access logs that record every connection to your hosting environment. Review these logs for unusual access patterns — login attempts from unfamiliar IP addresses, access at unusual hours, or connections that preceded unexpected file changes. Step 6: Consider a Web Application Firewall If you do not already have a web application firewall (WAF) in place, this vulnerability is a compelling reason to implement one. Services including Cloudflare, Sucuri, and Wordfence (for WordPress) provide WAF protection that can identify and block exploitation attempts even against vulnerable software. The Bigger Picture: Web Hosting Security in 2026 The cPanel vulnerability story is a microcosm of a much larger challenge in web security — the enormous gap between the pace at which vulnerabilities are discovered and exploited, and the pace at which organisations and individuals apply the patches that protect them. In 2026, the threat landscape for web infrastructure is more aggressive than at any previous point. The proliferation of automated scanning tools, the commoditisation of exploitation frameworks, and the financial incentives driving criminal exploitation of web vulnerabilities all mean that the window between vulnerability disclosure and active exploitation has shrunk dramatically — from weeks or months to days or even hours in the most severe cases. For website owners, the lesson is clear: software updates are not optional maintenance. They are a fundamental security requirement. A website running unpatched software is not a website waiting to be hacked — it is a website that has already been targeted and is simply waiting to be successfully compromised. For the latest cybersecurity news, technology protection guides, and digital safety advice, follow digital8hub.com — where we keep you informed and protected in the digital world.