cPanel Flaw Goes From Disclosure to Mass Compromise in Hours as ‘.sorry’ Ransomware Spreads

A newly disclosed cPanel and WHM authentication bypass is being exploited in multiple campaigns, including botnet deployment and suspected ransomware activity affecting exposed hosting infrastructure.

Published on May 5, 2026

A critical vulnerability in cPanel and WebHost Manager (WHM) has been tied to a sharp rise in malicious hosting activity, with internet intelligence firm Censys reporting that compromised servers are appearing in at least two apparent attack paths.

The flaw, tracked as CVE-2026-41940 and rated Critical with a CVSS base score of 9.8, affects the sign-in (authentication) process in cPanel and WHM, the control panels hosting providers widely use to manage servers, domains, databases, and reseller accounts. According to cPanel's security advisory, fixed versions are available, and administrators should update all supported installations.

Censys said the number of hosts it classifies as malicious rose sharply on May 1, with cPanel and WHM systems accounting for nearly 80% of the net increase. On that day the firm observed 15,448 cPanel or WHM hosts among 106,514 GreyNoise-classified hosts, up from the low hundreds seen earlier in the week.

Gene Moody, Field CTO at Action1, said the case shows how fast exposed systems can be turned into operational infrastructure. “A critical flaw moved from disclosure to active, large-scale compromise in a matter of hours. That gap is the problem,” he told Expert Insights.

Ransomware Indicators Include 7,135 cPanel Or WHM Hosts

The activity was not limited to scanning. Censys reported that one campaign appears to deploy Mirai variants after compromise, while another shows signs consistent with ransomware, including exposed directory listings in which files had been renamed with a ".sorry" extension.

Censys found 8,859 internet hosts exposing filenames ending in “.sorry,” including 7,135 identified as running cPanel or WHM. The recurring filenames included typical website files such as index.html, index.php, and WordPress configuration files.
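The ".sorry" renaming is an indicator a defender can check for directly. The script below is an added example for this article, not Censys's tooling: it parses the anchor links of an Apache-style directory listing (a constructed sample page, modelled on mod_autoindex output, is embedded inline and is not captured from any real host) and reports files carrying the suffix together with the name each appears to have had before renaming.

```python
"""Flag '.sorry'-renamed files in an HTTP open-directory listing.

Added example, not code from Censys or cPanel. Parses the hrefs of an
Apache-style autoindex page and reports entries ending in '.sorry'.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

SUFFIX = ".sorry"

# Constructed sample autoindex page (assumption: Apache mod_autoindex layout).
# Not captured from any real host.
SAMPLE_LISTING = """<html><head><title>Index of /public_html</title></head>
<body><h1>Index of /public_html</h1>
<table>
<tr><td><a href="?C=N;O=D">Name</a></td></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="index.html.sorry">index.html.sorry</a></td></tr>
<tr><td><a href="index.php.sorry">index.php.sorry</a></td></tr>
<tr><td><a href="wp-config.php.sorry">wp-config.php.sorry</a></td></tr>
<tr><td><a href="wp-content/">wp-content/</a></td></tr>
<tr><td><a href="robots.txt">robots.txt</a></td></tr>
</table></body></html>
"""


class _HrefCollector(HTMLParser):
    """Collect the percent-decoded href of every <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(unquote(value))


def is_directory_listing(html):
    """Heuristic: autoindex pages title themselves 'Index of <path>'."""
    return re.search(r"<title>\s*Index of\b", html, re.IGNORECASE) is not None


def list_entries(html):
    """Return file entries, dropping directories, sort links and the parent link."""
    collector = _HrefCollector()
    collector.feed(html)
    return [h for h in collector.hrefs
            if not h.endswith("/") and not h.startswith("?")]


def find_sorry_files(html, suffix=SUFFIX):
    """Return [(renamed_name, apparent_original_name), ...] for matching entries."""
    return [(name, name[:-len(suffix)])
            for name in list_entries(html) if name.endswith(suffix)]


def summarize(html):
    """One dict per listing: whether it is an autoindex page, how many hits, and the originals."""
    hits = find_sorry_files(html)
    return {
        "listing": is_directory_listing(html),
        "sorry_count": len(hits),
        "originals": sorted(original for _, original in hits),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
```

Run against a fetched listing, this separates the two signals the article describes: that the host exposes a directory listing at all, and that the listing contains renamed website files such as index.php and wp-config.php.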

The vulnerability has also been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, inclusion in which requires evidence of active exploitation. Technical analysis from watchTowr Labs described the issue as a carriage return line feed (CRLF) injection affecting server-side session processing.
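CRLF injection as a bug class leaves a recognisable trace in web logs: carriage-return or line-feed bytes, usually percent-encoded, inside a request parameter. The detector below is an added example for this article; it does not reproduce the watchTowr analysis of CVE-2026-41940 or any specific payload, it only assumes that generic shape. It runs over constructed Combined Log Format lines embedded inline, and the login path `/login/` is an assumed cPanel-style endpoint rather than a confirmed one.

```python
"""Flag login requests whose target carries CR/LF bytes, encoded or raw.

Added example, not cPanel's or watchTowr's code. Assumes only the generic
shape of CRLF injection: CR/LF smuggled into a request parameter, possibly
percent-encoded more than once.
"""
import re
from urllib.parse import unquote

# Combined Log Format request line: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumption: a cPanel-style login endpoint lives under /login.
LOGIN_PREFIXES = ("/login",)

# Constructed log lines (RFC 5737 documentation addresses); not from any real host.
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2026:03:14:07 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 512
198.51.100.7 - - [01/May/2026:03:14:09 +0000] "GET /login/?user=a%0d%0aX-Injected:1 HTTP/1.1" 200 311
198.51.100.7 - - [01/May/2026:03:14:10 +0000] "GET /login/?user=a%250d%250aX-Injected:1 HTTP/1.1" 200 311
192.0.2.44 - - [01/May/2026:03:15:00 +0000] "GET /search?q=a%0d%0ab HTTP/1.1" 200 9001
192.0.2.44 - - [01/May/2026:03:15:01 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 9001
"""


def contains_crlf(target, max_decode=3):
    """True if CR or LF appears after up to max_decode rounds of percent-decoding.

    Repeated decoding catches double-encoded forms such as %250d%250a.
    """
    current = target
    for _ in range(max_decode):
        if "\r" in current or "\n" in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return "\r" in current or "\n" in current


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_crlf_login_attempts(log_text):
    """Return [(ip, target), ...] for login requests carrying CR/LF bytes."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        target = record["target"]
        if target.startswith(LOGIN_PREFIXES) and contains_crlf(target):
            hits.append((record["ip"], target))
    return hits


if __name__ == "__main__":
    for ip, target in find_crlf_login_attempts(SAMPLE_LOG):
        print(f"{ip} {target}")
```

The check deliberately decodes more than once: a single `unquote` would pass the double-encoded line through unflagged, and a stream of hits from one address against the login path is the pattern worth alerting on, not a lone encoded newline elsewhere on the site.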

The available data indicates broad exploitation of hosting control planes rather than isolated website compromise. Censys cautioned that the event is still developing, and that current scan evidence does not prove every affected host was compromised through the same route.