44,000 IPs Attack cPanel Flaw Exploited Within One Day
By 813 Staff
The Hacker News (@TheHackersNews) reported this morning that 44,000 IPs attacked a cPanel flaw that was exploited within one day.
Source: https://x.com/TheHackersNews/status/2051232452707000577
The speed at which attackers weaponize newly disclosed vulnerabilities has always been a concern, but the timeline around the latest cPanel flaw is raising alarms inside security teams. Internal documents circulating among hosting providers show that CVE-2026-41940, a critical remote code execution vulnerability in the widely used cPanel web hosting control panel, was actively exploited in the wild within 24 hours of its public disclosure. Security researchers flagged the issue as soon as proof-of-concept code emerged, but the breach window was already closing. According to data shared by The Hacker News (@TheHackersNews), threat actors rapidly scaled their operations, with over 44,000 distinct IP addresses linked to scanning and brute-force activity targeting vulnerable cPanel instances across the internet.
Engineers close to the project say the rollout of patches has been anything but smooth. Although cPanel’s development team issued a hotfix shortly after the vulnerability was published, many hosting providers running shared or managed environments have struggled to apply updates without breaking customer configurations. The exploit itself allows an unauthenticated attacker to execute arbitrary code on the server, which in practice means a compromised cPanel installation can lead to full control of the underlying operating system. Hosting companies that delayed patching—whether for compatibility testing or scheduled maintenance windows—are now racing to lock down exposed endpoints as the scanning infrastructure continues to expand.
The real impact extends beyond individual server compromises. Industry analysts tracking the IPs involved note that many originate from cloud hosting providers known for lax abuse enforcement, suggesting a coordinated, possibly automated campaign. For businesses relying on cPanel-based hosting, the window for proactive defense has all but closed; the attack surface is now measured in how quickly remaining unpatched systems can be isolated. What happens next depends on whether the patching gap can be closed faster than the attackers can pivot from scanning to deployment. Security teams are advising customers to audit access logs immediately and consider temporary IP blocklists based on known scanner fingerprints, even if those lists are imperfect. The broader lesson, already clear to anyone watching the timeline, is that 24-hour exploitation windows are no longer hypothetical—they are the baseline.

