
The cPanel Situation Is Spiraling Fast

On April 29, CVE-2026-41940 was disclosed: a critical pre-authentication bypass in cPanel/WHM that lets remote attackers skip the login flow entirely and gain elevated access. Within 24 hours, it was already being weaponized. Censys watched the fallout in real time.

The 6-day timeline (cPanel hosts flagged malicious):

Apr 26: 117
Apr 27: 47
Apr 28: 106
Apr 29: 70
Apr 30: 146
May 1: 15,448

On May 1 alone, the total count of malicious hosts jumped by 19,131, and 15,302 of those (roughly 80%) were cPanel/WHM systems. On the preceding days, cPanel accounted for under 1.2% of the daily change. This was not background noise. It was a coordinated spike.

Top affected providers:

DigitalOcean: 1,043
Contabo: 716
OVH: 501
Vultr: 391
Oracle: 321
Unified Layer: 280
Hetzner: 277
Akamai/Linode: 275
GoDaddy: 209
Microsoft: 169

With 1,052,657 cPanel/WHM hosts exposed on the public internet and only 9,595 currently flagged as malicious, the attack surface is enormous and growing. At least two campaigns are running in parallel: a Mirai botnet variant (nuclear.x86) deployed post-compromise, and a ransomware campaign tied to the Sorry/Hidden-Tear family.

Ransomware footprint:

~7,000 cPanel servers with ".sorry" encrypted files
6,465 hosts: index.html.sorry
1,637 hosts: index.php.sorry
795 hosts: wp-config.php.sorry
Victims directed to attackers via qTox
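The footprint above is visible from the filesystem, so a host owner can check for it without Censys. The following is an added example, not Censys or cPanel tooling: it walks a directory tree for the two indicators the write-up names (files carrying the ".sorry" suffix, and a dropped binary named "nuclear.x86") and counts the encrypted files by original name, the same breakdown as the list above. The directory layout it builds for a stand-alone run is constructed sample data, and the "/home/*/public_html" convention is an assumption about where cPanel document roots live.

```python
"""IOC sweep for the cPanel compromise indicators listed above.

Added example, not Censys' or cPanel's own code. Assumes only the two
indicators the write-up names: a ".sorry" suffix on encrypted files and a
dropped Mirai binary called "nuclear.x86". Paths and output format are this
example's own choices.
"""
import os
import tempfile
from collections import Counter
from typing import Dict, List

SORRY_SUFFIX = ".sorry"      # suffix the Sorry/Hidden-Tear payload appends
MIRAI_BINARY = "nuclear.x86"  # post-compromise Mirai variant named in the write-up


def sweep(root: str) -> Dict[str, List[str]]:
    """Walk `root` and return sorted paths of encrypted files and dropped binaries."""
    hits: Dict[str, List[str]] = {"sorry_files": [], "mirai_binaries": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(SORRY_SUFFIX):
                hits["sorry_files"].append(path)
            if name == MIRAI_BINARY:
                hits["mirai_binaries"].append(path)
    hits["sorry_files"].sort()
    hits["mirai_binaries"].sort()
    return hits


def summarize_originals(sorry_files: List[str]) -> Counter:
    """Count encrypted files by their original basename (index.html, wp-config.php, ...)."""
    return Counter(os.path.basename(p)[: -len(SORRY_SUFFIX)] for p in sorry_files)


def build_sample_tree(base: str) -> None:
    """Create a constructed fake document-root layout so the sweep can run offline."""
    layout = {
        "home/site1/public_html/index.html.sorry": b"",
        "home/site1/public_html/wp-config.php.sorry": b"",
        "home/site2/public_html/index.php.sorry": b"",
        "home/site2/public_html/index.php": b"<?php echo 'intact'; ?>",  # untouched file
        "tmp/nuclear.x86": b"\x7fELF",  # placeholder bytes, not a real binary
    }
    for rel, content in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, int]:
    """Run the sweep over the constructed tree and return headline counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = sweep(tmp)
        by_original = summarize_originals(result["sorry_files"])
        return {
            "sorry_files": len(result["sorry_files"]),
            "mirai_binaries": len(result["mirai_binaries"]),
            "index.html": by_original["index.html"],
            "index.php": by_original["index.php"],
            "wp-config.php": by_original["wp-config.php"],
        }


if __name__ == "__main__":
    # On a real host, point sweep() at "/" or "/home" instead of the sample tree.
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A hit on either indicator is grounds for treating the host as compromised, not just unpatched; a clean result is not proof of the opposite, since the same access can be used to drop payloads under other names. The `find / -name '*.sorry'` one-liner gives the same answer for the ransomware half if Python is not convenient.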

If you run cPanel/WHM, patch immediately, and do not assume you patched in time: check document roots for ".sorry" files and the host for a "nuclear.x86" binary before concluding the box is clean.
