cPanel's CRLF Bug Gave Hackers Root on 70 Million Domains — For 2 Months Before Anyone Noticed

:police_car_light: cPanel’s CRLF Bug Gave Hackers Root on 70 Million Domains — For 2 Months Before Anyone Noticed

Someone left the front door wide open on 94% of the web hosting industry. And hackers walked in back in February.

CVE-2026-41940 — CVSS 9.8 — unauthenticated root access — 70 million+ domains — exploited since February 23 — patched April 28 — 44,000 attacking IPs confirmed — 7,135 servers already hit with ransomware.

Okay so you know how basically every cheap web host you’ve ever used has that same old cPanel login page? The blue one with the little orange logo? Yeah. Turns out that thing had a hole in it the size of a garage door. No password needed. No two-factor bypass needed. Just… walk right in as root. For two months. While nobody noticed. I mean.

cPanel Server Room


🧩 Dumb Mode Dictionary
Term What It Actually Means
cPanel The control panel (dashboard) that runs like 94% of all web hosting — it’s how you manage websites, emails, databases
CRLF Injection Sneaking invisible “new line” characters into a system to trick it into reading fake instructions
Root Access God mode. Full admin. You own the entire server and everything on it
Session File A little text file the server uses to remember “this person is logged in” — the hacker faked one
cpsrvd The one single program that runs ALL of cPanel’s security. One program. For everything. From the year 2000
CVSS 9.8 Severity score out of 10. This is basically “your house is already on fire”
PoC (Proof of Concept) A working demo exploit that shows exactly how to do the hack — once this goes public, everyone can do it
TSR “Targeted Security Release” — cPanel’s emergency patch when shit hits the fan
🕰️ How We Got Here — The Timeline

This wasn’t some zero-day that got caught fast. This was a slow-motion disaster:

  • Feb 23, 2026 — First exploitation detected (only found later in KnownHost server logs). Hackers are already inside.
  • Two full months — Attackers quietly roam servers. Nobody publishes anything. Nobody knows.
  • Apr 28, 2026 — WebPros (cPanel’s parent company) finally drops an emergency patch
  • Apr 29, 2026watchTowr Labs publishes technical breakdown. Same day, a public exploit tool called “cPanelSniper” goes live. Now EVERYONE can do it.
  • Apr 30, 2026Shadowserver Foundation confirms 44,000+ unique IPs actively scanning and attacking
  • May 1, 2026 — CISA (the US government’s cyber agency) adds it to their Known Exploited Vulnerabilities list
  • May 8, 2026 — cPanel drops a SECOND emergency patch for three MORE vulnerabilities found during the chaos
🔓 How the Hack Actually Works — Embarrassingly Simple

Here’s the thing that makes this so cooked. The attack is almost insultingly simple:

  1. cPanel uses one big program called cpsrvd (built in the early 2000s) to handle logins
  2. When you try to log in, cpsrvd writes a little session file to disk that says “this person is trying to authenticate”
  3. The bug: cpsrvd doesn’t clean invisible characters (carriage returns and line feeds) from the login request
  4. Attacker sends a login request with hidden lines injected that say: user=root, hasroot=1, tfa_verified=1
  5. cpsrvd reads the file back, sees those lines, and goes “oh cool, you’re root and you already passed two-factor, come on in”

That’s it. No password. No 2FA token. No social engineering. You just inject some invisible characters into a login attempt and the server thinks you’re God.

The vulnerable ports are 2083 (cPanel dashboard), 2087 (WHM admin), and 2095-2096 (webmail). Rapid7 estimates roughly 1.5 million cPanel instances are directly exposed to the internet right now.

📊 The Receipts — By the Numbers
Stat Number
Domains running on cPanel globally 70 million+
cPanel’s market share of hosting control panels 94%
Internet-facing cPanel instances (Rapid7) ~1.5 million
CVSS severity score 9.8 / 10
Days hackers were inside before patch ~64 days
Unique attacking IPs (Shadowserver, Apr 30) 44,000+
Servers confirmed hit with “.sorry” ransomware 7,135
Total hosts with ransomware artifacts (Censys) 8,859
Emergency patches released in 10 days 2
Additional CVEs found during investigation 3 (CVE-2026-29201, 29202, 29203)
💀 The .sorry Ransomware — Adding Insult to Injury

As if root access wasn’t enough, a ransomware gang jumped on this fast. They deployed a custom ransomware written in Go (the programming language) that:

  • Encrypted files on compromised servers
  • Renamed everything with a .sorry extension (classy, right?)
  • Censys found 8,859 hosts with open directories full of .sorry files
  • Of those, 7,135 were confirmed cPanel/WHM servers

So we went from “someone can read your files” to “someone encrypted all your files and is demanding payment” real quick. And the worst part? Many of these are shared hosting servers — meaning one compromised server could hold hundreds of different websites belonging to different people.

🗣️ What the Security Community Is Saying

The reaction has been… not kind to cPanel:

  • watchTowr Labs pointed out that cpsrvd is a monolithic (one giant program doing everything) daemon architecture from the early 2000s. One missed sanitization (cleaning) check across one code path = total compromise
  • Canada’s cybersecurity agency rated exploitation as “highly probable” before attacks were even confirmed
  • Rapid7 noted the public PoC exploit (cPanelSniper) “dramatically lowered the barrier to exploitation” — meaning even script kiddies could do it
  • The broader point security researchers are making: cPanel’s session-file-on-disk model requires perfect sanitization at EVERY write path. Miss one, and it’s over. With architecture this old, it was a matter of when, not if.

Major hosting providers affected include Namecheap, HostGator, and KnownHost — basically names you’ve definitely seen if you’ve ever bought cheap hosting.


Cool. So 94% of web hosting just got its locks changed. Now What the Hell Do We Do? (╯°□°)╯︵ ┻━┻

Server Hack

🕳️ The Patch-Gap Profiler

Right now there’s a window. The patch exists but tons of servers haven’t applied it yet. Not to exploit them (don’t be that person) — but to build a service that checks if a website’s hosting is vulnerable and sell that peace-of-mind to small business owners.

cPanel exposes ports 2083/2087. A simple scanner that checks the cPanel version header against the patched versions can tell any website owner “your host is still vulnerable” or “you’re good.” Package this as a one-click website health check. Small businesses will pay $5-15 to know their online store isn’t about to get ransomware’d.

:brain: Example: A 24-year-old sysadmin in Lagos, Nigeria builds a Telegram bot called “HostSafe” that checks any domain’s cPanel status. Shares it in three web hosting Facebook groups. 600 panicked shop owners pay $5 each within a week = $3,000.

:chart_increasing: Timeline: First sales in 3-4 days. Window closes in ~6 weeks as hosts finish patching. Pivot to general hosting security checks after.

🎣 The Migration Middleman

Every time there’s a massive hosting vulnerability, a percentage of site owners want to LEAVE their current host immediately. But migrating a website is annoying and technical. You don’t need to BE a hosting company — you just need to be the person who moves sites from compromised hosts to clean ones.

Learn cPanel-to-cPanel migration (there’s literally a built-in tool called “Transfer Tool”). Charge $50-100 per site migration. Target the small business owners freaking out in hosting forums and Reddit threads right now. You’re selling speed and trust during a panic.

:brain: Example: A 21-year-old freelancer in Bucharest, Romania posts in r/webhosting and three WHT (Web Hosting Talk) forums offering “emergency migration from compromised cPanel hosts — done in 24 hours.” Moves 40 sites in two weeks at $75 each = $3,000.

:chart_increasing: Timeline: First client in 2 days. Peak demand lasts 3-4 weeks after news breaks. Builds a client list for ongoing freelance hosting management.

📡 The Ransomware Recovery Scraper

7,135 servers got hit with .sorry ransomware. Many of those are shared hosting = hundreds of small site owners per server who now have encrypted files and no idea what happened. Most of them DON’T have backups (because their host was supposed to handle that).

Here’s the play: cPanel automatically creates account-level backups that are often stored in a DIFFERENT directory than the web files. If the ransomware only targeted web-accessible directories (common behavior), the cPanel backup files might still be intact. Build expertise in recovering from this specific ransomware and offer “we’ll check if your backup survived” as a service.

:brain: Example: A 26-year-old DevOps guy in Karachi, Pakistan writes a blog post titled “How to check if your cPanel backups survived .sorry ransomware” — it ranks on Google within days because nobody else has written this yet. Offers a $150 recovery service at the bottom. 20 desperate site owners find it in the first month = $3,000.

:chart_increasing: Timeline: First recovery client in 5-7 days. Content ranks for months. Establishes reputation as “the .sorry recovery guy” which feeds future security consulting.

🪟 The Hosting Audit Gold Rush

cPanel controls 94% of the control panel market. This hack just proved that market concentration is a massive risk. Every mid-size company with a managed hosting setup is now getting asked by their boss: “are WE vulnerable?”

Most internal IT teams don’t know how to audit their hosting stack. Build a simple “cPanel Security Audit” checklist — cover CVE-2026-41940 patch status, exposed ports, session file permissions, backup verification, and the three newer CVEs from May 8. Package it as a PDF report with your branding. Offer it to agencies and businesses for $200-500 per audit.

:brain: Example: A 28-year-old web developer in Medellín, Colombia emails 50 local digital agencies saying “I’ll audit your hosting setup against the cPanel breach for $300.” 8 agencies bite within two weeks = $2,400. Three of them ask for ongoing monthly monitoring = recurring revenue.

:chart_increasing: Timeline: First audit in 4-5 days. Demand spikes for 6-8 weeks. The recurring monitoring contracts are the real prize.

🎰 The Indicator-of-Compromise Toolkit

44,000 IPs were scanning for this vulnerability. Security teams at companies need to check if any of those IPs touched their servers. But cross-referencing your server logs against 44,000+ IPs manually is tedious.

Build a lightweight open-source script (bash or Python) that parses cPanel access logs and flags any connections from known attacker IPs (Shadowserver publishes these). Make the tool free on GitHub to build your name, then offer a “full investigation and report” service for companies that find matches. Free tool = marketing. Paid investigation = revenue.

:brain: Example: A 22-year-old infosec student in Manila, Philippines publishes “cpanel-ioc-checker” on GitHub. Gets 400 stars in a week because security teams are desperate. Three hosting companies contact them for paid investigations at $500 each = $1,500 + a GitHub portfolio that gets them hired.

:chart_increasing: Timeline: Tool live in 1-2 days. Paid gigs start within a week. The GitHub credibility is worth more than the cash long-term — it’s a resume piece that says “I showed up when the industry needed help.”

🛠️ Follow-Up Actions
Priority Action Link
:red_circle: Immediate Check if your cPanel version is patched (must be post-April 28 update) cPanel Security Advisories
:red_circle: Immediate Scan for .sorry file extensions on your server Run: find / -name "*.sorry" 2>/dev/null
:yellow_circle: Today Block ports 2083, 2087, 2095, 2096 from public internet (use firewall allowlisting) cPanel Firewall Guide
:yellow_circle: Today Check server logs for connections from Shadowserver’s IOC list Shadowserver Reports
:green_circle: This week Review and test your backup restoration process Your hosting provider’s backup panel
:green_circle: This week Consider non-cPanel alternatives: Ploi, RunCloud, CloudPanel Compare at each link

:high_voltage: Quick Hits

Want to… Do this
:magnifying_glass_tilted_left: Check if a host is vulnerable Probe port 2087, read the cPanel version header — anything pre-April 28 patch is exposed
:shield: Protect your own sites right now Restrict cPanel ports to your IP only via CSF/iptables firewall rules
:open_book: Understand the full technical exploit Read watchTowr’s breakdown of the CRLF injection chain
:counterclockwise_arrows_button: Move off cPanel entirely Try CloudPanel (free, open-source) or Ploi ($8/mo)
:newspaper: Follow ongoing developments Watch Panelica’s tracker — they’re covering every new CVE as it drops

94% market share and a session file from 2003. Bro, the entire shared hosting industry was held together with duct tape and nobody checked the tape for 64 days.

2 Likes