What started as a routine security update turned into a months-long hacking campaign targeting a critical flaw in cPanel, the widely used web hosting control panel. The bug, tracked as CVE-2026-3658, allows attackers to bypass authentication and gain full control over servers. Security researchers at Sucuri reported active exploitation in the wild as early as February 2026, yet many hosts remained unaware until last week.
The vulnerability affects all cPanel versions released before March 2026. Attackers exploited it to inject malicious code into websites, redirecting visitors to phishing pages or installing cryptocurrency miners. Hostinger, one of the largest web hosts, confirmed their systems were breached through this flaw in March, with hackers maintaining access for weeks before detection.
cPanel developers issued patches on April 15, 2026, but uptake has been slow. A cPanel spokesperson said over 30% of installations remain unpatched. The delay stems from hosts needing to schedule downtime for updates, especially on shared hosting servers where thousands of sites could be affected.
Experts warn the flaw’s simplicity makes it attractive for both cybercriminals and state-backed groups. ESET researcher Matthieu Faou noted that automated scanning tools now include exploits for CVE-2026-3658, increasing attack volume. Small businesses with limited IT resources are particularly vulnerable, as they often rely on hosts to apply updates.
Web hosting providers are now prioritizing emergency patches, but the damage may already be done. The Internet Crime Complaint Center (IC3) has received over 1,200 reports linked to this campaign, with losses exceeding $8 million in verified cases so far.
Source: techcrunch.com