Critical cPanel Bug Actively Exploited Across 70M+ Websites; Patch Available

A critical vulnerability in cPanel — the web hosting control panel software running on millions of websites worldwide — is being actively exploited in the wild, security researchers warned Thursday. The bug, tracked as CVE-2026-31844, allows authenticated attackers to escalate to root privileges through a flaw in the panel's email-routing component. cPanel issued an emergency patch but exploitation appears to have begun before disclosure.

The bug affects cPanel versions 11.96 through 11.124 — essentially every supported release in active use. cPanel's installed base is estimated at 70+ million websites globally, including significant chunks of GoDaddy, Bluehost, HostGator, A2 Hosting, and DreamHost shared-hosting infrastructure. Web hosting providers have been pushing the patch through the night.

The vulnerability specifics

The bug is in cPanel's email-routing handler, specifically in how the panel processes mail routing rules submitted through the API. A logic error allows an authenticated user (any cPanel account, not just admin) to inject shell commands that execute as the cPanel system user — which on most installations has root or near-root privileges.

The exploit chain:

1. Attacker creates or compromises any cPanel account on the target server.

2. Attacker submits a crafted mail routing rule via the cPanel API.

3. cPanel parses the rule and triggers shell execution as the system user.

4. Attacker gains root-level access to the entire server, affecting every account hosted on that server.

The most concerning aspect is the blast radius. Because the escalation lands at root, a single compromised cPanel account on a shared hosting server lets the attacker read, modify, or backdoor every other site, database, and mailbox on that server, regardless of how well those other accounts are secured. Shared hosting environments, where hundreds of unrelated tenants share one cPanel instance, are particularly exposed.

Active exploitation patterns

Security researchers at Sucuri, Wordfence, and Cloudflare have identified several active exploitation campaigns:

Cryptocurrency mining deployment. The most common payload — drop a Monero miner onto compromised servers, leave the rest of the site mostly functional to avoid detection. Low-value but high-volume.

Web shell deployment for resale. Attackers compromise servers and sell access on dark-web marketplaces. Servers on premium hosts (DigitalOcean, AWS Lightsail) command higher prices than basic shared hosting.

SEO spam injection. Inject backlinks or spam content into legitimate WordPress sites running on the compromised server. The host server's reputation is leveraged to boost spam-target rankings.

Notably, no major ransomware deployment has been observed yet — but security researchers say it's likely a matter of days, not weeks.

What hosting providers and site owners should do

Three immediate actions:

Apply the patch. cPanel released version 11.124.0.5 with the fix. Most managed hosts have already pushed it; self-hosted cPanel installations need a manual update. Confirm the installed version with `/usr/local/cpanel/cpanel -V` rather than trusting the host's status page, and on self-hosted servers run `/scripts/upcp --force` to pull the update immediately instead of waiting for the nightly update window.

Audit for compromise. Check `/var/log/cpanel/access_log` for unusual API calls to mail routing endpoints: routing changes issued from scripted clients (curl, python-requests), bursts of routing changes from one account, or request parameters carrying shell metacharacters. Check for new files in `/tmp`, `/var/tmp`, and `/dev/shm`, unexpected processes running as the cPanel system user or as root, and new entries in root's and each account's crontab and `~/.ssh/authorized_keys`. One caveat: an attacker who reached root can edit these logs, so a clean access_log is not proof of a clean server; corroborate with cross-account file changes, outbound connections, and any off-host log copies.

Rotate credentials. If compromise is suspected, rotate all passwords, API keys, and database credentials. Compromised servers should be considered fully compromised — partial cleanup rarely works for this class of vulnerability.
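The access_log triage above, worked through as an added example (not cPanel's own tooling and not from the original article). It assumes cPanel's access_log can be read as an Apache combined-style log whose third field is the account name, and it assumes a set of UAPI `Email/set_*` function names for "mail routing endpoints" because the article does not name the vulnerable endpoint; replace `MAIL_ROUTING_RE` with the path from the vendor advisory. The log lines are constructed, not captured.

```python
"""Triage cPanel access_log entries for abuse of mail-routing API calls.

Added example for this article, not cPanel's own tooling. Assumptions:
  * access_log is treated as an Apache combined-style log whose third
    field is the cPanel account name (close to real entries; verify on a
    few genuine lines first).
  * MAIL_ROUTING_RE guesses the UAPI Email functions that change routing;
    the vulnerable endpoint is not named in the article, so replace it
    with the path(s) from the vendor advisory.
The sample log lines below are constructed, not captured.
"""
import os
import re
import stat
import time
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
MAIL_ROUTING_RE = re.compile(r"/Email/set_[a-z_]*(?:accept|delivery|routing)")  # assumed
SHELL_META = set(";|&$`\n<>(){}")
SCRIPTED_UA_RE = re.compile(r"curl|wget|python-requests|Go-http-client", re.I)
BURST_THRESHOLD = 5  # routing changes by one account before we call it a burst


def parse_line(line):
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def query_has_shell_syntax(target):
    """True if any URL-decoded query value carries shell metacharacters.
    Values are decoded first, so %24%28id%29 is seen as $(id)."""
    query = urlsplit(target).query
    return any(set(v) & SHELL_META for _k, v in parse_qsl(query, keep_blank_values=True))


def triage_access_log(lines, burst_threshold=BURST_THRESHOLD):
    """Group mail-routing API calls by account and attach flags:
    shell_metachar  - a decoded query value contains shell syntax
    scripted_client - curl/wget/requests user agent on a routing change
    burst           - at least burst_threshold routing calls by one account
    POST bodies are not logged, so a scripted POST to a routing endpoint is
    itself a lead to chase in that account's mail configuration."""
    report = defaultdict(lambda: {"count": 0, "ips": set(), "flags": set(), "hits": []})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not MAIL_ROUTING_RE.search(rec["target"]):
            continue
        entry = report[rec["user"]]
        entry["count"] += 1
        entry["ips"].add(rec["ip"])
        reasons = []
        if query_has_shell_syntax(rec["target"]):
            reasons.append("shell_metachar")
        if SCRIPTED_UA_RE.search(rec["ua"]):
            reasons.append("scripted_client")
        entry["flags"].update(reasons)
        if reasons:
            entry["hits"].append((rec["ts"], rec["ip"], rec["method"], rec["target"], rec["status"], reasons))
    for entry in report.values():
        if entry["count"] >= burst_threshold:
            entry["flags"].add("burst")
    return dict(report)


def recent_files(directory, max_age_hours=48, now=None):
    """Regular files under directory (e.g. /tmp, /var/tmp, /dev/shm) modified
    within max_age_hours, newest first. lstat is used so a planted symlink is
    reported as itself rather than followed."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    found = []
    for root, _dirs, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= cutoff:
                found.append((path, st.st_uid, st.st_mtime))
    return sorted(found, key=lambda t: t[2], reverse=True)


# Constructed sample: alice changes routing once from a browser; bob hits the
# same endpoint with curl and a %24%28id%29 ("$(id)") value, then a scripted burst.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - alice [24/Apr/2026:02:11:03 +0000] "GET /cpsess1234567890/execute/Email/list_pops HTTP/1.1" 200 512 "https://host.example/" "Mozilla/5.0"',
    '203.0.113.10 - alice [24/Apr/2026:02:11:09 +0000] "GET /cpsess1234567890/execute/Email/set_always_accept?domain=alice.example HTTP/1.1" 200 88 "https://host.example/" "Mozilla/5.0"',
    '198.51.100.7 - bob [24/Apr/2026:02:40:44 +0000] "GET /cpsess0987654321/execute/Email/set_always_accept?domain=%24%28id%29.bob.example HTTP/1.1" 500 0 "-" "curl/8.5.0"',
] + [
    f'198.51.100.7 - bob [24/Apr/2026:02:41:{s:02d} +0000] "POST /cpsess0987654321/execute/Email/set_always_accept HTTP/1.1" 200 88 "-" "python-requests/2.31"'
    for s in range(6)
]

if __name__ == "__main__":
    for user, info in triage_access_log(SAMPLE_LOG_LINES).items():
        print(f"{user}: {info['count']} routing call(s) from {sorted(info['ips'])}, flags={sorted(info['flags'])}")
        for hit in info["hits"]:
            print("   ", hit)
    for path, uid, mtime in recent_files("/tmp", max_age_hours=24)[:20]:
        print(f"{time.strftime('%F %T', time.localtime(mtime))} uid={uid} {path}")
```

On a real server, feed `triage_access_log` the lines of `/var/log/cpanel/access_log` (and its rotated copies) and treat every flagged account as a candidate for full credential rotation; the burst threshold is deliberately low because legitimate users change mail routing rarely.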

My Take

This is one of those vulnerabilities that affects an enormous installed base but probably won't make front-page news because no major brand will be the headline victim. The real impact is the millions of small business and personal sites running on shared hosting that get silently compromised — most of which won't even know they were affected. cPanel's response has been reasonably fast (patch within 36 hours of disclosure) and major hosting providers are pushing updates aggressively. The lingering risk is the long tail of self-hosted and managed-by-small-shops cPanel installations that won't get patched for weeks. If you run a cPanel-hosted site and haven't confirmed the patch, do it today. If you operate a hosting business, this is a fire-drill week. The broader observation: shared hosting is structurally vulnerable to this kind of "compromise one account, compromise the server" cascade. The economics of shared hosting probably need to change to make root-level isolation actually enforced, not just nominally configured.

FAQ

Is my WordPress site affected? Only indirectly: the cPanel vulnerability affects the hosting layer beneath WordPress, not WordPress itself. If your host has patched cPanel, your site is no longer exposed to this specific bug going forward. Patching does not undo anything an attacker did before the patch landed, so if the server was hit in the exploitation window, files, database contents, and credentials on your site may already have been modified and still need to be checked.

How do I know if my site was compromised? Check for unusual files, processes, or outbound network connections. Many hosts provide this audit automatically; if not, ask your hosting provider for a security audit.

Should I switch hosts? Not because of this bug specifically — every major host had the same vulnerability. Switch hosts only if your current provider is slow to patch or unresponsive on the issue.

The Bottom Line

Critical cPanel vulnerability (CVE-2026-31844) affecting 70+ million websites is being actively exploited. Patch is available; major hosts are pushing it. Audit for compromise if you run cPanel-hosted sites. Long tail of unpatched installations will continue being exploited for weeks.
