Project Zebra: Parting is all we know of heaven, And all we need of hell
I wrote/collected most of this days ago. In a nutshell, some customers of HostingUK were caught by the cPanel / WebHost Manager (WHM) / WordPress Squared (WP2) authentication bypass vulnerability before things were disabled or patched. It gave script kiddies the chance to wipe this site out, but more importantly to gain access to software infrastructure. Indications seem to be that WebPros, which owns the company that produces cPanel and the related software, knew about the vulnerability weeks before it issued patches, with apparent exploitation seen since before that. The most concerning part is that it's reported to affect all versions of cPanel from 11.40 onwards, and whilst not many articles seem to mention it, that version was released in 2013.

This article briefly covers the specific ransomware involved and points to tens of thousands of cPanel instances being verified compromised at the point it was written:
https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/

I don't envy anyone who's been dealing with the fallout at the end of last week and over the bank holiday weekend, which will be a lot of people since the product is reportedly used by tens of millions of domains and users. Hosts that didn't pull the plug quickly will have had more customers with sites wiped out, data stolen, used for crypto mining and spam, etc.

https://status.hostinguk.net/incidents/291
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
https://hostinguk.net/blog/important-cpanel-whm-security-update-what-hosting-uk-customers-need-to-know/

It's gotten a fair amount of industry coverage, so I'd assume that due to the scale, and the vulnerability granting full control of servers, it'll filter into mainstream outlets.
Link dump:
https://en.wikipedia.org/wiki/CPanel (what we're talking about)
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
https://www.theregister.com/2026/04/30/cpanel_whn_cves/
https://www.theregister.com/2026/05/01/critical_cpanel_vuln_hits_cisa/
https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/
https://www.securityweek.com/critical-cpanel-whm-vulnerability-exploited-as-zero-day-for-months/
https://digital.nhs.uk/cyber-alerts/2026/cc-4774
https://www.reddit.com/r/cpanel/comments/1syyajp/massive_cpanel_0day_auth_bypass_hits_web_hosting/
https://www.reddit.com/r/cybersecurity/comments/1t081ma/hackers_are_actively_exploiting_a_bug_in_cpanel/
https://www.reddit.com/r/sysadmin/comments/1t0l3xr/cve202641940_cpanelwhm_cvss_98_auth_bypass_was_a/
https://lowendtalk.com/discussion/216724/critical-vulnerability-with-cpanel-whm-login-authentication
https://www.cybersecuritydive.com/news/critical-vulnerability-cpanel-widespread-exploitation/819208/

As usual, Reddit tends to be where news filters through first, but now that it's been a while, trackers such as the non-profit Shadowserver (which has received funding from the UK Foreign, Commonwealth & Development Office and the European Commission) have been continuing to see exposed instances upwards of 500K. It'll come as no surprise that WebPros boasts about being "powered by AI", so part of this could well turn out to be more vibe coding of security flaws by idiots. The walkthrough of the vulnerability linked from El Reg, by Watchtowr and based on comparing the patched version with the previous one, doesn't seem 100% conclusive, but it's the sort of basic but fatal error that real people are equally prone to with sanitisation of user input, combined with flawed authentication code that could well be slop if that part was written recently. And it's not just a case of disabling obvious access points, apparently, from the other article.
https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
https://slcyber.io/research-center/high-fidelity-check-for-the-cpanel-authentication-bypass-cve-2026-41940/

It could also have been deliberately introduced. It's the sort of weakness that nation-state actors want, work towards covertly introducing, and hoard. Within the last few days NCSC has cautioned that 'AI' enhanced detection of vulnerabilities is improving rapidly, whether the vulnerabilities being found were introduced by accident or on purpose. But automated testing of user input routines and similar isn't new; there's just more of an arms race now. NCSC, following guidance in 2018 that attempted to emphasise to service providers that asking people to change passwords regularly does more harm than good and that layered security measures are to be preferred, has also now put its support behind passkeys.
https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave
https://www.ncsc.gov.uk/blog-post/trust-the-tech-using-password-managers-passkeys-to-help-you-stay-secure-online

My main concern is that HostingUK don't seem to have reached out to customers to say: things are patched, change passwords now, and we'll work on improving the security position by e.g. enabling 2FA features (one-time authenticator app codes) that have been available since 2016. The info is all in places people will only see it if they look. Currently weighing up whether it'd be sensible to find another provider, uncouple email services from a site, or some other approach. I have other mitigations in place, but 2FA is less a gold standard and more a basic expectation these days. Have had conversations with HostingUK support people about this, and I think we're all on the same page; it's just not practical right now with their infrastructure and customer base to enable it in WHM and therefore cPanel instances.
There's no paid option to do so unless going for a dedicated server environment. So it's not even a case of them having some servers set up where they can locate tenants using 2FA and leave legacy accounts without it. I've amended the Trustpilot review (which the support site encourages people to leave) a few times, because I don't want to come off as unreasonably harsh.
https://uk.trustpilot.com/reviews/69f5d976adc3e82bfac50f7c

Some issues with critical cPanel vulnerability (April 2026)

At the original time of writing HostingUK was still in the middle of dealing with the April/May 2026 CVE-2026-41940 authentication bypass 0-day affecting cPanel/WHM, hadn't directly contacted customers where sites and email accounts were compromised, which it still hasn't, and was apparently not letting support staff answer questions about whether it was safe to change passwords and continue using key services like email that are a high risk for identity and financial fraud, from the first reply I received.

Personally I had to discover what had happened due to missing website images, and it wasn't clear if the missing files were encrypted by ransomware (README.md files were left) and then removed by HostingUK or by attackers. But it's an inconsequential site, whereas email and things connected to that obviously aren't unimportant for anyone.

Also, it may not have mattered due to the specific vulnerability, but although their support site uses 2FA, HostingUK cPanel/webmail don't appear to support it currently and it isn't a default, which in this day and age it should be. I appreciate that in order to enable it for the environment it would be implemented for other customers, but it's still important to have modern security features, and getting to a position where it can be enabled in WHM would give customers confidence to be able to use webmail, whereas without 2FA it isn't safe to use from environments that can't be completely trusted, e.g. someone else's computer or hotel wifi or in a browser that could have an extension installed that becomes compromised.

HostingUK is also in the process of migrating customer domains to Easyspace, under the Iomart group they're both part of, forcing a 60-day lock on transfers that will limit the ability of customers to migrate out. It might still be possible to point domains at another email provider that does implement 2FA, for example, but when you know that a hosting account has been breached is not the best time to be working out options.

It's all extremely messy, and for a largish provider they seemed a bit unprepared when things really hit the fan with a global incident, needing to call staff in over a bank holiday weekend because customers were affected before mitigations could be made, etc. Most customers are unlikely to be aware of or understand the extent of the cPanel compromise, but assuming a reasonable worst-case scenario any data stored will have been taken, all credentials can no longer be relied on, all linked third-party sites/services that don't have their own MFA arrangements are vulnerable, and there's scope for impersonation from genuine accounts. It's a really nasty vulnerability rated 9.8 out of 10 in CVSS terms and "critical" by global security authorities.

I should add that even if things seem fine on your website, with this host or another, reports are that the cPanel vulnerability existed long before it and related software were patched, so the exposure to sites having data stolen and back doors introduced is massive, and obviously this affects many more hosts internationally and millions of people and domains.

HostingUK technical support staff are generally great, never any problem with them, and I've been with the company since they acquired UnitedHosting/PlugSocket. My concern is that management haven't been communicating with customers directly, and may have delayed disabling sites/services as would have been appropriate with an exploit becoming known to be in the wild that grants full access to and control of servers. With full authentication bypasses like that, the only immediate measure that can be taken is to turn things off until patches are available and applied, and unfortunately that didn't happen. The situation with 2FA not being an option is something I hope will be looked at further, because like TLS it's a normal base level of security now and relying on just passwords is risky.

Edit 7th May: I'm not sure what's changed, but the 2FA feature has been made available, which uses OTP codes from a standard authenticator app. Hopefully that gives a route for other customers to also use it and keep themselves better protected.

In other respects, as I say, HostingUK technical support is very good. I appreciate it can be a difficult judgement call to switch things off during security incidents, or to balance messaging so as not to scare people off, and I think management would be best advised to reach out to customers to say that things are patched, recommend changing passwords as a precaution in this instance because there's been a known serious vulnerability, and promote their security practices, including offering 2FA on account interfaces.