TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

SecurityWeek

Over 40,000 Servers Compromised in Ongoing cPanel Exploitation

Ionut Arghire · 2 days ago · Read original ↗

ATT&CK techniques detected

5 predictions
T1190Exploit Public-Facing Application
98%
“over 40, 000 servers compromised in ongoing cpanel exploitation more than 40, 000 servers have likely been compromised as attackers ramp up exploitation of a recently patched cpanel zero - day. as part of the ongoing campaign, non - profit organization the shadowserver foundation…”
T1190Exploit Public-Facing Application
73%
“11. 134. 0. 20, and 11. 136. 0. 5, and wp squared version 136. 1. 7 contain the fixes, cpanel ’ s updated advisory shows. the us cybersecurity agency cisa added cve - 2026 - 41940 to its known exploited vulnerabilities ( kev ) catalog on thursday, urging federal agencies to patch…”
T1190Exploit Public-Facing Application
50%
“last week, rapid7 warned that there were roughly 1. 5 million cpanel instances accessible from the internet, and on friday the shadowserver foundation was seeing tens of thousands of potentially compromised systems. “ 44k unique ip number is based on cpanel spike of devices seen …”
T1588.006Vulnerabilities
32%
“11. 134. 0. 20, and 11. 136. 0. 5, and wp squared version 136. 1. 7 contain the fixes, cpanel ’ s updated advisory shows. the us cybersecurity agency cisa added cve - 2026 - 41940 to its known exploited vulnerabilities ( kev ) catalog on thursday, urging federal agencies to patch…”
T1588.006Vulnerabilities
32%
“last week, rapid7 warned that there were roughly 1. 5 million cpanel instances accessible from the internet, and on friday the shadowserver foundation was seeing tens of thousands of potentially compromised systems. “ 44k unique ip number is based on cpanel spike of devices seen …”

Summary

The attacks likely target CVE-2026-41940, a recently patched zero-day leading to administrative access.

The post Over 40,000 Servers Compromised in Ongoing cPanel Exploitation appeared first on SecurityWeek.