cPanel Bug Exposes Millions of Websites to Takeover
A critical cPanel vulnerability is under active exploitation, exposing millions of websites to potential takeover, according to Malwarebytes Blog. This flaw presents a significant risk, allowing attackers to gain unauthorized control over web hosting environments. The widespread adoption of cPanel means a successful exploit can have a cascading effect, compromising numerous hosted sites.
Beyond the cPanel issue, Malwarebytes Blog also highlighted an increase in PayPal email hijacking for tech support scams and the theft of hundreds of thousands of Roblox accounts. These incidents underscore the persistent threat of social engineering and credential compromise, targeting both individuals and small businesses. Separately, a Chinese engineer was reportedly stealing US military and NASA software for years, pointing to long-term espionage campaigns.
For defenders, the cPanel bug is a priority. While the specific CVE wasn't detailed by Malwarebytes Blog, the active exploitation status demands immediate attention. Small businesses, often relying on cPanel for ease of management, are particularly vulnerable and must ensure their instances are patched and secured against known exploits. The diverse range of threats, from technical vulnerabilities to sophisticated scams and state-sponsored espionage, reinforces the need for layered security and continuous vigilance.
What This Means For You
- If your organization uses cPanel, you need to immediately verify that all instances are patched against actively exploited vulnerabilities. Audit your web server logs for any suspicious activity or unauthorized access. For any user-facing services, especially those involving financial transactions or sensitive data, enforce MFA and educate users on phishing and tech support scams.
Detection Rules
3 rules · 6 SIEM formats
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
cPanel Web Shell Upload via Vulnerable Endpoint
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| Malwarebytes-Advisory-2026-05 | Auth Bypass | cPanel bug actively exploited |
| Malwarebytes-Advisory-2026-05 | Phishing | PayPal emails hijacked to deliver tech support scams |
| Malwarebytes-Advisory-2026-05 | Account Takeover | Roblox accounts stolen |
| Malwarebytes-Advisory-2026-05 | Information Disclosure | Microsoft PhantomRPC (feature or bug) |
| Malwarebytes-Advisory-2026-05 | | Fake CAPTCHA scam |