cPanel Infrastructure Crisis: Zero-Day Cascade Exposes 70 Million Domains
Four emergency patches in 23 days reveal shared hosting's systemic vulnerability as AI-assisted exploit discovery outpaces defence cycles.
A CVSS 10.0 zero-day in LiteSpeed’s cPanel plugin is under active exploitation for root-level server takeover, marking the third emergency security release in three weeks for cPanel—the control panel software managing over 70 million domains globally.
The vulnerability, tracked as CVE-2026-48172, affects LiteSpeed cPanel user-end plugin versions 2.3 through 2.4.4. Security researcher David Strydom reported the flaw on May 19, triggering an emergency patching cycle that saw LiteSpeed release fixes within hours and cPanel force-remove the vulnerable plugin from all managed servers by May 19—12 hours ahead of schedule.
The exploit requires only a valid cPanel user account—even a customer with basic website and email access. The flaw resides in the lsws.redisAble function, which can be abused to execute arbitrary scripts with root privileges. Gotekky characterised the threat model bluntly: “Any cPanel user account, including a customer with only a website and email, becomes a candidate for taking over the entire server.”
A 23-Day Cascade of Failures
What began on April 28, 2026 as the disclosure of a single critical authentication bypass has cascaded into the most severe sustained security incident cPanel has experienced, according to MyGlobalHost. cPanel’s development team has issued four separate Technical Security Releases in 23 days, addressing vulnerabilities ranging from CVSS 4.3 to 9.8.
The April 28 authentication bypass proved particularly damaging. Copahost reported at least 44,000 IP addresses running cPanel were compromised and deployed with ransomware—a campaign that had been running undetected since late February, roughly two months before the vulnerability was patched.
Shared Hosting’s Systemic Weakness
cPanel occupies a dominant position in web hosting infrastructure. The software holds approximately 94% market share in the dedicated web hosting control panel category, per 6sense, with over 1.5 million internet-exposed instances identified via Shodan scanning. That concentration creates a systemic risk: a single vulnerability in cPanel or its plugin ecosystem can expose millions of websites simultaneously.
cPanel is a web hosting control panel that provides a graphical interface and automation tools for managing web servers. It sits as a software layer between the Linux operating system and hosted websites, making it a high-value target for attackers seeking to compromise multiple sites or pivot to full server control. The software is typically deployed on shared hosting platforms where dozens or hundreds of customer websites reside on a single physical server.
The LiteSpeed plugin vulnerability exemplifies this multiplier effect. Because the plugin runs with elevated privileges and is accessible to any tenant on a shared server, a single compromised account can cascade into full infrastructure takeover. The attack surface extends beyond traditional security perimeters—hosting providers can enforce network segmentation and firewall rules, but they cannot prevent a legitimate user from exploiting application-layer flaws in the control panel itself.
The AI-Assisted Vulnerability Spike
The cPanel crisis coincides with a broader acceleration in vulnerability discovery. Copahost noted that “the window between a vulnerability becoming known to attackers and being exploited in production is shrinking from weeks to days.”
This compression reflects two trends. First, AI-assisted security research is finding bugs faster than coordinated disclosure processes can handle them. Second, the same tools that help researchers discover flaws also help attackers weaponise them. The CVE-2026-41940 authentication bypass was exploited for two months before detection, suggesting attackers had either discovered it independently or obtained early knowledge through non-public channels.
“Following the initial report from security researcher David Strydom on May 19, 2026, LiteSpeed and the cPanel/WebPros team initiated an urgent response cycle.”
— CyberSecurityNews
The May 2026 security cycle extended beyond cPanel itself. PHP released emergency patches on May 7 addressing a CVSS 9.5 remote code execution flaw plus SOAP extension vulnerabilities commonly enabled by default on cPanel shared hosting, per MonsterMegs. The PHP patches (versions 8.5.6, 8.4.21, 8.3.31, 8.2.31) arrived two weeks before the LiteSpeed zero-day disclosure, creating a stacked exposure window where hosting providers faced multiple urgent patch cycles simultaneously.
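For teams working through the stacked patch window described above, the following added example (not code from cPanel, LiteSpeed or any source cited here) triages a host inventory against the affected plugin range and the patched PHP releases quoted in this article. The inventory format and hostnames are constructed, and it assumes that a patch level below the listed release on the same PHP branch is unpatched.

```python
# Affected LiteSpeed cPanel user-end plugin range (inclusive), per the article.
LSWS_AFFECTED = ((2, 3, 0), (2, 4, 4))
# Patched PHP releases per the article: branch -> first fixed patch level.
PHP_PATCHED = {(8, 5): 6, (8, 4): 21, (8, 3): 31, (8, 2): 31}

# Constructed inventory rows: (host, plugin version or None, PHP version).
SAMPLE = [
    ("web01.example.test", "2.4.4", "8.3.30"),
    ("web02.example.test", "2.4.5", "8.4.21"),  # 2.4.5: constructed, outside range
    ("web03.example.test", None, "7.4.33"),
    ("web04.example.test", "2.3", "8.5.6"),
]

def parse(version):
    """Turn '2.3' into (2, 3, 0); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def lsws_plugin_affected(version):
    low, high = LSWS_AFFECTED
    return low <= parse(version) <= high

def php_needs_patch(version):
    """True/False for branches the article lists, None for any other branch."""
    v = parse(version)
    fixed = PHP_PATCHED.get(v[:2])
    return None if fixed is None else v[2] < fixed

def triage(inventory):
    report = {}  # host -> list of findings, only for hosts that have any
    for host, plugin, php in inventory:
        findings = []
        if plugin and lsws_plugin_affected(plugin):
            findings.append(f"LiteSpeed plugin {plugin} is in the affected range")
        state = php_needs_patch(php)
        if state is None:
            findings.append(f"PHP {php}: branch not listed, review manually")
        elif state:
            findings.append(f"PHP {php} is below the patched release")
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in triage(SAMPLE).items():
        print(host, "->", "; ".join(findings))
```

Hosts on a PHP branch the article does not list are reported for manual review rather than treated as safe.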
What to Watch
The forced removal of LiteSpeed’s plugin from cPanel servers mitigates immediate exploitation risk, but the broader pattern suggests structural problems. Hosting providers face mounting pressure to accelerate patch deployment cycles while managing customer disruption from emergency updates. The 23-day cascade from April 28 to May 19 likely represents a new baseline rather than an anomaly.
- Monitor for post-compromise indicators on shared hosting infrastructure deployed before May 19, particularly Redis-related configurations and privilege escalation attempts via cPanel user accounts.
- Track whether cPanel adopts architectural changes to reduce plugin attack surface—current design allows third-party code to run with elevated privileges by default.
- Watch for disclosure timelines on future cPanel vulnerabilities. If the gap between discovery and exploitation continues to compress, zero-day exploitation may become the default threat model rather than the exception.
- Evaluate exposure for organisations relying on managed hosting or reseller platforms where cPanel provides the primary administrative interface—privilege escalation via tenant accounts bypasses traditional perimeter security.