
KnownHost
Web hosting provider whose telemetry dated cPanel exploitation to 23 February 2026, confirming the 65-day zero-day.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Did KnownHost report the cPanel exploitation to WebPros in February, or was the data only shared retrospectively?
Timeline for KnownHost
Provided telemetry confirming active exploitation from 23 February
Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware activeHow did KnownHost know about the cPanel zero-day so early?
What is KnownHost?
What is the cPanel zero-day CVE-2026-41940 and was KnownHost affected?
Background
KnownHost is a US web-hosting provider whose server telemetry provided the earliest confirmed date of exploitation for CVE-2026-41940 in cPanel & WHM. KnownHost data established that active exploitation of the CRLF injection vulnerability in cPanel's login daemon began on 23 February 2026 — a full 65 days before WebPros shipped the emergency patch on 28 April. This makes the vulnerability a true zero-day for its entire exploitation window, not merely an n-day.
KnownHost operates managed hosting, VPS, and dedicated server products, primarily on the US market. Its significance in this incident is forensic rather than as a victim of record: the company shared exploitation data that established the timeline used by security researchers, CISA, and WebPros in post-incident analysis.
The KnownHost telemetry finding highlights the gap between when hosting providers first observe exploitation and when vulnerability disclosure reaches the public record. KnownHost's February telemetry indicates the attack was not an opportunistic scan after CVE publication but either an internally discovered vulnerability or a product of closed-circle threat-actor knowledge.