KnownHost
Organisation · US

Web hosting provider whose telemetry dated cPanel exploitation to 23 February 2026, confirming the 65-day zero-day.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Did KnownHost report the cPanel exploitation to WebPros in February, or was the data only shared retrospectively?

Timeline for KnownHost

#330 Apr

Provided telemetry confirming active exploitation from 23 February

Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware active
Common Questions
How did KnownHost know about the cPanel zero-day so early?
KnownHost's server telemetry logged exploitation attempts against cPanel's login daemon from 23 February 2026, 65 days before WebPros released a patch. The company shared this data as part of the post-incident analysis. Source: KnownHost
What is KnownHost?
KnownHost is a US-based web-hosting provider offering managed VPS, dedicated servers, and shared hosting. It gained attention in May 2026 when its server telemetry established that CVE-2026-41940 had been exploited since February.
What is the cPanel zero-day CVE-2026-41940 and was KnownHost affected?
CVE-2026-41940 is a CRLF injection vulnerability in cPanel's login daemon that allowed unauthenticated session hijacking to root. KnownHost's telemetry confirmed exploitation began on 23 February 2026, 65 days before WebPros patched it on 28 April. KnownHost's role was forensic rather than that of a named victim. Source: KnownHost / Rapid7
Why did cPanel providers share exploitation telemetry with researchers?
Hosting providers like KnownHost shared server telemetry to establish the accurate exploitation timeline for CVE-2026-41940. The data showed attacks predated public CVE disclosure by 65 days, confirming a true zero-day window and informing CISA's decision to add the vulnerability to KEV on 30 April 2026. Source: CISA

Background

KnownHost is a US web-hosting provider whose server telemetry provided the earliest confirmed date of exploitation for CVE-2026-41940 in cPanel & WHM. KnownHost data established that active exploitation of the CRLF injection vulnerability in cPanel's login daemon began on 23 February 2026 — a full 65 days before WebPros shipped the emergency patch on 28 April. This makes the vulnerability a true zero-day for its entire exploitation window, not merely an n-day.

KnownHost operates managed hosting, VPS, and dedicated server products, primarily in the US market. Its role in this incident is forensic rather than that of a victim of record: the company shared exploitation data that established the timeline used by security researchers, CISA, and WebPros in post-incident analysis.

The KnownHost telemetry finding highlights the gap between when hosting providers first observe exploitation and when vulnerability disclosure reaches the public record. KnownHost's February telemetry indicates the attack was not an opportunistic scan after CVE publication but either an internally discovered vulnerability or a product of closed-circle threat-actor knowledge.
