The cPanel Incident Exposed a Gap Most Businesses Don’t Know They Have


In late April 2026, attackers exploited a near-perfect severity vulnerability in cPanel, the control panel software running beneath an estimated 70 million websites, and walked into unpatched servers without a password, using a flaw that had been actively exploited since February, two full months before a patch existed. No phishing, no social engineering. The businesses hit hardest weren’t just unlucky: many were running older, unsupported versions of cPanel that the emergency fix never even applied to. For them, the migration they’d been deferring became the most expensive decision they never made.

The Story Behind the Story

Most of the coverage landed on “patch immediately.” That’s fair advice, but it skips the part that matters more for most businesses.

What cPanel’s own guidance said about older, unsupported versions: they won’t be getting a patch. Not today, not as part of any future release cycle.

Old systems don’t announce themselves as a liability. They just quietly age out of support with no alarm, no warning label, no flashing red light. One year they’re current, and a few years later the vendor has moved on, the security patches have stopped, and a business is running on a cloud environment that looks fine from the outside but has no protection underneath.

If you were on a legacy version of cPanel that had already aged out of support, the emergency update that protected everyone else simply didn’t apply. There was no fix coming. The only path forward was a migration to a supported platform. The same migration that had been sitting on the list for months, or years, because it felt expensive, risky, and not urgent enough to prioritize.

That deferred migration didn’t save money: it turned into the emergency.

Why Businesses End Up Here

Businesses running on old systems aren’t careless; they’re busy. They inherited a setup that was working fine when they took it over. They got a solid deal on hosting years ago and never had a reason to move. The servers are humming, the site is loading, nobody’s complaining.

That’s how a cloud environment gets old: not through negligence, but through momentum.

And here’s what makes that uncomfortable: attackers know exactly how this works. They actively scan for servers running outdated, unprotected software versions because they know those servers won’t have the patches. The gap between “old” and “exposed” is smaller than most people realize, and it closes faster than anyone expects.

When the cPanel vulnerability hit, it wasn’t random. Who got hurt was entirely predictable.

What This Actually Costs

Nobody woke up the morning of April 28th and thought, “Today feels like a good day to get breached.” Nobody budgeted for emergency remediation, forensic investigation, customer notification, potential regulatory exposure, reputational damage, or weeks of cleanup work. But that’s what landed on some desks.

IBM puts the average cost of a data breach at over $4 million. Even a fraction of that, a few days of downtime, an emergency call to a security firm, notifying affected customers, can gut a small or mid-sized business in practice, not just in theory.

And the cruel irony for businesses running older, unsupported systems is that the migration they’d been deferring because it cost too much suddenly looked like the cheapest option on the table.

Where to Start

The cPanel incident isn’t a reason to panic so much as a reason to get honest about where things stand.

Three questions worth getting real answers to:

  • Do you know what version of cPanel, or any core software in your stack, your site is running on?
  • Is it a supported version that still receives security updates?
  • When did someone last take a hard look at your environment?

If the answers aren’t clear, you’re not alone. Most business owners don’t know. It’s a gap that’s straightforward to close once you decide to look at it.

What Nexcess Customers Experienced

When the cPanel vulnerability hit, customers on current, supported Nexcess cloud environments were protected, and not because of luck. Keeping cloud environments current and patched is what we’re here to do. Managed hosting exists precisely so you don’t have to monitor CVE databases or respond to emergency bulletins at 2am.

But this incident also made something visible that’s easy to overlook: a lot of businesses are running on cloud environments older than they realize. Platforms age out of support while decisions get made based on the costs that are visible rather than the costs that aren’t.

If any part of this made you think “I should probably look into this,” that instinct is worth following.

Ask whoever manages your hosting a simple question: “Are we on a current, supported version? When were we last patched?”

If the answer is unclear, let’s talk. Not to push you toward anything, but because you deserve to know exactly where you stand. That conversation costs nothing. The alternative can cost quite a lot more.

This is the first piece in our Price of Old series. Part 2: The Upgrade Looks Expensive Until You Price the Alternative. Part 3: The cPanel Incident Was the Validation You Couldn’t Get Internally. Part 4: Your Cloud Environment Should Be the Last Thing on Your Mind.
