Skynethosting cPanel shutdown leaves customers without websites for two weeks

When a critical security vulnerability surfaces with a near-perfect severity score, hosting providers face a genuinely hard call. Patch fast and stay online, or take services offline and rebuild cleanly. Skynethosting chose the second path in early May 2026. What followed illustrates how quickly a defensible security decision can unravel without the operational infrastructure to back it up.

On May 1, the company pulled all cPanel-based services offline in response to CVE-2026-41940, a pre-authentication bypass vulnerability carrying a CVSS score of 9.8. The advisory, signed by the company’s Security and Infrastructure Team, framed the shutdown as a protective measure. Crucially, no advance notice reached customers before services disappeared.

By May 4, customers were posting on Web Hosting Talk after finding their entire reseller accounts unreachable, with no support available and no public explanation. By May 9, some of those customers had been offline for eleven days. One reseller reported losing roughly 30 percent of their own clients during that stretch. Another, who had used Skynethosting for eleven years, described the experience as one of the worst support failures they had encountered.

The communication breakdown compounded the technical problems considerably. The company pulled live chat from its website during the outage. Staff left tickets unanswered for more than a week. Recovery estimates of 24 to 72 hours appeared repeatedly in status updates and elapsed without resolution. Customers asking for basic data backups reported receiving no response at all.

Several servers, including Corp1 and USVIP2, carried the label “deeply affected,” with teams running forensic data recovery on both. Community observers described one server as potentially unrecoverable. As of May 14, the company still had not restored cPanel access across the fleet, and some servers remained in active recovery.

The contrast with the broader industry is stark. Other hosting operators applied the available patch within two to three hours of the April 28 advisory. Meanwhile, Skynethosting customers running on DirectAdmin-based servers experienced no disruption at all, since the incident touched only cPanel infrastructure.

Beyond the operational failures, unresolved questions around data access carry real regulatory weight. Customers operating under GDPR, Singapore’s PDPA, or Australian breach notification law face their own disclosure obligations depending on what ultimately happened to data sitting on those affected servers.

For the hosting industry broadly, this incident is a concrete case study in what inadequate incident response actually costs.