cPanel CVE-2026-41940 Mass Exploited as “Sorry” Ransomware Hits Web Hosting Servers

By Ash K

A control panel bug has turned into a hosting-layer emergency.

CVE-2026-41940 is not just another web vulnerability waiting for routine patch cycles. It is a critical authentication bypass in cPanel & WHM that can hand attackers administrative access to hosting infrastructure, and it is now being used in mass “Sorry” ransomware attacks against exposed Linux servers.

The timing is brutal for defenders. cPanel published its emergency security update on April 28, 2026, the CVE was assigned on April 29, and by May 2, BleepingComputer reported widespread exploitation involving a Go-based Linux encryptor that appends the .sorry extension to encrypted files.

What happened

The vulnerability, tracked as CVE-2026-41940, affects cPanel software, including DNSOnly, across all versions after 11.40. cPanel said the issue is an authentication bypass and pushed patched builds across supported release tiers, including 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5. WP Squared was patched in version 136.1.7.

The operational impact is serious because WHM is the server-level administrative interface, while cPanel manages website backends, webmail, files, and databases. A successful bypass can move the attacker from an unauthenticated request to control of the management plane that sits above customer websites.

According to Rapid7’s analysis, CVE-2026-41940 carries a CVSS score of 9.8 and allows unauthenticated remote attackers to gain unauthorized administrative access. The flaw is rooted in the login and session-loading process, where CRLF injection can be abused to manipulate session handling and establish privileged access.

Ransomware followed the exploit window

BleepingComputer reported on May 2, 2026, that attackers had been exploiting the flaw since Thursday to breach servers and deploy a Go-based Linux encryptor tied to “Sorry” ransomware. The ransomware appends .sorry to encrypted files and drops a README.md ransom note in affected folders.

The campaign appears to be moving at internet scale. BleepingComputer cited Shadowserver reporting at least 44,000 compromised IP addresses running cPanel, while Censys separately observed thousands of cPanel or WHM hosts exposing files renamed with the .sorry extension.

Censys said it found 8,859 internet hosts exposing open directories where filenames ended in .sorry, with 7,135 of those identified as running cPanel or WHM. That does not prove every host was compromised through the same path, but the clustering around cPanel infrastructure is the signal defenders cannot ignore.

Why this stands out

This is the kind of vulnerability attackers prize because the exposed service is both internet-facing and high-leverage. Compromising a single WHM instance can put multiple websites, databases, mailboxes, backups, and customer environments within reach.

The ransomware behavior also shows how quickly a control-plane bug can become a business continuity event. Once files are encrypted across web roots, the damage is visible immediately: websites break, customer data may be exposed, backups become critical, and incident response starts under public pressure.

BleepingComputer reported that the Sorry encryptor uses ChaCha20 for file encryption, with the encryption key protected by an embedded RSA-2048 public key. That means recovery without clean backups or the attacker-controlled private key is unlikely.

Defender actions that matter now

Organizations running cPanel & WHM should treat this as both a patching task and a compromise assessment. Updating closes the door, but it does not prove nobody already walked through it.

cPanel’s required action is direct: run the forced update script, verify the installed build, and restart the cPanel service. Servers with disabled automatic updates or pinned update tiers may not auto-update and must be manually identified and remediated.
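The "verify the installed build" step, as an added shell example that is not cPanel's own tooling: it classifies an installed build against the minimum fixed builds the advisory lists, using the version list quoted in this article. The path /usr/local/cpanel/version for the installed build string is an assumption; adjust it if your install differs.

```shell
#!/bin/sh
# Added example, not cPanel's tooling. Classifies an installed cPanel & WHM
# build against the minimum fixed builds the advisory lists for CVE-2026-41940.
# Assumption: the installed build string is readable from /usr/local/cpanel/version.

# Minimum fixed build per release tier, as listed in the advisory.
FIXED_BUILDS="11.86.0.41 11.110.0.97 11.118.0.63 11.124.0.35 11.126.0.54 \
11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# Dotted numeric comparison without relying on sort -V. Returns 0 if $1 >= $2.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Prints fixed | vulnerable | unknown-tier for a build string like 11.110.0.97.
cpanel_build_status() {
    installed="$1"
    tier="${installed%.*.*}"    # 11.110.0.97 -> 11.110
    for fixed in $FIXED_BUILDS; do
        if [ "${fixed%.*.*}" = "$tier" ]; then
            if version_ge "$installed" "$fixed"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    # A tier the advisory does not list (including the EOL builds after 11.40
    # that are still affected) cannot be confirmed fixed: treat it as exposed.
    echo unknown-tier
}

# Live build when the version file exists; otherwise a constructed sample.
installed_build() {
    if [ -r /usr/local/cpanel/version ]; then
        cat /usr/local/cpanel/version
    else
        echo "11.110.0.96"    # constructed sample: one build short of the fix
    fi
}

build="$(installed_build)"
echo "cPanel build $build: $(cpanel_build_status "$build")"
```

Any result other than `fixed` belongs on the remediation list; `unknown-tier` hosts are the pinned or end-of-life installs the article warns will not update on their own.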

Where immediate patching is not possible, cPanel recommends temporary mitigation by blocking inbound traffic to ports 2083, 2087, 2095, and 2096, or stopping cpsrvd and cpdavd. Those are emergency controls, not substitutes for getting onto a fixed version.

Security teams should also review cPanel session artifacts, WHM access logs, web roots, cron jobs, SSH keys, newly created admin users, unexpected files, and signs of webshell or botnet deployment. Censys observed at least two active post-compromise patterns: one involving Mirai variants and another consistent with ransomware activity.
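The compromise-assessment sweep above, as an added shell example (not from the article, Censys, or any vendor): it looks for the two file-level traces the reporting describes, files renamed with the .sorry extension and a README.md ransom note dropped beside them, and lists recent changes to cron and SSH authorized_keys. The default paths are assumptions for a typical cPanel host.

```shell
#!/bin/sh
# Added example, not from the article or any vendor. Triage scan for the
# file-level traces the campaign leaves: files renamed with the .sorry
# extension, README.md ransom notes beside them, and recent changes to cron
# and SSH authorized_keys. The default paths below are assumptions for a
# typical cPanel host; pass your own web root as the first argument.

# Prints the number of files under $1 whose names end in .sorry.
count_sorry_files() {
    find "$1" -type f -name '*.sorry' 2>/dev/null | wc -l | tr -d ' '
}

# Returns 0 if directory $1 holds at least one .sorry file.
has_sorry_sibling() {
    for f in "$1"/*.sorry; do
        if [ -f "$f" ]; then return 0; fi
    done
    return 1
}

# Prints directories under $1 where a README.md sits next to encrypted files.
# A lone README.md is usually a project file; one beside .sorry files matches
# the ransom-note drop described for this campaign.
ransom_note_dirs() {
    find "$1" -type f -name 'README.md' 2>/dev/null | while IFS= read -r note; do
        d="$(dirname "$note")"
        if has_sorry_sibling "$d"; then echo "$d"; fi
    done | sort
}

# Prints files under the given roots modified within the last $1 days.
# Missing roots are skipped so optional locations can be listed freely.
recently_changed() {
    days="$1"; shift
    for root in "$@"; do
        if [ -e "$root" ]; then find "$root" -type f -mtime "-$days" 2>/dev/null; fi
    done
}

WEBROOT="${1:-/home}"
echo ".sorry files under $WEBROOT: $(count_sorry_files "$WEBROOT")"
echo "directories with a ransom note beside encrypted files:"
ransom_note_dirs "$WEBROOT"
echo "cron and authorized_keys files changed in the last 7 days:"
recently_changed 7 /var/spool/cron /etc/cron.d /home/*/.ssh/authorized_keys
```

A non-zero .sorry count confirms encryption already happened; the recent-change list is where the new admin users, cron jobs and keys the text mentions tend to surface, and is worth reviewing even on hosts with no encrypted files.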

NeuraCyb's Assessment

CVE-2026-41940 is another reminder that hosting panels are not administrative conveniences; they are privileged orchestration layers. When they fail, attackers do not need to exploit each website one by one. They can compromise the platform that manages them.

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30, 2026, with a required remediation date of May 3, 2026, for covered federal systems. That short window reflects the reality defenders are already seeing: exploitation moved from disclosure to mass abuse in days, not weeks.

For hosting providers, agencies, MSPs, and businesses running their own cPanel stacks, the priority is clear: patch, verify, investigate, and assume exposed vulnerable systems may already have been touched. In this campaign, the difference between “updated” and “confirmed clean” is the difference between maintenance and incident response.

References

BleepingComputer: Critical cPanel flaw mass-exploited in “Sorry” ransomware attacks

cPanel Security Advisory: CVE-2026-41940 cPanel & WHM / WP2 Security Update

Rapid7: CVE-2026-41940 cPanel & WHM Authentication Bypass

NVD: CVE-2026-41940

Censys: The cPanel Situation Is…

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.