cPanel CVE-2026-41940 mass-exploited — 44,000 servers hit by 'Sorry' ransomware
An auth-bypass flaw in cPanel and WHM, exploited as a zero-day since February, has now been turned into a mass ransomware campaign. Shadowserver counts 44,000 compromised IPs.
CVE-2026-41940 is an authentication bypass in cPanel and WebHost Manager (WHM), caused by a carriage return line feed (CRLF) injection in the login and session-loading paths; it carries a CVSS score of 9.8. An unauthenticated remote attacker forges a whostmgrsession cookie carrying user=root, and from there owns the host, its configuration, every database it manages, and every website it serves. cPanel released the fix on 28 April 2026. CISA added it to the Known Exploited Vulnerabilities catalogue on 1 May. Shadowserver has now counted at least 44,000 compromised IPs running cPanel, with hundreds of victim sites already indexed in Google.
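Because the root cause is CRLF injection on the login and session paths, the cheapest retrospective check is to sweep the control panel's access logs for CR/LF sequences in request targets and Cookie headers. The script below is an added example, not cPanel's code or a published detection rule; it assumes an Apache-style log that also records the Cookie header, the sample lines are constructed, and the "user=root" rule is an assumption drawn from the article's description of the forged cookie, not a confirmed indicator.

```python
import re
from urllib.parse import unquote

# Constructed sample lines: Apache "combined" format plus a final quoted
# %{Cookie}i field (assumption: the panel's log format includes it).
# Session values are obvious placeholders, not real cookies.
SAMPLE_LOG = r'''
203.0.113.7 - - [03/May/2026:10:12:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [03/May/2026:10:12:05 +0000] "GET /login/?user=admin%0d%0aSet-Cookie:%20a=b HTTP/1.1" 200 512 "-" "curl/8.0" "-"
198.51.100.4 - - [03/May/2026:10:13:44 +0000] "GET /cpsess1111111111/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "whostmgrsession=PLACEHOLDER%0d%0auser%3Droot"
198.51.100.5 - - [03/May/2026:10:14:02 +0000] "GET /cpsess2222222222/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "whostmgrsession=PLACEHOLDERSESSIONVALUE"
'''.strip().splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Percent-encoded CR/LF, including the double-encoded form; raw CR/LF
# cannot survive inside a single log line, so only encodings are checked.
CRLF_RE = re.compile(r'%0d|%0a|%250d|%250a', re.IGNORECASE)
SESSION_RE = re.compile(r'whostmgrsession=([^;\s]+)', re.IGNORECASE)

def inspect_line(line: str) -> list[str]:
    """Return findings for one access-log line (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ['unparsed line']
    findings = []
    target, cookie = m['target'], m['cookie']
    if CRLF_RE.search(target):
        findings.append('CRLF sequence in request target')
    if CRLF_RE.search(cookie):
        findings.append('CRLF sequence in Cookie header')
    # Assumption, not a confirmed IoC: a forged WHM session cookie that
    # smuggles "user=root" shows that string once fully URL-decoded.
    s = SESSION_RE.search(cookie)
    if s and 'user=root' in unquote(unquote(s.group(1))).lower():
        findings.append('whostmgrsession cookie carries user=root')
    return findings

def scan(lines) -> dict[str, list[str]]:
    """Map source IP -> findings for every line that trips at least one rule."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        ip = m['ip'] if m else '?'
        if (f := inspect_line(line)):
            hits.setdefault(ip, []).extend(f)
    return hits

if __name__ == '__main__':
    for ip, f in scan(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(f))
```

Run it against the real access log with the file's lines in place of SAMPLE_LOG; any hit dated before 28 April 2026 means the host was exposed during the zero-day window and should be treated as compromised until proven otherwise.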
The exploit is not new. Help Net Security and Rapid7 both report active in-the-wild exploitation since February 2026, two months before the patch. There are around 1.5 million cPanel instances exposed on the standard control-panel ports — 2083, 2087, 2095 and 2096 — and the affected version range covers everything supported after cPanel 11.40, plus WP Squared.
The current campaign drops two payloads on compromised hosts. The first is nuclear.x86, a Mirai variant that recruits the box into a botnet. The second is the “Sorry” ransomware: a Go-based Linux encryptor that appends .sorry to every encrypted file and uses ChaCha20 with an embedded RSA-2048 public key, so decryption without the operator’s private key is not possible. There is no known free decryptor and no leak-site presence — this is encryption-only extortion against web hosts.
Three points worth pulling out.
Shared-hosting control panels are a forgotten asset class. cPanel is rarely on the CMDB, rarely in the EDR estate, and almost never owned by the security team. If your organisation runs any cPanel — directly, through a marketing-site agency, or through an acquired subsidiary that nobody has fully inventoried since the deal closed — that is your problem this week. The first organisations to fall in a campaign like this are the ones that did not know they had the asset at all.
The deeper failure is exposure, not patching. Control-panel ports do not need to be reachable from the open internet. Put them behind a bastion, a VPN, Cloudflare, anything. The 28 April patch is necessary; the network reachability is what made the zero-day window so cheap to exploit at scale.
And the disclosure-to-mass-exploitation window for this one was, in effect, zero. The exploit was live before the CVE existed. Defender response models that assume “patch within 14 days of advisory” do not survive contact with that timeline. The honest answer is that the controls protecting you between zero-day and patch are network-layer ones, and they need to be in place before the next CVE-2026-41940 is announced.