
Critical cPanel flaw exploited in mass ransomware attacks

Originally published on: May 4, 2026
Summary

– A critical authentication bypass flaw (CVE-2026-41940) in cPanel and WHM is being mass-exploited to breach websites and deploy “Sorry” ransomware.
– At least 44,000 IP addresses running cPanel have been compromised in ongoing attacks, with exploitation attempts dating back to late February.
– The Sorry ransomware encrypts files using the ChaCha20 stream cipher with an RSA-2048 public key, making decryption impossible without the corresponding private key.
– The ransomware appends a “.sorry” extension to files and leaves a ransom note instructing victims to contact the attacker via Tox to negotiate payment.
– All cPanel and WHM users are urged to immediately install the emergency security update to protect against data theft and ransomware attacks.

A critical security vulnerability in cPanel, tracked as CVE-2026-41940, is now being actively exploited in mass ransomware campaigns that encrypt website data and demand payment under the “Sorry” ransomware banner.

An emergency patch for both WHM and cPanel was rolled out this week to address a severe authentication bypass flaw. The bug lets attackers gain unauthorized access to the web hosting control panels used to manage Linux-based servers and websites. WHM handles server-level administration, while cPanel gives each hosting account access to its own site administration, webmail, and databases.

Shortly after the patch was released, reports confirmed that the vulnerability had already been exploited as a zero-day, with attack attempts traced back to late February. According to Shadowserver, a cybersecurity watchdog, at least 44,000 IP addresses running cPanel have been compromised in these ongoing attacks.

Multiple sources informed BleepingComputer that hackers have been leveraging this flaw since Thursday to infiltrate servers and deploy a Go-based Linux encryptor known as Sorry ransomware. Victims have flooded forums with reports of encrypted files, including samples shared on the BleepingComputer forums. The scale of the attacks is significant: hundreds of compromised sites are already indexed by Google.

The Sorry ransomware appends a .sorry extension to every file it encrypts. Files are encrypted with the ChaCha20 stream cipher, and the ChaCha20 key is in turn protected with an RSA-2048 public key embedded in the encryptor, so only the holder of the matching private key can recover it. “Decryption is impossible without an RSA-2048 private key,” ransomware expert Rivitna posted.

Each affected folder contains a README.md ransom note, instructing victims to contact the attackers via Tox using the ID 3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724. Notably, this campaign is unrelated to a 2018 ransomware incident that also used the .sorry extension but employed a different encryptor.
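As an added example (not code from the article, BleepingComputer, or cPanel), the Python script below turns the indicators in the paragraph above into a triage check an incident responder can run against a suspect account's home directory: it inventories files carrying the .sorry extension, treats a README.md as a ransom note only when it contains a 76-hex-character Tox ID (a Tox ID is a 32-byte public key, a 4-byte nospam value and a 2-byte checksum), flags folders that hold encrypted files but no note, and recovers original file names by stripping the appended extension. The directory layout and note text it builds are constructed sample data; the real note's wording is not reproduced, only the Tox ID quoted in the article.

```python
"""Added triage helper for the Sorry ransomware indicators described above.
Example code written for this page, not from BleepingComputer or cPanel."""
import os
import re
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".sorry"
NOTE_NAME = "README.md"
# A Tox ID is 76 hex characters: 32-byte public key + 4-byte nospam + 2-byte checksum.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
# Tox ID quoted from the ransom note in the article; any other ID is still reported.
KNOWN_TOX_ID = "3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724"


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)    # paths ending in .sorry
    notes: dict = field(default_factory=dict)              # note path -> Tox IDs found
    dirs_missing_note: list = field(default_factory=list)  # .sorry files but no note
    known_tox_id_seen: bool = False

    def original_names(self):
        """Pre-encryption file names, recovered by stripping the appended extension."""
        return [p[: -len(ENCRYPTED_EXT)] for p in self.encrypted_files]


def triage(root):
    """Walk `root` and collect the indicators; nothing is modified on disk."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        has_encrypted = False
        tox_ids = []
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                report.encrypted_files.append(path)
                has_encrypted = True
            elif name == NOTE_NAME:
                # A README.md counts as a ransom note only if it carries a Tox ID;
                # ordinary project READMEs are ignored.
                with open(path, "r", errors="replace") as fh:
                    tox_ids = TOX_ID_RE.findall(fh.read())
                if tox_ids:
                    report.notes[path] = tox_ids
        if any(i.upper() == KNOWN_TOX_ID for i in tox_ids):
            report.known_tox_id_seen = True
        if has_encrypted and not tox_ids:
            # Edge case: encryption interrupted before the note was written, or the
            # note already removed. Still worth surfacing to the investigator.
            report.dirs_missing_note.append(dirpath)
    return report


def build_sample_tree():
    """Constructed sample data (not a real capture) laid out like a cPanel account."""
    root = tempfile.mkdtemp(prefix="sorry-triage-")
    note = ("Your files have been encrypted.\n"            # constructed note text,
            "Contact us on Tox: " + KNOWN_TOX_ID + "\n")    # not the real wording
    layout = {
        "public_html/index.php.sorry": "ciphertext",
        "public_html/config.php.sorry": "ciphertext",
        "public_html/README.md": note,
        "public_html/uploads/photo.jpg.sorry": "ciphertext",  # no note in this folder
        "tools/README.md": "# Build scripts\nRun make.\n",    # legitimate README
        "tools/build.sh": "echo ok\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree, triage it and return the report."""
    return triage(build_sample_tree())


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.encrypted_files)} encrypted files, {len(r.notes)} ransom notes, "
          f"{len(r.dirs_missing_note)} folders with .sorry files but no note, "
          f"known Tox ID seen: {r.known_tox_id_seen}")
```

On a real server, point `triage()` at the account's home directory (for example /home/<account>) rather than at the sample tree, and treat the recovered original names as the restore list to check against the last clean backup.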

All cPanel and WHM users are urged to install the available security updates immediately to prevent data theft and ransomware attacks. Patching closes the entry point but does not undo an existing compromise, so servers that were exposed while unpatched should also be checked for the indicators described above. Given that the ransomware phase of the campaign began only days ago, the threat is expected to escalate significantly in the coming days and weeks.

(Source: BleepingComputer)
