
Active Exploitation of cPanel Vulnerability CVE-2026-41940 Underway

Summary

– Attackers are using CVE-2026-41940 to mass-exploit cPanel instances, deploying the “Sorry” ransomware that encrypts files with a .sorry extension and demands payment via Tox or Bitcoin.
– Censys found 8,859 hosts with open directories containing “.sorry” files, with 7,135 running cPanel or WHM, indicating large-scale automated exploitation and backup wiping.
– A separate campaign is deploying Mirai botnet variants, like nuclear.x86, to create admin accounts, disable logging, and drop cryptocurrency miners and DDoS clients on compromised cPanel servers.
– cPanel updated its detection script and patches; administrators should check for compromise via suspicious session files in /var/cpanel/sessions/raw/ and verify patch status by running /usr/local/cpanel/cpanel -V.
– A distinct nation-state campaign is using the vulnerability for cyber espionage, targeting government and military entities in South-East Asia, as well as MSPs and hosting providers globally.

The situation surrounding the critical cPanel authentication bypass vulnerability (CVE-2026-41940) has escalated sharply since our first report. What began as exploratory probing has turned into full-scale exploitation by multiple threat actors, resulting in defaced websites, ransomware infections, malware deployment, and targeted intrusions.

“Sorry” ransomware

Attackers are actively exploiting CVE-2026-41940 to compromise vulnerable, internet-facing cPanel instances at scale. Once inside, they deface websites, encrypt data, and deploy ransomware. The encryptor, a Go-based Linux binary, appends the .sorry extension to affected files and drops a ransom note instructing victims to contact the attackers via Tox.

The scale of the campaign is already alarming. Internet scanning platform Censys has identified 8,859 hosts exposing open directories where filenames end in “.sorry.” Of those, 7,135 are confirmed to be running cPanel or WHM, strong evidence of automated, widespread exploitation.

Encrypted files in these directories follow a consistent naming pattern across victims, with common web application files systematically renamed. Reports indicate that attackers are also wiping backups to prevent recovery.

In other incidents, websites are defaced and the ransom note demands 0.1 BTC be sent to a specified wallet. Victims are also instructed to tweet a message that will alert the attackers, who then ostensibly assist with file recovery.

A Reddit user whose server was compromised shared a detailed timeline. Beyond file encryption, their server was also used to brute-force attack other servers, indicating the compromised system was weaponized for further attacks.

On May 1, the Shadowserver Foundation detected over 44,000 unique cPanel-related IPs scanning, running exploits, or conducting brute-force attacks against their honeypot sensors. That number dropped significantly to 3,540 by May 4.

The Mirai campaign

A separate, parallel campaign is deploying Mirai botnet variants after gaining access, according to Indian web hosting provider HostMyCode.

They documented the nuclear.x86 Mirai variant specifically targeting vulnerable cPanel installations. Compromised servers are used to create new administrative accounts, disable security logging, modify firewall rules for persistence, drop cryptocurrency miners and DDoS bot clients, and harvest credentials from other hosted accounts.

“Successful compromises often lead to attacks on customer websites. They also target email systems and database servers hosted on the same infrastructure,” the company noted.

Censys has confirmed this campaign remains active based on ongoing scan data.

Detection and remediation

Since Thursday, cPanel has updated its detection script for known indicators of compromise after the initial version produced a significant number of false positives. Anyone who ran the script at initial disclosure should run it again. The company has also released updated cPanel patch versions and revised some of its initial guidance.

For administrators seeking a deeper check, the most telling signs of compromise are in the session directory. Suspicious entries in /var/cpanel/sessions/raw/, that is, pre-auth session files containing `user=root`, `hasroot=1`, `tfa_verified=1`, or multiple `pass=` lines, are strong evidence of a breach. cPanel advises auditing WHM for unexpected user accounts, SSH keys, and cron jobs that were not previously present.
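One way to triage the session directory for exactly those indicators, as an added example that is not cPanel's detection script: it flags any file containing `user=root`, `hasroot=1`, `tfa_verified=1` or more than one `pass=` line, and the demo runs it over constructed sample session files rather than real ones.

```shell
#!/bin/sh
# Added example, not cPanel's own detection script. Flags session files in a
# cPanel raw session directory that show the indicators described above:
# user=root, hasroot=1, tfa_verified=1, or more than one pass= line.
# Run against the real directory as root: scan_cpanel_sessions /var/cpanel/sessions/raw
scan_cpanel_sessions() {
  dir="$1"
  hits=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    reasons=""
    # Exact whole-line matches (-x) avoid false hits such as user=rootbeer
    grep -qx 'user=root' "$f"      && reasons="$reasons user=root"
    grep -qx 'hasroot=1' "$f"      && reasons="$reasons hasroot=1"
    grep -qx 'tfa_verified=1' "$f" && reasons="$reasons tfa_verified=1"
    # Several pass= lines in a single session file is itself an indicator
    npass=$(grep -c '^pass=' "$f" || true)
    [ "$npass" -gt 1 ] && reasons="$reasons pass-lines=$npass"
    if [ -n "$reasons" ]; then
      hits=$((hits + 1))
      echo "SUSPICIOUS $f:$reasons" >&2
    fi
  done
  echo "$hits"   # number of suspicious files, printed on stdout
}

# Self-contained demo on constructed session files (sample data, not real sessions).
demo_scan() {
  tmp=$(mktemp -d)
  printf 'user=alice\npass=hunter2\nhasroot=0\n' > "$tmp/sess_ok"
  printf 'user=root\nhasroot=1\ntfa_verified=1\n' > "$tmp/sess_root"
  printf 'user=bob\npass=a\npass=b\npass=c\n' > "$tmp/sess_multipass"
  scan_cpanel_sessions "$tmp"
  rm -rf "$tmp"
}

demo_scan   # prints 2
```

Suspicious file names and the matching indicators go to stderr so the stdout count can be used in scripts; any hit should be followed by the WHM account, SSH key and cron audit cPanel advises.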

If those checks come back clean, the next step is verifying that the patch actually took effect. Administrators can run `/usr/local/cpanel/cpanel -V` and confirm the build version matches the patched release. If using a hosting provider, verify patch status directly with them.

For those who do find indicators of compromise, Linux server management provider Nocinit has outlined steps to “evict the most common persistence and re-entry paths used after a CVE-2026-41940 compromise: stolen credentials, planted SSH keys, hidden cron jobs, leftover API tokens, sudoers backdoors, and an unfiltered control-plane port.”

Still, they emphasize that if indicators of compromise are present, rebuilding from clean backups is the safest course of action.

Nation-state targeting

This advice may suffice for victims of the campaigns described above, but other attacks underway will require more in-depth investigation.

Ctrl-Alt-Intel threat researchers have identified a distinct campaign leveraging CVE-2026-41940 for cyber espionage.

“On 2nd May 2026, Ctrl-Alt-Intel identified an exposed attacker staging server that provided direct visibility into one such operation. From this infrastructure, we observed an unknown threat actor interactively targeting government and military entities in South-East Asia, alongside a smaller set of MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States,” they said.

“The actor relied heavily on public proof-of-concept code for CVE-2026-41940. Exposed threat actor data also detailed a separate custom exploit chain for an Indonesian defence-sector training portal, alongside evidence of earlier exfiltration of Chinese railway-sector data.”

Ctrl-Alt-Intel stopped short of firm attribution but noted that the combination of victimology, post-compromise pivoting, and the nature of the exfiltrated data makes this activity more significant than routine opportunism. The researchers have shared indicators of compromise related to this campaign.


(Source: Help Net Security)
