cPanel [CVE-2026-41940] Mass-Exploited in 'Sorry' Ransomware Attacks
A critical authentication bypass vulnerability, CVE-2026-41940, in cPanel & WHM has been actively mass-exploited as a zero-day since February 2026, facilitating widespread "Sorry" ransomware attacks that specifically target web hosting servers with a Go-based Linux encryptor. This flaw allows unauthenticated remote attackers to gain unauthorized administrative access, giving them control over host systems, configurations, databases, and managed websites. The vulnerability carries a CVSS score of 9.8, indicating its critical severity.
What Happened
WebPros International L.L.C., the developer of cPanel, released security updates for CVE-2026-41940 on April 28, 2026, just hours after publishing a security advisory, as reported by Help Net Security. The exploitation, however, had been observed since late February 2026, meaning the flaw was actively exploited as a zero-day for approximately two months before a patch was made available.
Hosting providers, including KnownHost, HostPapa, InMotion, and Namecheap, immediately responded by blocking access to cPanel & WHM ports and implementing security updates following notification, according to BleepingComputer. The fixes were incorporated into cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20, as well as WP Squared version 136.1.7.
Why It Matters
The mass exploitation is directly linked to "Sorry" ransomware attacks, where threat actors breach servers and deploy a Go-based Linux encryptor. Internet security watchdog Shadowserver reported that at least 44,000 IP addresses running cPanel have been compromised in these ongoing attacks, a figure corroborated by BleepingComputer. This scale of compromise underscores the critical impact on the web hosting ecosystem.
Successful exploitation grants an attacker full control over the cPanel host system, its configurations, and all associated databases, thereby jeopardizing every website hosted on shared servers. The Canadian Centre for Cyber Security warned that such control could lead to significant server configuration modifications and complete compromise of hosted websites, as reported by SecurityWeek. Shodan scans reveal approximately 1.5 million internet-accessible cPanel instances, many of which were likely vulnerable.

Technical Breakdown
The vulnerability, classified as an improper input validation flaw (CWE-20) or insufficient granularity of access control (CWE-1220), stems from how the cPanel service daemon (cpsrvd) handles session files before authentication. Specifically, cpsrvd was found to write a new session file to disk prior to full authentication. Attackers could manipulate a cookie by omitting an expected segment of its value. This manipulation caused attacker-controlled credentials to be written in plaintext into the session file. The session file could then be reloaded, effectively authenticating the attacker with administrative privileges.
Think of it like this: Imagine a hotel where you get a temporary key card (the cookie) to enter a lobby (the cPanel service daemon) before checking in. If you could subtly alter your temporary key card by removing a specific identifier, the hotel's system might mistakenly issue you a permanent master key card (the session file with plaintext admin credentials) before it verifies your identity. You could then use this master key to access any room. This bypass allows for full administrative takeover.
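To make the defect class concrete, here is a small, generic illustration written for this write-up (not cpsrvd's code, and not derived from any cPanel source): a login handler that persists a session record, including the submitted credentials, before verifying them, next to a hardened handler that persists nothing until verification succeeds and never stores the password at all. The credential store, session directory layout and field names are constructed for the demonstration; the page does not describe cPanel's real cookie or session-file format, and this example does not attempt to.

```python
"""Write-then-verify versus verify-then-write session handling.

Added example for this write-up; a generic toy, not cpsrvd's code. The
credential store, session directory and record fields are constructed
for the demonstration only."""

import hmac
import json
import os
import secrets
import tempfile
from typing import Optional

# Constructed demo credential store (a real service would hold password hashes).
DEMO_USERS = {"admin": "constructed-demo-password"}


def credentials_valid(user: str, password: str) -> bool:
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def vulnerable_login(session_dir: str, user: str, password: str) -> Optional[str]:
    """Write-then-verify: the session file hits disk, with plaintext credentials,
    before anyone knows whether they are valid. A failed attempt still leaves an
    attacker-chosen record behind that later code may be tempted to trust."""
    sid = secrets.token_hex(16)
    path = os.path.join(session_dir, sid)
    record = {"user": user, "password": password, "authenticated": False}
    with open(path, "w") as fh:
        json.dump(record, fh)
    if not credentials_valid(user, password):
        return None  # the file with plaintext credentials stays on disk
    record["authenticated"] = True
    with open(path, "w") as fh:
        json.dump(record, fh)
    return sid


def hardened_login(session_dir: str, user: str, password: str) -> Optional[str]:
    """Verify-then-write: nothing is persisted for a failed attempt, and the
    record never contains the password, only who authenticated."""
    if not credentials_valid(user, password):
        return None
    sid = secrets.token_hex(16)
    record = {"user": user, "authenticated": True}
    tmp = os.path.join(session_dir, f".{sid}.tmp")
    with open(tmp, "w") as fh:
        json.dump(record, fh)
    os.replace(tmp, os.path.join(session_dir, sid))  # publish atomically
    return sid


def session_files_after_failed_login(login) -> list:
    """Run one failed login through `login` in a fresh directory and return
    whatever records it left on disk, so the two handlers can be compared."""
    with tempfile.TemporaryDirectory() as d:
        if login(d, "admin", "wrong-password") is not None:
            raise RuntimeError("login should have failed")
        records = []
        for name in os.listdir(d):
            with open(os.path.join(d, name)) as fh:
                records.append(json.load(fh))
        return records


def successful_login_record(login) -> dict:
    """Return the persisted record for a successful login through `login`."""
    with tempfile.TemporaryDirectory() as d:
        sid = login(d, "admin", "constructed-demo-password")
        if sid is None:
            raise RuntimeError("login should have succeeded")
        with open(os.path.join(d, sid)) as fh:
            return json.load(fh)


if __name__ == "__main__":
    print("vulnerable, failed login left:", session_files_after_failed_login(vulnerable_login))
    print("hardened, failed login left:  ", session_files_after_failed_login(hardened_login))
    print("hardened, success stores:     ", successful_login_record(hardened_login))
```

The two properties worth carrying over to any session layer are visible in the comparison: a failed attempt must leave no server-side state that the client influenced, and a session record should identify an authenticated principal rather than carry the secret used to authenticate it.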
This attack maps to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) for initial access, followed by T1078 (Valid Accounts) as the session manipulation creates valid credentials. Post-exploitation activities, such as deploying the "Sorry" ransomware, would leverage T1105 (Ingress Tool Transfer) for payload delivery and T1486 (Data Encrypted for Impact). The associated NIST SP 800-53 control most relevant here is IA-2 Identification and Authentication (Organizational Users), as the flaw directly undermines the integrity of the authentication process. Effective endpoint detection and response tools like CrowdStrike Falcon or SentinelOne would be crucial for detecting the post-exploitation activities and ransomware deployment in such scenarios.
Historical Context
This cPanel zero-day echoes the widespread exploitation of the Apache Struts 2 vulnerability (CVE-2017-5638) in March 2017. That flaw allowed remote code execution on web servers running vulnerable Struts versions, leading to significant breaches, most notably the Equifax data breach that affected over 147 million individuals. Like the cPanel flaw, the Struts vulnerability provided an unauthenticated entry point to critical systems. The key difference lies in the mechanism: the Struts flaw was in Content-Type header parsing, whereas cPanel's involved session file creation and cookie manipulation. Both, however, presented an immediate, critical threat to internet-facing web infrastructure, allowing attackers to pivot quickly to data exfiltration or, in this case, ransomware deployment.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| CVSS Score | 9.8 | NVD |
| Days as Zero-Day | ~60 days | Help Net Security |
| Exploited IP Addresses | 44,000+ | BleepingComputer |
| Affected cPanel Versions | 8 versions | BleepingComputer |
| Internet-Accessible cPanel | 1.5 million | SecurityWeek |

Our Take
We're seeing a clear pattern where critical infrastructure components become prime targets for zero-day exploitation, given their broad reach. The delay between initial exploitation and patch availability for CVE-2026-41940 highlights the industry's ongoing struggle with proactive threat intelligence and rapid vulnerability disclosure. While major hosting providers acted swiftly post-advisory, many smaller organizations might still be exposed, underscoring the necessity for automated vulnerability management and continuous monitoring.
The CVEDaily Take
This cPanel zero-day demonstrates that even seemingly minor input validation flaws can cascade into critical authentication bypasses when chained with specific service daemon behaviors. The "Sorry" ransomware campaign serves as a stark reminder that unpatched, internet-facing administrative panels remain a goldmine for financially motivated attackers. Has your team conducted a comprehensive audit of all public-facing cPanel instances and their patch status since the April 28 update?
FAQ
Q: Which cPanel versions are affected by CVE-2026-41940?
A: The vulnerability primarily affected cPanel & WHM versions 11.86.0.40 and earlier, 11.110.0.96 and earlier, 11.118.0.62 and earlier, 11.126.0.53 and earlier, 11.130.0.18 and earlier, 11.132.0.28 and earlier, 11.136.0.4 and earlier, and 11.134.0.19 and earlier. It also impacted WP Squared version 136.1.6 and earlier.
Q: What is the "Sorry" ransomware and how does it operate?
A: The "Sorry" ransomware is a Go-based Linux encryptor deployed after exploiting CVE-2026-41940. It appends the ".sorry" extension to encrypted files and uses the ChaCha20 stream cipher with an RSA-2048 public key for encryption, making files irrecoverable without the decryption key.
Q: What immediate actions should cPanel administrators take?
A: All cPanel & WHM installations should be immediately updated to versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, or 11.134.0.20, and WP Squared to 136.1.7 or later. Additionally, administrators should review logs for suspicious activity dating back to February 2026, particularly related to unauthorized access attempts to cpsrvd or new session file creation. Implement robust backup solutions like Veeam for all hosted data.
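Because the fix landed in eight separate release branches, "is my build patched?" is a per-branch comparison rather than a single threshold. The following helper, added for this write-up (it is not WebPros or cPanel tooling), encodes the fixed versions listed in the answers above and reports whether a given version string is at or above the fix for its branch. The path `/usr/local/cpanel/version` is assumed to hold the installed version on a standard cPanel server and is only read when no version is passed on the command line; a branch that is not in the advisory's list is reported as unknown, not as safe.

```python
"""Check a cPanel & WHM version string against the CVE-2026-41940 fixed builds.

Added helper for this write-up, not vendor tooling. FIXED_VERSIONS is the
list from the advisory as quoted above; the version file path is an
assumption about a standard cPanel install."""

from typing import Optional, Tuple

# First patched build in each affected release branch (from the advisory).
FIXED_VERSIONS = (
    "11.86.0.41", "11.110.0.97", "11.118.0.63", "11.126.0.54",
    "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5",
)

VERSION_FILE = "/usr/local/cpanel/version"  # assumed location of the installed version


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.136.0.4' -> (11, 136, 0, 4); rejects anything that is not four integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected cPanel version format: {text!r}")
    return parts


# Branch key (major, minor) -> first fixed build in that branch.
_FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}


def assess(version: str) -> Optional[bool]:
    """True if the build carries the fix, False if it is an affected build below
    the fix for its branch, None if the branch is not in the advisory's list
    (which is not evidence of safety; confirm with the vendor)."""
    v = parse_version(version)
    fixed = _FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def describe(version: str) -> str:
    """Human-readable verdict for one version string."""
    state = assess(version)
    if state is None:
        return f"{version}: branch not covered by the advisory list; verify with the vendor"
    if state:
        return f"{version}: includes the CVE-2026-41940 fix"
    fixed = _FIXED_BY_BRANCH[parse_version(version)[:2]]
    return f"{version}: VULNERABLE, update to {'.'.join(map(str, fixed))}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        with open(VERSION_FILE) as fh:  # assumed path, see module docstring
            target = fh.read()
    print(describe(target))
```

Run it as `python3 check_cpanel_cve_2026_41940.py 11.136.0.4` on a workstation, or with no argument on the server itself; in a fleet, feed it each host's version string and treat both `VULNERABLE` and `branch not covered` results as work items.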