Critical cPanel flaw exploited in “Sorry” ransomware attacks
Emergency patch follows active exploitation
A newly disclosed cPanel vulnerability tracked as CVE-2026-41940 is being mass-exploited in ransomware attacks that breach websites and encrypt data, according to researchers and incident reports.
This week, WHM and cPanel released an emergency update to fix a critical authentication bypass flaw that can let attackers access control panels. WHM and cPanel are Linux-based hosting tools used to manage servers and websites, with WHM handling server-level administration and cPanel providing access to website backends, webmail, and databases.
Soon after the fix was released, the flaw was reported as actively exploited in the wild as a zero-day, with exploitation attempts dating back to late February. Internet security watchdog Shadowserver says at least 44,000 IP addresses running cPanel have since been compromised in ongoing attacks.
Multiple sources told BleepingComputer that hackers have been using the flaw since Thursday to break into servers and deploy a Go-based Linux encryptor tied to the “Sorry” ransomware family. Reports of impacted websites have since spread, including forum posts from victims sharing encrypted file samples and ransom note contents. Hundreds of compromised sites have already been indexed in Google.
The Linux encryptor appends a “.sorry” extension to encrypted files and uses the ChaCha20 stream cipher, with the encryption key protected by an embedded RSA-2048 public key. Ransomware expert Rivitna says decryption is not possible without the matching private RSA-2048 key.
“In each folder, a ransom note named README.md is created, instructing the victim to contact the threat actor on Tox to negotiate a ransom payment,” the report said. The note is reportedly the same across victims in this campaign and includes the Tox ID 3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724.
Researchers noted the current campaign is unrelated to a 2018 ransomware operation that also used the “.sorry” extension.
All cPanel and WHM users are being urged to install the available security updates immediately as attacks are only beginning and are expected to intensify in the coming days and weeks.
Sources: