
Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks

BleepingComputer · Published May 2, 2026

A newly disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks.

This week, an emergency update for WHM and cPanel was released to fix a critical authentication bypass flaw that allows attackers to access control panels. WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases.

Soon after the update was released, it was reported that the flaw was being actively exploited in the wild as a zero-day, with exploitation attempts dating back to late February. Internet security watchdog Shadowserver now reports that at least 44,000 IP addresses running cPanel have since been compromised in ongoing attacks.

Numerous sources told BleepingComputer that hackers have been exploiting the cPanel flaw since Thursday to breach servers and deploy a Go-based Linux encryptor for the "Sorry" ransomware [VirusTotal]. There have been numerous reports of websites impacted by the attacks, including on the BleepingComputer forums, where a victim shared samples of the encrypted files and the contents of the ransom note.

Since then, widespread exploitation and ransomware attacks have been spotted, with hundreds of compromised sites already indexed in Google. The Sorry ransomware encryptor is designed specifically for Linux and will append the ".sorry" extension to all encrypte...


Affected Software

2 affected components
Cpanel WHM
Cpanel Cpanel

Frequently Asked Questions

1. What is the main topic of this article?

The article discusses a critical vulnerability in cPanel identified as CVE-2026-41940 that is being exploited in ransomware attacks.

2. What security implications are discussed?

The article highlights the risk of data breaches and encryption of website data due to the exploitation of the cPanel flaw.

3. What products or software are affected?

The affected products include cPanel and WHM from cPanel.

4. What type of attacks are being carried out using this vulnerability?

The attacks being executed are associated with the 'Sorry' ransomware.

5. What action has been taken to address this vulnerability?

An emergency update has been released for WHM and cPanel to fix the critical authentication flaw.
