'Sorry' Ransomware Deploys en Masse via cPanel CVE-2026-41940 — 44,000 Hosts Compromised Within 48 Hours of Patch

A ransomware group tracked as 'Sorry' has leveraged the recently patched cPanel/WHM authentication bypass (CVE-2026-41940) to compromise at least 44,000 web hosting servers globally, deploying a Go-compiled Linux encryptor within 48 hours of the vulnerability's public patch release. The speed of mass exploitation underscores the extreme urgency of applying the cPanel/WHM hotfix.

Tags: #ransomware #actively-exploited #cpanel-whm #mass-exploitation #linux-ransomware #incident-response

A ransomware group operating under the name ‘Sorry’ has weaponised CVE-2026-41940 — the CVSS 9.8 cPanel/WHM authentication bypass patched on 30 April 2026 — and conducted mass exploitation at a scale that demonstrates how completely the window between patch release and weaponisation has collapsed. The Shadowserver Foundation has confirmed at least 44,000 unique IP addresses compromised, with active ransomware deployments ongoing as of 2 May.

What Happened

CVE-2026-41940 was first disclosed on 30 April as a zero-day with a public proof-of-concept already available at the time the patch dropped. Within 48 hours, the Sorry ransomware group had industrialised exploitation, scanning for unpatched cPanel/WHM instances and deploying a Go-compiled Linux encryptor that targets website files, databases, and email directories.

Victims span web hosting providers, managed service providers, and individual businesses running self-hosted cPanel installations. The ransomware terminates the cPanel and WHM services, encrypts all user home directories and the MySQL data directory, and leaves a ransom note instructing victims to contact a Tor-based payment portal. Sorry’s encryptor specifically targets common web file types (.php, .html, .js, .sql) alongside standard document and archive formats, prioritising disruption of web services over bulk data encryption.

Shadowserver began tracking mass exploitation traffic on 1 May — less than 24 hours after the patch was released — suggesting the threat actor had prepared its toolchain in advance, most likely timed to the vulnerability’s disclosure to security researchers.

Scale and Impact

The 44,000 compromised hosts identified so far represent cPanel servers that have already received the malicious payload — not merely scan targets. Web hosting environments present an attractive mass-exploitation opportunity because:

  • cPanel/WHM is estimated to be running on over 1.5 million servers globally
  • Many are operated by small web hosting providers or individuals who do not maintain rapid patch cadences
  • A single compromised cPanel server may host hundreds or thousands of individual websites, multiplying downstream impact
  • The authentication bypass requires no credentials, meaning any internet-reachable cPanel installation is vulnerable without additional authentication layers

Victim reports in incident response forums describe ransom demands ranging from $5,000 to $50,000 per installation, depending on the number of hosted accounts detected by the ransomware during encryption.

Technical Context

Sorry’s encryptor is a single Go binary compiled for Linux/amd64 and Linux/arm64, suggesting preparation for both standard x86 hosting servers and ARM-based cloud instances. Initial access is via the authentication bypass described in CVE-2026-41940: an HTTP request to a specific cPanel/WHM API endpoint can authenticate as any user, including root, without valid credentials. The attacker uses this to drop the encryptor via cPanel’s backup restore functionality or the Perl CGI environment.

The PoC code that was publicly available at the time of the patch release reduced the barrier to weaponisation significantly — threat actors did not need to independently reverse-engineer the vulnerability.

Priority Actions

cPanel patch status has become the most critical remediation priority for any organisation running self-hosted or customer-hosted cPanel/WHM:

  • Immediate: Apply the cPanel/WHM hotfix: LTS 120.0.24, Stable 122.0.16, or Current 124.0.6. cPanel’s auto-update should have applied this automatically unless disabled.
  • Verify auto-update status: Confirm whether cPanel auto-updates are enabled on all managed servers via whmapi1 get_tweaksettings key=cpanel_updates — do not assume auto-update is active.
  • Check for compromise indicators: Look for recently-created .sorry or .SORRY file extensions, unexpected cPanel API access logs, and new cron jobs added under system user accounts in the past 72 hours.
  • Assess backup integrity: If any cPanel server was unpatched during the exposure window (30 April–present), assume compromise is possible and verify backup integrity before relying on those backups for restoration.
  • Restrict management access: Place cPanel/WHM management ports (2082, 2083, 2086, 2087) behind IP allowlists or a VPN if not already done — this eliminates the internet-accessible attack surface for future authentication bypass vulnerabilities of this type.
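The checks in the list above, collected into one triage script. This is an added example written for this article, not cPanel’s, WHM’s or Shadowserver’s own tooling. It assumes the installed build can be read from /usr/local/cpanel/version (an assumed path; a leading "11." prefix is stripped before comparison), that user data lives under /home and cron files under /var/spool/cron; every path is a parameter so the functions can be exercised against constructed sample data. The firewall function only prints iptables rules for review, it does not apply them.

```shell
#!/bin/sh
# Example triage helper for the Sorry/CVE-2026-41940 priority actions.
# Not cPanel tooling; paths below are assumptions and are all overridable.

# Fixed builds named in the advisory, keyed by release tier (major version).
fixed_version_for_major() {
    case "$1" in
        120) echo "120.0.24" ;;   # LTS
        122) echo "122.0.16" ;;   # Stable
        124) echo "124.0.6" ;;    # Current
        *)   echo "" ;;           # tier not covered by the advisory
    esac
}

# Exit 0 if version $1 is at or above the fixed build for its tier, 1 if it is
# below, 2 if the tier is not one the advisory lists (treat as "check manually").
cpanel_version_is_patched() {
    installed="${1#11.}"                     # assumption: some builds print "11.x.y.z"
    fixed="$(fixed_version_for_major "${installed%%.*}")"
    [ -n "$fixed" ] || return 2
    # field-by-field numeric comparison of dotted version strings
    awk -v a="$installed" -v b="$fixed" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 1
            if (xi > yi) exit 0
        }
        exit 0
    }'
}

# Count files carrying the extensions the article associates with the encryptor.
count_sorry_extension_files() {
    find "${1:-/home}" -type f \( -name '*.sorry' -o -name '*.SORRY' \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# List cron files modified within the last N hours (default 72).
recent_cron_changes() {
    find "${1:-/var/spool/cron}" -type f -mmin "-$(( ${2:-72} * 60 ))" 2>/dev/null
}

# Print (do not apply) iptables rules restricting the cPanel/WHM management
# ports to an allowlist. $1 is a space-separated list of allowed source CIDRs.
management_port_allowlist_rules() {
    for port in 2082 2083 2086 2087; do
        for src in $1; do
            echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Run all checks on the local host and print a short report.
triage_report() {
    ver="$(head -n 1 /usr/local/cpanel/version 2>/dev/null)"   # assumed path
    if cpanel_version_is_patched "$ver"; then
        echo "patch: OK ($ver)"
    else
        echo "patch: NOT CONFIRMED ($ver) - apply the hotfix now"
    fi
    echo "encrypted-extension files under /home: $(count_sorry_extension_files /home)"
    echo "cron files changed in the last 72h:"
    recent_cron_changes /var/spool/cron 72
}
```

Source the file and call triage_report on each managed host; a "NOT CONFIRMED" line, any non-zero extension count, or an unexpected cron change should move that host into the incident-response path rather than the routine patch queue. The version check deliberately returns a distinct status for tiers the advisory does not name, so an unknown build is never silently reported as patched.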

The velocity of this campaign — from patch release to 44,000 compromised hosts in under 48 hours — is consistent with a prepared, professionalised ransomware operation that had pre-staged tooling before the public patch. Organisations with unpatched cPanel infrastructure that have not yet applied the fix should treat this as a crisis-level remediation task.
