A critical vulnerability in cPanel, identified as CVE-2026-41940, is currently being exploited by cybercriminals to infiltrate websites and carry out ransomware attacks using the “Sorry” ransomware.
An emergency patch has been released this week for WHM and cPanel to address a severe authentication bypass flaw that enables unauthorized access to control panels.
WHM and cPanel are popular Linux-based web hosting control panels used for managing servers and websites. While WHM focuses on server-level control, cPanel offers administrators access to the backend of websites, webmail services, and databases.
Reports indicate that the vulnerability was actively exploited as a zero-day shortly after its discovery, with cyber attackers targeting systems running cPanel since late February.
Security experts from Shadowserver have confirmed that over 44,000 IP addresses running cPanel have been compromised in ongoing attacks.
According to multiple sources, hackers have been leveraging the cPanel flaw to breach servers and deploy the “Sorry” ransomware since Thursday. This ransomware encrypts files on Linux-based systems and appends the “.sorry” extension to them.
Several websites have already fallen victim to these attacks, with encrypted files and ransom notes shared by affected individuals on various platforms, including the BleepingComputer forums.
Google has indexed hundreds of compromised sites affected by these ransomware attacks, indicating the widespread nature of the exploitation.
[Image: Google listing of websites hit in Sorry ransomware attacks. Source: BleepingComputer]
The Sorry ransomware utilizes the ChaCha20 stream cipher for file encryption, with the encryption key safeguarded by an embedded RSA-2048 public key. Decrypting the files without the corresponding private RSA-2048 key is deemed impossible by ransomware expert Rivitna.
Each folder containing encrypted files includes a ransom note named README.md, instructing victims to contact the threat actor via Tox to negotiate a ransom payment.
The ransom note, which remains consistent across all victims, includes the Tox ID “3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724” for contacting the threat actor.
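For incident responders triaging a cPanel host, the indicators the article describes (files renamed with the ".sorry" extension and a README.md ransom note carrying the Tox ID) can be checked with a short filesystem scan. The script below is an added example, not code from the article or from BleepingComputer; the directory tree it scans is constructed in-line for demonstration.

```python
# Added triage example (not from the article): walk a directory tree and flag
# folders showing the Sorry ransomware indicators described above: files
# ending in ".sorry" and a README.md ransom note containing the Tox ID.
# The sample tree built by build_sample_tree() is constructed for the demo.
import os
import tempfile
from pathlib import Path

# Tox ID quoted from the article's ransom note; used as a content indicator.
SORRY_TOX_ID = "3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724"
ENCRYPTED_EXT = ".sorry"
NOTE_NAME = "README.md"


def scan_for_sorry(root):
    """Return {folder: {"encrypted": n, "ransom_note": bool}} for every
    folder under root that shows at least one Sorry indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sum(1 for f in files if f.endswith(ENCRYPTED_EXT))
        note = False
        if NOTE_NAME in files:
            try:
                text = Path(dirpath, NOTE_NAME).read_text(errors="ignore")
                note = SORRY_TOX_ID in text  # ordinary READMEs stay False
            except OSError:
                pass  # unreadable note: leave it unconfirmed
        if encrypted or note:
            rel = os.path.relpath(dirpath, root)
            findings[rel] = {"encrypted": encrypted, "ransom_note": note}
    return findings


def build_sample_tree():
    """Constructed sample: one hit folder and one clean folder whose
    README.md is a normal project file, not a ransom note."""
    root = tempfile.mkdtemp()
    hit = Path(root, "public_html")
    hit.mkdir()
    (hit / "index.php.sorry").write_bytes(b"\x00" * 16)
    (hit / "config.php.sorry").write_bytes(b"\x00" * 16)
    (hit / NOTE_NAME).write_text("Your files are encrypted. Tox: " + SORRY_TOX_ID)
    clean = Path(root, "docs")
    clean.mkdir()
    (clean / NOTE_NAME).write_text("# Project docs\nNothing unusual here.\n")
    return root


if __name__ == "__main__":
    for folder, info in scan_for_sorry(build_sample_tree()).items():
        print(folder, info)
```

Run it against a web root (for example the home directories cPanel manages) instead of the sample tree to list affected folders and confirm whether the note matches this campaign's Tox ID.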
It’s important for all cPanel and WHM users to promptly install the available security updates to safeguard their websites against ransomware attacks and data breaches. With the attacks ongoing, it’s crucial to stay vigilant in the coming days and weeks.