Critical cPanel Flaw CVE-2026-41940 Exploited in Sorry Ransomware Attacks

Critical cPanel Vulnerability Sparks Mass “Sorry” Ransomware Campaign

The web hosting industry is facing a significant security crisis as threat actors exploit a newly disclosed critical vulnerability in cPanel, one of the world’s most widely deployed web hosting control panels. The flaw, tracked as CVE-2026-41940, has become the attack vector of choice for a ransomware operation dubbed “Sorry,” which has already compromised thousands of websites globally.

For organisations relying on cPanel-managed hosting, this is an urgent call to action. A critical flaw in infrastructure software this widely deployed, combined with a ransomware campaign that is already exploiting it at scale, demands immediate attention from both technical teams and business leadership.

What Happened

Security researchers began observing mass exploitation of CVE-2026-41940 in late April 2026, with attacks escalating dramatically in the days following public disclosure of the vulnerability. The campaign, characterised by its distinctive “Sorry” ransom notes left on compromised servers, has targeted shared hosting environments, virtual private servers, and dedicated servers running vulnerable cPanel installations.

This story was originally reported by BleepingComputer. For the full original coverage, visit: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/

The threat actors behind the Sorry campaign have automated both the scanning for and the exploitation of vulnerable systems, which is what lets them compromise hosts at scale. Reports indicate that within 72 hours of the vulnerability becoming public, exploitation tools were already circulating in underground forums, sharply lowering the barrier to entry for less capable attackers.

Victims receive ransom demands that vary based on the perceived value of the compromised data, with amounts ranging from several thousand to tens of thousands of dollars in cryptocurrency. The attackers have shown particular interest in e-commerce platforms, business websites, and hosting providers managing multiple client accounts.

Technical Analysis

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel and WHM (Web Host Manager) installations. The flaw exists in the session management component and allows unauthenticated remote attackers to obtain an administrative session on the control panel.

Vulnerability Mechanics

The vulnerability stems from improper validation of session tokens during authentication. Crafted requests pass the authentication checks without valid credentials, and the resulting session is equivalent to a root login to WHM, which on a cPanel server means root on the host itself. This access enables attackers to:

  • Create new administrative accounts
  • Access all hosted websites and databases
  • Modify server configurations
  • Install backdoors for persistent access
  • Deploy ransomware payloads across all hosted domains

Attack Chain

The observed attack chain typically follows a consistent pattern. Initial access is gained through exploitation of CVE-2026-41940, followed by rapid enumeration of hosted websites and associated databases. The attackers then deploy the Sorry ransomware payload, which encrypts website files, databases, and backup archives stored on the server.

Notably, the ransomware employs a hybrid encryption scheme: files are encrypted with AES-256, and the per-victim AES keys are protected with RSA-4096, so decryption without the attacker's private key is computationally infeasible. The malware also actively seeks out and encrypts backup files, including those stored in common backup directories and any remote backup destinations whose credentials are stored on the compromised server.

Business Impact

The business implications of this vulnerability extend far beyond immediate technical concerns. For organisations hosting their web presence on cPanel-managed servers, the risks include:

Operational Disruption: Encrypted websites and databases mean complete loss of web-based operations, potentially including e-commerce capabilities, customer portals, and internal applications.

Data Loss: Without adequate offline backups, organisations face potential permanent loss of critical business data, including customer information, transaction records, and intellectual property.

Regulatory Consequences: Under Australian Privacy Act requirements and the Notifiable Data Breaches scheme, organisations experiencing ransomware attacks involving personal information may be obligated to notify affected individuals and the Office of the Australian Information Commissioner (OAIC).

Reputational Damage: Customer trust erosion following a publicly visible website compromise can have lasting effects on brand reputation and customer relationships.

Financial Impact: Beyond potential ransom payments—which security professionals strongly advise against—organisations face costs associated with incident response, system recovery, legal consultation, and potential regulatory penalties.

Actionable Recommendations

Organisations using cPanel should implement the following measures immediately:

Immediate Actions

  • Patch Immediately: Update cPanel and WHM to the patched versions named in cPanel's advisory; cPanel has released emergency security updates addressing CVE-2026-41940. On shared hosting the customer cannot patch the control panel, so confirm with the provider that the server has been updated.
  • Audit Accounts: Review root-equivalent WHM resellers, cPanel accounts, and API tokens, and remove anything unrecognised. A bypass that grants administrative access is usually followed by a new account or token for persistence.
  • Review Access Logs: Examine cPanel's authentication logs (on the server, /usr/local/cpanel/logs/login_log and /usr/local/cpanel/logs/access_log) for successful root or reseller sessions from unexpected source addresses. Failed-login counts alone will not reveal a bypass that succeeds on its first request.
  • Implement IP Restrictions: Where feasible, use WHM's Host Access Control (TCP wrappers for cpaneld and whostmgrd) or a firewall to limit access to the cPanel (port 2083) and WHM (port 2087) interfaces to known IP addresses.
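The three checks above (patch level, root-equivalent accounts, and successful administrative logins from unexpected addresses) can be run together. The script below is an added example written for this article, not cPanel's own tooling or anything from the BleepingComputer report. The file paths are the real locations on a cPanel host; the fixed version is deliberately not hard-coded and must be supplied from cPanel's advisory; the login_log line layout is approximated from cPanel's format; and the SAMPLE_* data, account names and allowlist address are constructed for the demo.

```python
"""Post-patch triage for a cPanel/WHM host: version check, root-equivalent
reseller audit, and a login_log review against an IP allowlist.

Added example, not cPanel's code. Assumptions: the fixed version string comes
from cPanel's advisory (none is hard-coded); the login_log layout is
approximated; SAMPLE_* data is constructed for this demo.
"""
import os
import re

CPANEL_VERSION_FILE = "/usr/local/cpanel/version"  # real path on cPanel hosts
RESELLERS_FILE = "/var/cpanel/resellers"           # real: "user:acl1,acl2,..."
LOGIN_LOG = "/usr/local/cpanel/logs/login_log"     # real path on cPanel hosts

# Constructed reseller file: 'all' is the ACL that makes a reseller root-equivalent.
SAMPLE_RESELLERS = """\
hostingco:all
smallshop:list-accts,create-acct,suspend-acct
"""

# Constructed lines in the approximate login_log layout:
# [timestamp] level [service] client-ip - user "request" result
SAMPLE_LOGIN_LOG = """\
[2026-04-29 03:12:44 +0000] info [whostmgrd] 203.0.113.10 - root "POST /login/ HTTP/1.1" NEW LOGON SESSION
[2026-04-29 03:13:01 +0000] info [whostmgrd] 198.51.100.77 - root "GET /login/?login_only=1 HTTP/1.1" NEW LOGON SESSION
[2026-04-29 03:13:09 +0000] info [cpaneld] 198.51.100.77 - shopuser "GET /login/ HTTP/1.1" FAILED LOGIN cpaneld: bad password
[2026-04-29 03:14:30 +0000] info [whostmgrd] 198.51.100.77 - hostingco "POST /login/ HTTP/1.1" NEW LOGON SESSION
"""


def parse_version(v: str) -> tuple[int, ...]:
    """'11.126.0.21' -> (11, 126, 0, 21); tuples compare lexicographically."""
    return tuple(int(p) for p in v.strip().split("."))


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed build is at or above the vendor's fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def root_equivalent_resellers(text: str) -> list[str]:
    """Resellers holding the 'all' ACL can do anything WHM's root user can."""
    found = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, acls = line.partition(":")
        if "all" in {a.strip() for a in acls.split(",")}:
            found.append(user)
    return found


LOGIN_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \w+ \[(?P<svc>cpaneld|whostmgrd|webmaild)\] '
    r'(?P<ip>\S+) - (?P<user>\S+) "(?P<req>[^"]*)" (?P<result>.+)$'
)


def suspicious_logins(log_text: str, allowlist: set[str], watched: set[str]) -> list[dict]:
    """Successful sessions for watched users (root and root-equivalent resellers)
    from source IPs outside the allowlist. Failed attempts are skipped: a bypass
    that works leaves a *successful* session from an unexpected address."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or "FAILED" in m["result"]:
            continue
        if m["user"] in watched and m["ip"] not in allowlist:
            hits.append(m.groupdict())
    return hits


def read_or_sample(path: str, sample: str) -> str:
    """Use the real file on a cPanel host; fall back to constructed sample data."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    return sample


if __name__ == "__main__":
    fixed = os.environ.get("CPANEL_FIXED_VERSION", "0")   # take this from the advisory
    installed = read_or_sample(CPANEL_VERSION_FILE, "11.0.0.0").strip()
    print("patched:", is_patched(installed, fixed), "installed:", installed)
    resellers = root_equivalent_resellers(read_or_sample(RESELLERS_FILE, SAMPLE_RESELLERS))
    print("root-equivalent resellers:", resellers)
    allow = set(os.environ.get("ADMIN_ALLOWLIST", "203.0.113.10").split(","))
    watched = {"root", *resellers}
    for hit in suspicious_logins(read_or_sample(LOGIN_LOG, SAMPLE_LOGIN_LOG), allow, watched):
        print(f"REVIEW: {hit['user']} via {hit['svc']} from {hit['ip']} at {hit['ts']}")
```

Run it as root on the server with `CPANEL_FIXED_VERSION` set to the build from cPanel's advisory and `ADMIN_ALLOWLIST` set to your administrators' addresses. Every line it prints with REVIEW is a successful administrative session that your allowlist does not explain; on the constructed sample it flags the root and hostingco sessions from 198.51.100.77 and ignores the failed shopuser attempt.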

Short-Term Measures

  • Enable Two-Factor Authentication: Implement 2FA for all administrative accounts as defence-in-depth. Because CVE-2026-41940 bypasses the authentication step itself, 2FA on the login flow does not mitigate this flaw; it protects against the far more common credential-based intrusions and is no substitute for the patch.
  • Backup Verification: Ensure offline or air-gapped backups exist and test restoration procedures. A remote destination whose credentials are stored on the server is within the ransomware's reach, so it does not count as offline.
  • Network Segmentation: Review network architecture to limit lateral movement potential if compromise occurs.
  • Security Monitoring: Deploy or enhance monitoring for suspicious activities, including unexpected file modifications and new account creation.
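The monitoring point above, unexpected file modifications and new account creation, reduces to one routine: take a hashed baseline of a directory, store it somewhere the server cannot reach, and diff later snapshots against it. The following is an added example written for this article, not cPanel's code. The real paths it is meant for are /var/cpanel/users, where each file is one cPanel account (so a new file there is a new account), and a site's document root under /home/<user>/public_html; the demo tree, account names and baseline file location are constructed assumptions.

```python
"""Baseline-and-diff integrity check for a cPanel host.

Added example, not cPanel's code. Real targets: /var/cpanel/users (one file per
cPanel account, so a new file is a new account) and /home/<user>/public_html
(site document root). The demo tree, account names and baseline location are
constructed assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink():          # never follow links an intruder may plant
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            snap[str(p.relative_to(root))] = h.hexdigest()
    return snap


def diff(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Added files signal new accounts or dropped webshells; modified files signal
    tampered site files or account configs; removed files may be wiped backups."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def save_baseline(snap: dict[str, str], path: str) -> None:
    """Write the baseline as JSON; keep the copy that matters off the host."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict[str, str]:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def demo() -> dict[str, list[str]]:
    """Constructed stand-in for /var/cpanel/users: baseline it, then simulate an
    intruder adding an account and editing an existing one."""
    with tempfile.TemporaryDirectory() as tmp:
        users = Path(tmp, "users")
        users.mkdir()
        (users / "shopuser").write_text("USER=shopuser\nOWNER=root\n")
        baseline_file = Path(tmp, "baseline.json")
        save_baseline(snapshot(str(users)), str(baseline_file))
        (users / "sys_backup").write_text("USER=sys_backup\nOWNER=root\n")    # new account
        (users / "shopuser").write_text("USER=shopuser\nOWNER=sys_backup\n")  # reassigned
        return diff(load_baseline(str(baseline_file)), snapshot(str(users)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
    # On a real host, from cron, with the baseline copied to storage the server
    # cannot write to:
    #   save_baseline(snapshot("/var/cpanel/users"), "/root/baseline-users.json")
    #   diff(load_baseline("/root/baseline-users.json"), snapshot("/var/cpanel/users"))
```

The baseline must live where a root-level intruder cannot rewrite it, for the same reason the article insists on offline backups: anything reachable from the compromised server can be altered or encrypted. Hashing a large document root takes time, so run it from cron at a frequency the host can afford and alert on any non-empty "added" or "modified" list that a deployment does not explain.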

Long-Term Strategies

  • Vulnerability Management Program: Establish systematic processes for tracking and rapidly responding to security advisories for all infrastructure components.
  • Incident Response Planning: Develop and regularly test incident response procedures specific to web hosting compromises.
  • Third-Party Risk Assessment: If using managed hosting providers, verify their security practices and patch management timelines.

Key Takeaways

  • CVE-2026-41940 is a critical authentication bypass in cPanel being actively exploited at scale—organisations must patch immediately without waiting for normal maintenance windows.
  • The “Sorry” ransomware campaign specifically targets web hosting environments, encrypting websites, databases, and backups simultaneously to maximise pressure on victims.
  • Shared hosting environments present amplified risk, as a single vulnerable cPanel installation may expose hundreds of websites to compromise.
  • Offline backups are essential—the ransomware actively seeks and encrypts accessible backup archives, making air-gapped or offline backups critical for recovery.
  • Australian organisations face regulatory obligations under the Notifiable Data Breaches scheme if personal information is potentially compromised during these attacks.

Conclusion

The mass exploitation of CVE-2026-41940 in the Sorry ransomware campaign serves as a stark reminder of the critical importance of timely patching and robust security practices. For organisations across Australia and globally, this incident underscores that web hosting infrastructure requires the same rigorous security attention as any other critical business system.

The window for proactive protection is closing rapidly as automated exploitation tools proliferate. Organisations that have not yet patched their cPanel installations should treat this as an emergency priority. Those uncertain about their exposure should engage with qualified cybersecurity professionals to assess their risk posture and implement appropriate protections.

At OziTechs, we continue to monitor this evolving threat and stand ready to assist organisations in assessing their vulnerability and implementing effective defences against this and other emerging threats.
