Critical cPanel Authentication Flaw Exploited in Mass "Sorry" Ransomware Campaign
A critical authentication bypass vulnerability in cPanel and WHM is being actively exploited to deploy the "Sorry" ransomware, impacting at least 44,000 servers.

A critical authentication bypass vulnerability in cPanel and WHM, tracked as CVE-2026-41940, is currently being exploited in the wild to facilitate mass ransomware attacks. The flaw, which affects WebPros cPanel & WHM and WP2 (WordPress Squared), allows unauthorized actors to bypass authentication mechanisms and gain control over hosting environments (CISA).
The vulnerability is classified as a "Missing Authentication for Critical Function" flaw (CISA). By exploiting this weakness, attackers can gain administrative access to the server-level management provided by WHM or the website-level management provided by cPanel, including access to databases and webmail (BleepingComputer). Once access is established, threat actors are deploying a Go-based Linux encryptor identified as the "Sorry" ransomware (BleepingComputer).
The "Sorry" ransomware utilizes the ChaCha20 stream cipher to encrypt files, appending the ".sorry" extension to compromised data. The encryption keys are protected by an embedded RSA-2048 public key, making decryption impossible without the corresponding private key (BleepingComputer). Victims are presented with a README.md ransom note containing instructions to contact the threat actor via Tox to negotiate payment (BleepingComputer).
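A filesystem triage example for the indicators described above, added here and not taken from the cited reports: it walks a directory tree, reports each directory holding files with the ".sorry" extension, and checks for a README.md beside them. The function names, the constructed sample tree, and the assumption that the note contains the word "Tox" in plain text are hypothetical.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".sorry"   # extension named in the article
NOTE_NAME = "README.md"       # ransom note file name named in the article


def triage(root):
    """Walk root and summarise every directory that holds *.sorry files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        hits = sorted(f for f in filenames if f.endswith(ENCRYPTED_SUFFIX))
        if not hits:
            continue  # README.md alone is too common on web hosts to flag
        note = Path(dirpath) / NOTE_NAME
        # Assumption: the note names Tox in plain text; its wording is not on the page.
        mentions_tox = note.is_file() and "tox" in note.read_text(errors="replace").lower()
        # Count originals that still exist beside a .sorry copy (recovery candidates).
        originals = sum(1 for h in hits if h[:-len(ENCRYPTED_SUFFIX)] in filenames)
        findings.append({
            "dir": dirpath, "encrypted": len(hits), "total": len(filenames),
            "note_present": note.is_file(), "note_mentions_tox": mentions_tox,
            "originals_left": originals,
        })
    return findings


def build_sample_tree(base):
    """Constructed sample data: one affected account directory, one clean one."""
    hit = Path(base) / "home" / "acct1" / "public_html"
    clean = Path(base) / "home" / "acct2" / "public_html"
    hit.mkdir(parents=True)
    clean.mkdir(parents=True)
    for name in ("index.php.sorry", "wp-config.php.sorry", "logo.png"):
        (hit / name).write_bytes(b"\x00" * 16)
    (hit / NOTE_NAME).write_text("Contact us via Tox: <placeholder id>\n")
    (clean / "index.php").write_text("<?php echo 'ok';\n")
    (clean / NOTE_NAME).write_text("# My site\n")
    return str(base)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in triage(build_sample_tree(tmp)):
            print(row)
```

Run it read-only against a mounted snapshot or backup copy of the account directories so that file timestamps on the affected host are preserved for later forensics.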
The scale of the campaign is significant, with the internet security watchdog Shadowserver reporting that at least 44,000 IP addresses running cPanel have been compromised (BleepingComputer). Exploitation attempts have been traced back to late February, and the number of impacted websites continues to grow, with hundreds of compromised sites already appearing in search engine indexes (BleepingComputer).
In response to the active exploitation, an emergency update for WHM and cPanel has been released to patch the vulnerability (BleepingComputer). CISA has officially added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) Catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies remediate the flaw by a specified deadline (CISA). CISA has also strongly urged all organizations to prioritize patching to mitigate the risk of data theft and ransomware (CISA).
This incident highlights the ongoing risk posed by vulnerabilities in widely used web hosting infrastructure. While a 2018 ransomware campaign also used the ".sorry" extension, security researchers have confirmed that the current campaign utilizes a different, unrelated encryptor (BleepingComputer). As exploitation continues, administrators are advised to apply the latest security updates immediately to protect their environments from further compromise (BleepingComputer).