Published May 4, 2026 · Updated May 17, 2026 · 3 sources

Mass Exploitation of Critical cPanel Vulnerability Triggers Global Security Alert

A critical authentication-bypass vulnerability in cPanel and WHM is being actively exploited by multiple threat actors to deploy ransomware, botnets, and espionage tools across tens of thousands of compromised servers.

A critical authentication-bypass vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is currently being exploited by multiple threat actors to compromise tens of thousands of servers globally. The vulnerability, which affects all cPanel versions after 11.40, allows unauthenticated attackers to gain administrative control over host systems, enabling them to manipulate configurations, databases, and hosted websites (SecurityWeek).

The technical mechanism behind the exploit involves the use of special characters within authorization headers. Attackers leverage these to write malicious parameters directly into a session file. By subsequently triggering a reload of that session file, the attacker can authenticate as an administrator using the injected credentials (SecurityWeek). This flaw was likely utilized as a zero-day as early as late February, with exploitation activity surging following public disclosure and the release of technical proof-of-concept details (SecurityWeek).

The impact of this campaign is widespread. The Shadowserver Foundation reported that at least 44,000 unique IP addresses were observed scanning or attacking their honeypot sensors during the peak of the activity (SecurityWeek, The Hacker News). While the number of active scanning IPs has since declined, the scale of successful compromises remains significant. Censys has identified over 7,000 cPanel or WHM hosts showing signs of mass exploitation, including the presence of open directories containing encrypted files (Help Net Security).

Multiple distinct campaigns have emerged from this vulnerability. One group is deploying a Go-based Linux ransomware strain known as "Sorry," which encrypts files, appends a ".sorry" extension, and wipes backups to prevent recovery (Help Net Security). Another campaign involves the deployment of Mirai botnet variants, such as "nuclear.x86," which are used to create unauthorized administrative accounts, disable security logging, modify firewall rules for persistence, and deploy cryptocurrency miners (Help Net Security). Additionally, a separate threat actor has been observed targeting government and military entities in Southeast Asia, using the AdaptixC2 framework to maintain persistent access and exfiltrate sensitive documents (The Hacker News).

In response to the widespread threat, cPanel has released security updates and an updated detection script to help administrators identify indicators of compromise (IoCs) (Help Net Security). Administrators are advised to audit /var/cpanel/sessions/raw/ for suspicious session files containing user=root or hasroot=1 flags, and to verify their build version by running /usr/local/cpanel/cpanel -V (Help Net Security). CISA has officially added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the necessary patches (SecurityWeek).
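As an added illustration of the session audit step above (example code, not cPanel's own detection script), a POSIX shell helper that flags raw session files carrying the user=root or hasroot=1 markers. It assumes session files are plain text with key=value tokens, one session per file, under the directory named above.

```shell
#!/bin/sh
# Added example, not cPanel's detection script. Assumption: each file under
# the raw session directory is plain text containing key=value tokens such as
# "user=root" or "hasroot=1", as described in the reporting.

SESSION_DIR="${SESSION_DIR:-/var/cpanel/sessions/raw}"

# Print the root-privilege markers found in one session file, comma-joined
# and de-duplicated (empty output when the file is clean). Whole-token
# matching (-w) keeps "user=rootless" or "hasroot=10" from triggering.
scan_session_file() {
    grep -woE 'user=root|hasroot=1' "$1" 2>/dev/null \
        | sort -u | tr '\n' ',' | sed 's/,$//'
}

# Walk a session directory and print one tab-separated line per suspicious
# file: path, modification time (useful for timeline triage), markers found.
# Returns 0 when nothing was flagged, 1 when at least one file matched,
# 2 when the directory does not exist.
audit_cpanel_sessions() {
    dir="${1:-$SESSION_DIR}"
    found=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        hits=$(scan_session_file "$f")
        if [ -n "$hits" ]; then
            found=$((found + 1))
            # GNU stat first, BSD stat as fallback.
            mtime=$(stat -c %y "$f" 2>/dev/null || stat -f %Sm "$f" 2>/dev/null)
            printf '%s\t%s\t%s\n' "$f" "$mtime" "$hits"
        fi
    done
    [ "$found" -eq 0 ]
}

# Number of flagged session files, for scripting or a monitoring check.
count_suspicious_sessions() {
    audit_cpanel_sessions "$1" | wc -l | tr -d ' '
}

# Run against the directory given on the command line when invoked directly.
if [ "$#" -gt 0 ]; then
    audit_cpanel_sessions "$1"
fi
```

A flagged file is an indicator to investigate, not proof on its own; compare it against the build version check and the vendor's own detection script before drawing conclusions.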

This incident highlights the rapid weaponization of vulnerabilities in widely used infrastructure management software. The transition from initial discovery to mass-scale exploitation by diverse actors—ranging from ransomware operators to state-aligned groups—underscores the critical importance of timely patching for internet-facing administrative interfaces. Organizations are urged to prioritize these updates and perform thorough environment audits to ensure no persistent backdoors remain.

Synthesized by Vypr AI