A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in “Sorry” ransomware attacks.
This week, an emergency update for WHM and cPanel was released to fix a critical authentication bypass flaw that allows attackers to access control panels.
WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases.
Soon after its release, it was reported that the flaw was being actively exploited in the wild as a zero-day, with exploitation attempts dating back to late February.
Internet security watchdog Shadowserver now reports that at least 44,000 IP addresses running cPanel have since been compromised in ongoing attacks.
Numerous sources told BleepingComputer that hackers have been exploiting the cPanel flaw since Thursday to breach servers and deploy a Go-based Linux encryptor for the “Sorry” ransomware [VirusTotal].
There have been numerous reports of websites impacted by the attacks, including on the BleepingComputer forums, where a victim shared samples of the encrypted files and the contents of the ransom note.
Since then, widespread exploitation and ransomware attacks have been spotted, with hundreds of compromised sites already indexed in Google.
Source: BleepingComputer
The Sorry ransomware encryptor is designed specifically for Linux and will append the “.sorry” extension to all encrypted files.
Source: diozada on the BleepingComputer forums
BleepingComputer was told that the ransomware uses the ChaCha20 stream cipher to encrypt files, with the encryption key protected using an embedded RSA-2048 public key.
Ransomware expert Rivitna says the only way to decrypt these files is to obtain the corresponding private RSA-2048 key.
“Decryption is impossible without an RSA-2048 private key,” Rivitna posted to our forums.
In each folder, a ransom note named README.md is created, instructing the victim to contact the threat actor on Tox to negotiate a ransom payment.
The ransom note is the same for each victim of this ransomware campaign, including the Tox ID “3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724,” which is used to contact the threat actor.
Source: BleepingComputer
It should be noted that a 2018 ransomware campaign utilized a HiddenTear encryptor to encrypt files and append the .sorry extension. This current campaign uses a different encryptor and is unrelated.
All cPanel and WHM users are urged to immediately install the available security updates to protect their websites from ransomware attacks and data theft.
The attacks have just started, and we will likely see increased exploitation over the coming days and weeks.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
