Multiple threat actors actively exploit cPanel vulnerability (CVE-2026-41940)

The situation around the critical cPanel authentication bypass vulnerability (CVE-2026-41940) has deteriorated significantly since our initial coverage.


Exploratory probing has evolved into multi-actor exploitation, leading to disrupted websites, ransomware and malware deployment, and targeted attacks.

“Sorry” ransomware

Attackers have taken advantage of CVE-2026-41940 to mass-exploit vulnerable internet-facing cPanel instances to breach servers, deface websites and encrypt data.

The ransomware used in some of the attacks is a Go-based Linux encryptor that encrypts files and appends the .sorry extension to them, then drops a ransom note that instructs victims to get in touch via Tox.

The scale is already substantial: internet scanner Censys has found 8,859 hosts exposing open directories where filenames end in “.sorry,” with 7,135 of those identified as running cPanel or WHM, which is strong evidence of large-scale automated exploitation.

The encrypted files being exposed in those open directories follow a consistent pattern across victims, with common web application files systematically renamed. Alongside encryption, attackers are reportedly wiping backups to prevent recovery.

In other reported attacks, the websites are defaced and the ransom note tells victims to send 0.1 BTC to a specific crypto wallet and tweet a message that will get the attackers’ attention (so they can ostensibly help with the recovery of the files).

A Reddit user whose server has been hit has shared a timeline and details of the attack, and noted that aside from files getting encrypted, their server was also used to actively attack other servers through brute-forcing attempts.

Last Thursday, Shadowserver Foundation detected over 44,000 unique cPanel-related IPs scanning, running exploits or engaging in brute force attacks against their honeypot sensors. That number has since decreased considerably, reaching 3,540 on Sunday.

The Mirai campaign

A separate, parallel campaign is deploying Mirai botnet variants after gaining access, Indian web hosting provider HostMyCode reported.

They documented the Mirai botnet variant nuclear.x86 specifically targeting vulnerable cPanel installations, with compromised servers used to create new administrative accounts, disable security logging, modify firewall rules for persistence, drop cryptocurrency miners and DDoS bot clients, and harvest credentials from other hosted accounts.

“Successful compromises often lead to attacks on customer websites. They also target email systems and database servers hosted on the same infrastructure,” the company added.

Based on scan data, Censys has confirmed this campaign is ongoing.

Detection and remediation

Since Thursday, cPanel has updated its detection script for known indicators of compromise after it produced a significant number of false positives in its initial form. Anyone who ran it at initial disclosure should run it again. The company has also released updated cPanel patch versions and updated some of their initial advice.

For administrators who want to go beyond the script, the most telling signs of compromise are in the session directory. Suspicious entries in /var/cpanel/sessions/raw/ – pre-auth session files containing user=root, hasroot=1, tfa_verified=1, or multiple pass= lines – are evidence of compromise. WHM should also be audited for unexpected user accounts, SSH keys, and cron jobs that weren’t there before, cPanel advised.
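As an added example (not code from the article, cPanel, or any vendor it cites), the following POSIX shell function applies the session-file checks described above to a directory of cPanel session files. It assumes each file consists of plain key=value lines, one per line, and defaults to the directory the article names; pass another path to scan a copy taken for forensic review.

```shell
#!/bin/sh
# Added example, not from cPanel or the article: flag session files that carry
# the indicators the article lists (user=root, hasroot=1, tfa_verified=1, or
# more than one pass= line). Assumes one key=value pair per line.
#
# Usage: scan_cpanel_sessions [dir]   (dir defaults to /var/cpanel/sessions/raw)
# Prints "<file>: <indicator>[,<indicator>...]" for each suspicious file.
# Returns 0 when nothing suspicious was found, 1 otherwise.
scan_cpanel_sessions() {
    dir="${1:-/var/cpanel/sessions/raw}"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        hits=""
        # Exact-line matches (-x) so that e.g. user=rootless does not count.
        grep -qx 'user=root' "$f"      && hits="$hits,user=root"
        grep -qx 'hasroot=1' "$f"      && hits="$hits,hasroot=1"
        grep -qx 'tfa_verified=1' "$f" && hits="$hits,tfa_verified=1"
        # Several pass= lines in one pre-auth session is the fourth indicator.
        # grep -c exits 1 on a zero count, so keep set -e callers happy.
        npass=$(grep -c '^pass=' "$f" || true)
        [ "$npass" -gt 1 ] && hits="$hits,multiple-pass($npass)"
        if [ -n "$hits" ]; then
            printf '%s: %s\n' "$f" "${hits#,}"
            found=1
        fi
    done
    return $found
}
```

A non-zero exit makes the function easy to chain into a cron job or a fleet-wide check; any hit should be treated as a reason to move on to the account, SSH key and cron audit the article describes.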

If those checks come back clean, the next question is whether the patch actually took. Administrators can verify this by running /usr/local/cpanel/cpanel -V and confirming the build version reflects the patched release; if using a hosting provider, you should verify patch status with them directly.

For those who do find indicators of compromise, Linux server management provider Nocinit has explained which steps victims can take “to evict the most common persistence and re-entry paths used after a CVE-2026-41940 compromise: stolen credentials, planted SSH keys, hidden cron jobs, leftover API tokens, sudoers backdoors, and an unfiltered control-plane port.”

Still, they noted, if indicators of compromise are present, rebuilding from clean backups is the safest path.

Nation-state targeting

This advice might be enough for users hit by the campaigns mentioned above, but other attacks are under way that will require more in-depth investigation.

Ctrl-Alt-Intel threat researchers have, for example, identified a distinct campaign leveraging CVE-2026-41940 for cyber espionage purposes.

“On 2nd May 2026, Ctrl-Alt-Intel identified an exposed attacker staging server that provided direct visibility into one such operation. From this infrastructure, we observed an unknown threat actor interactively targeting government and military entities in South-East Asia, alongside a smaller set of MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States,” they said.

“The actor relied heavily on public proof-of-concept code for CVE-2026-41940. Exposed threat actor data also detailed a separate custom exploit chain for an Indonesian defence-sector training portal, alongside evidence of earlier exfiltration of Chinese railway-sector data.”

Ctrl-Alt-Intel stopped short of firm attribution, but noted that the combination of victimology, post-compromise pivoting, and the nature of the exfiltrated data makes this activity more significant than routine opportunism. The researchers have shared indicators of compromise related to this campaign.
