JustAppSec

44,000 cPanel servers hit as auth bypass drives ransomware wave

Published 02 May 2026. Source: BleepingComputer

TL;DR - CVE-2026-41940 is an authentication bypass in cPanel and WHM that attackers are exploiting at scale to deploy the "Sorry" Linux ransomware. Shadowserver reports 44,000 compromised IPs. This is no longer a patch-and-move-on situation - assume active compromise if you haven't patched.

What happened

cPanel and WHM are hosting control planes - they manage web content, databases, mail, and server administration for a large share of shared hosting and small VPS deployments. They run internet-facing, they run as root or near-root, and when they fall, everything on the box is in scope.

CVE-2026-41940 is an authentication bypass in that control plane. BleepingComputer reports exploitation attempts dating back to late February, with activity accelerating after an emergency patch was released. Attackers are using it to drop a Go-based Linux encryptor called "Sorry" ransomware.

Two numbers tell the story:

  • Shadowserver tracked at least 44,000 IP addresses running cPanel as compromised in the ongoing campaign.
  • Encrypted files get the .sorry extension. A README.md ransom note is dropped alongside them.

This is the standard blast radius for a control panel compromise: not one app, not one tenant - everything on the box.

Who is impacted

  • Internet-facing servers running cPanel and WHM that have not applied the vendor's security update for CVE-2026-41940.
  • Hosting providers managing multiple customer tenants on shared hosts - one breach, many victims.
  • Any environment where cPanel is a path to:
    • website files and deploy hooks
    • database administration
    • webmail and mailbox data
    • credential material stored on the host

  Item                  Detail
  CVE                   CVE-2026-41940
  Issue class           Authentication bypass
  Exploitation status   Active - ransomware deployment confirmed
  Reported scale        Shadowserver: 44,000 compromised IPs
  Ransomware marker     .sorry file extension + README.md ransom note

What to do now

  • Apply the vendor's patch immediately using the cPanel update script:

    "Update the server ... via the cPanel update script: /scripts/upcp --force" (cPanel support advisory).

  • Treat unpatched systems as compromised - this is an incident response event, not just a patching task:
    • search for new .sorry file extensions and README.md ransom notes across hosted content
    • review cPanel and system authentication logs for suspicious sessions and unexpected access patterns
    • inventory hosted sites and databases for availability and integrity impact
  • If you cannot patch immediately, the cPanel advisory lists the following interim mitigations:
    • block inbound traffic to cPanel-related ports (2083, 2087, 2095, 2096)
    • stop cpsrvd and cpdavd
  • After remediation, rotate every credential with a plausible blast radius on the host: database passwords, service credentials, API tokens, and any private keys that were stored there.
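As an added triage helper (not from the cPanel advisory or the BleepingComputer report), the following POSIX shell script searches hosted content for the two ransomware markers named above and prints the port-block rules from the interim mitigation for an operator to review before applying. The /home default for hosted content and the iptables form of the port block are assumptions, not advisory text.

```shell
#!/bin/sh
# Added triage helper for the cPanel / "Sorry" ransomware campaign.
# Assumptions: hosted content lives under /home (cPanel default), and
# the interim port block is expressed as iptables rules.

# Count files under $1 carrying the .sorry extension used by the encryptor.
count_sorry_files() {
    find "$1" -type f -name '*.sorry' 2>/dev/null | wc -l | tr -d ' '
}

# Print directories under $1 that hold both encrypted files and a README.md.
# A README.md alone is normal in a code repo; the pairing is the signal.
list_hit_dirs() {
    find "$1" -type f -name '*.sorry' 2>/dev/null \
        | sed 's:/[^/]*$::' | sort -u \
        | while IFS= read -r d; do
            if [ -f "$d/README.md" ]; then
                printf '%s\n' "$d"
            fi
          done
}

# Emit the interim mitigation from the advisory (block inbound traffic to
# the cPanel-related ports) as iptables rules for review; nothing is applied.
emit_port_block_rules() {
    for port in 2083 2087 2095 2096; do
        printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Run the checks against a content root and print a short report.
triage() {
    root=$1
    printf 'Scanning %s for ransomware markers\n' "$root"
    printf '  .sorry files: %s\n' "$(count_sorry_files "$root")"
    printf '  directories with .sorry files and a README.md:\n'
    list_hit_dirs "$root" | sed 's/^/    /'
    printf 'Interim port block (review, then apply if you cannot patch):\n'
    emit_port_block_rules | sed 's/^/  /'
}

triage "${1:-/home}"
```

Any hit reported by the script is a reason to start incident response, not just to patch; stopping cpsrvd and cpdavd, as the advisory also lists, is left to the operator.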

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.