
Critical cPanel Flaw Mass-Exploited in Sorry Ransomware

Critical cPanel authentication bypass flaw CVE-2026-41940 is mass-exploited in Sorry ransomware attacks, compromising thousands of servers worldwide.


Critical cPanel authentication bypass flaw is being abused in Sorry ransomware attacks


A new cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to break into web hosting servers and encrypt their data in "Sorry" ransomware attacks. The issue is an authentication bypass that affects both WHM and cPanel, and an emergency update was released this week to close it.

WHM and cPanel are Linux-based web hosting control panels used for server and website management. WHM is the server administrator's layer, used to manage the host and its hosting accounts, while cPanel gives each account owner access to their site's files, webmail, and databases, so a bypass in either layer can expose the systems that host entire sites.

Attackers had reportedly been probing the flaw as a zero-day since late February, and exploitation scaled up soon after public disclosure. Shadowserver later reported that at least 44,000 IP addresses running cPanel had been compromised in the ongoing attacks, showing how quickly the issue moved from disclosure to active abuse.

Numerous sources told BleepingComputer that hackers have been exploiting the cPanel flaw since Thursday to breach servers and deploy a Go-based Linux encryptor for the "Sorry" ransomware. Widespread exploitation followed, and hundreds of compromised sites had already been indexed by Google.

Attackers use the bypass to reach cPanel control panels and deploy a Linux encryptor

The flaw matters because it removes the normal authentication barrier protecting hosting administration. Once attackers can enter the control panel, they can reach the site backend and associated services without needing valid credentials, which gives them a direct route to deploy ransomware and tamper with hosted data. Patching closes that route for new intrusions but does nothing about access an attacker already gained, so servers updated after Thursday still need to be checked for compromise.

The Sorry ransomware encryptor is built for Linux and appends the .sorry extension to encrypted files. BleepingComputer was told that it uses the ChaCha20 stream cipher for file encryption, with the ChaCha20 key protected by an embedded RSA-2048 public key, so only the holder of the matching private key can unwrap it. Ransomware expert Rivitna said that private key is the only path to decryption.

“Decryption is impossible without an RSA-2048 private key,” Rivitna posted to our forums.

Each folder also receives a ransom note named README.md telling victims to contact the threat actor on Tox to negotiate payment. The note is the same across victims in this campaign and includes the Tox ID "3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724", which is used to reach the attacker. Because README.md is also a common legitimate file name in hosted projects, the note is best identified by its content, such as that Tox ID, rather than by name alone.

The campaign is not related to an older 2018 ransomware operation that also used the .sorry extension. That earlier attack relied on a HiddenTear encryptor, while the current one uses a different Linux encryptor and a different code base.

Compromised hosting sites are already appearing in search results

The immediate impact extends beyond file encryption on one server. Once a hosted site is compromised, the attack can affect customer-facing pages, webmail access, and stored databases, while search indexing of infected sites can widen the public footprint of the incident.

All cPanel and WHM users were urged to install the available security updates immediately to protect their websites from ransomware attacks and data theft. The attacks have only just started, and further exploitation is expected over the coming days and weeks while exposed systems remain unpatched.

Possible steps

Install the emergency WHM and cPanel security updates immediately.
Review exposed servers for unauthorized control panel access.
Check hosted files for the .sorry extension.
Look for ransom notes named README.md in affected folders, matching on the note's content (the Tox ID above) rather than the file name alone, since legitimate README.md files are common.
Inspect sites for signs of recent search indexing or unauthorized changes.
Confirm whether any cPanel IP addresses remain publicly reachable without updates.
Preserve affected systems for incident review before making major changes, and keep in mind that patching alone does not evict an attacker who already had access.
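The file checks in the steps above, as an added triage script that is not part of the original article and not cPanel's or the attacker's code. It walks a hosting account's directory tree read-only, collects files renamed with the .sorry extension, and flags README.md files only when their content carries the campaign's Tox ID, so ordinary project READMEs are not reported. The sample account tree it scans is constructed inline for demonstration; the directory names and file contents are assumptions, and the Tox ID is the one quoted in the article.

```python
"""Triage helper: find Sorry ransomware artifacts under a hosting account.

Added example for this article; not cPanel's or the ransomware's own code.
Indicators come from the article: files ending in ".sorry" and ransom notes
named README.md that contain the campaign Tox ID. README.md is a common
legitimate file name, so a note is only flagged on content. The scan is
read-only; run it against a preserved copy or mounted image where possible.
"""
import os
import tempfile
from pathlib import Path

# Tox ID quoted in the article's description of the ransom note.
SORRY_TOX_ID = "3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724"
SORRY_EXT = ".sorry"
NOTE_NAME = "README.md"


def is_sorry_note(path: Path) -> bool:
    """True only for a README.md whose content carries the Tox ID."""
    if path.name != NOTE_NAME:
        return False
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return SORRY_TOX_ID in text


def scan_tree(root) -> dict:
    """Walk root and collect encrypted files, ransom notes and the
    directories holding at least one of either. Paths are root-relative."""
    root = Path(root)
    encrypted, notes, dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name.endswith(SORRY_EXT):
                encrypted.append(p)
                dirs.add(Path(dirpath))
            elif is_sorry_note(p):
                notes.append(p)
                dirs.add(Path(dirpath))
    rel = lambda p: p.relative_to(root).as_posix()
    return {
        "encrypted": sorted(rel(p) for p in encrypted),
        "notes": sorted(rel(p) for p in notes),
        "affected_dirs": sorted(rel(d) for d in dirs),
        "hit": bool(encrypted or notes),
    }


def build_sample_tree() -> str:
    """Create a constructed (not real) account tree mimicking a hit site."""
    root = Path(tempfile.mkdtemp(prefix="sorry-triage-"))
    note = "Your files are encrypted. Contact us on Tox: " + SORRY_TOX_ID + "\n"
    files = {
        # Constructed indicators in the web root and an uploads folder.
        "public_html/index.php.sorry": "not-really-ciphertext",
        "public_html/README.md": note,
        "public_html/wp-content/uploads/photo.jpg.sorry": "not-really-ciphertext",
        "public_html/wp-content/uploads/README.md": note,
        # Constructed benign files: a normal README and an untouched mailbox.
        "docs/README.md": "# My project\nBuild with make.\n",
        "mail/inbox.txt": "From: friend@example.com\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_tree(sample)
    print("hit:", result["hit"])
    for key in ("encrypted", "notes", "affected_dirs"):
        print(key + ":")
        for item in result[key]:
            print("  " + item)
```

On a live cPanel host the quick equivalent of the first check is a `find` over the account home directories for names ending in `.sorry`; the script adds the content match on README.md so that a project's own README is not mistaken for a ransom note. Record the output with the preserved system rather than deleting or renaming anything it reports.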

Source: BleepingComputer

Written by Vera Simmons, Ransomware & Recovery Specialist

Vera Simmons specializes in ransomware incidents, helping victims identify the strain, locate available decryptors, and recover files where possible. She also covers preventive backup strategies to minimize damage from future attacks.
