Overview
A critical vulnerability in cPanel and WHM (Web Host Manager), tracked as CVE-2026-41940, is being actively mass-exploited in a ransomware campaign security researchers have dubbed "Sorry" ransomware. The flaw allows threat actors to gain unauthorized access to web hosting control panels, encrypt site data, and extort victims.
cPanel is one of the most widely deployed web hosting control panel platforms globally, used by millions of shared and managed hosting environments. The scope of potential exposure is significant — security teams and hosting providers are urged to patch immediately.
What Is CVE-2026-41940?
CVE-2026-41940 is a missing authentication flaw in cPanel/WHM's WebPros-maintained authentication stack. The vulnerability, present in the cPanel::WHM and wp2 (WordPress Squared) components, allows attackers to bypass authentication under certain conditions to gain access to the hosting panel without valid credentials.
The flaw was disclosed publicly by researchers who noted it was already included in CISA's Known Exploited Vulnerabilities (KEV) catalog, with active exploitation confirmed in the wild. The CVE carries a critical severity rating and affects a broad range of cPanel/WHM versions.
"Sorry" Ransomware Campaign
The ransomware campaign exploiting this flaw has been named for the distinctive ransom note it leaves on affected systems, which opens with the phrase "We are sorry..." before detailing payment instructions.
Attack Chain
- Initial Access: Attackers scan for internet-facing cPanel/WHM instances vulnerable to CVE-2026-41940, using automated scanning tools to identify targets at scale
- Authentication Bypass: The vulnerability is exploited to gain panel access without credentials
- Credential Harvesting: Attackers extract stored hosting credentials, FTP passwords, database credentials, and email account passwords from the panel
- Data Exfiltration: Sensitive files, databases, and backups are exfiltrated before encryption
- Encryption: Files across hosted accounts are encrypted using a custom ransomware payload
- Ransom Demand: Victims receive a "Sorry" ransom note demanding cryptocurrency payment for decryption keys
Scale of Exploitation
Security researchers report mass exploitation — opportunistic, automated scanning campaigns rather than targeted attacks. Any exposed cPanel instance running a vulnerable version is at risk, regardless of the size or nature of the hosted organization.
Who Is Affected?
- Web hosting providers running cPanel/WHM for customer management
- Shared hosting customers whose sites are hosted on vulnerable panels
- Small businesses using cPanel-managed hosting for their websites
- Reseller hosting accounts under compromised WHM parent accounts
- WordPress site owners on vulnerable cPanel hosts (via the wp2 component)
The horizontal nature of web hosting means a single compromised WHM instance can expose hundreds or thousands of customer websites simultaneously.
Immediate Actions
For Hosting Providers
# Check your cPanel/WHM version
/usr/local/cpanel/cpanel -V
# Apply the latest cPanel/WHM update immediately
/scripts/upcp --force
# Verify update completed
/usr/local/cpanel/cpanel -VFor Site Owners
If you suspect your hosting provider's cPanel installation may be vulnerable:
- Contact your hosting provider to confirm they have patched CVE-2026-41940
- Create immediate backups of your website files and database to an off-site location
- Change all credentials: cPanel password, FTP passwords, database passwords, email passwords
- Monitor your site for unauthorized modifications or defacement
- Check file integrity: compare current files against known-good backups
Temporary Mitigation (If Immediate Patching Is Not Possible)
- Restrict cPanel/WHM access to specific IP addresses via firewall rules
- Disable internet-facing access to WHM (port 2087) where not required
- Enable two-factor authentication on all cPanel and WHM accounts
- Monitor cPanel access logs for unusual login activity
Detection
Look for these indicators in cPanel/WHM logs:
| Log Location | What to Look For |
|---|---|
/usr/local/cpanel/logs/access_log | Unusual authentication requests, failed auth followed by success |
/usr/local/cpanel/logs/error_log | Authentication bypass exploit signatures |
/var/cpanel/accounting.log | Unexpected account modifications or mass file changes |
| WHM file manager activity | Mass file encryption events (files with changed extensions) |
| Outbound network connections | Data exfiltration to external IPs |
Industry Context
This incident follows a pattern of ransomware groups increasingly targeting web hosting infrastructure rather than individual organizations. A single successful compromise of a hosting provider's WHM instance can yield hundreds of ransom opportunities simultaneously, making it an attractive target for financially motivated actors.
The exploitation of CVE-2026-41940 also highlights the ongoing challenge of securing widely deployed, internet-facing management panels. cPanel/WHM instances are frequently scanned by threat actors due to their prevalence and the high value of the data and access they control.
Patch Information
WebPros (cPanel's parent company) has released patches for CVE-2026-41940. Hosting administrators should apply updates immediately via:
- Automatic updates: cPanel/WHM supports automatic nightly updates — ensure this is enabled
- Manual update: Run
/scripts/upcp --forceto force an immediate update - Managed hosting: Contact your server management provider to confirm patching status