A newly disclosed cPanel security flaw is now being mass-exploited by hackers to breach websites and encrypt data in “Sorry” ransomware attacks.
The flaw, tracked as CVE-2026-41940, is a critical authentication bypass vulnerability affecting WHM and cPanel. This week, an emergency update was released to patch the issue, which could allow attackers to gain access to control panels without proper authentication.
WHM and cPanel are widely used Linux-based web hosting control panels. WHM gives server-level control to hosting providers and administrators, while cPanel gives access to website management tools, webmail, databases, and other backend features.
Soon after the emergency update was released, reports confirmed that the flaw was already being exploited in the wild as a zero-day. Some exploitation attempts reportedly date back to late February.
Internet security watchdog Shadowserver says at least 44,000 IP addresses running cPanel have already been compromised in the ongoing attacks. This shows how quickly the vulnerability is being abused by attackers.
According to BleepingComputer, hackers have been exploiting the cPanel flaw since Thursday to break into servers and deploy a Go-based Linux encryptor linked to the “Sorry” ransomware campaign.
Several website owners have already reported being affected. Some victims shared samples of encrypted files and ransom notes on the BleepingComputer forums. Google has also indexed hundreds of websites that appear to have been hit by the ransomware attacks.
The Sorry ransomware encryptor is built specifically for Linux systems. Once it encrypts a file, it adds the “.sorry” extension to the filename.
Researchers say the ransomware uses the ChaCha20 stream cipher to encrypt files. The encryption key is then protected with an embedded RSA-2048 public key, making recovery extremely difficult without the attacker’s private key.
Ransomware expert Rivitna said decryption is impossible without the RSA-2048 private key. This means victims who do not have clean backups may have very limited recovery options.
The ransomware also creates a README.md ransom note in every folder. The note tells victims to contact the attackers through Tox to negotiate a ransom payment.
This new campaign is not related to an older 2018 ransomware that also used the “.sorry” extension. The current attacks use a different encryptor and are part of a separate campaign.
All WHM and cPanel users should install the latest security updates immediately. Website owners and hosting providers should also check their servers for suspicious activity, review backups, and make sure access controls are properly secured.
The attacks appear to be in their early stages, and exploitation may increase in the coming days and weeks.
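The on-disk indicators reported above (the “.sorry” extension and a README.md note in each folder) can be checked with a short triage scan. This is an added example, not code from the article or from cPanel; the `/home` default root, the function names and the verdict labels are assumptions.

```python
"""Triage scan for the on-disk indicators the article describes (added example)."""
import os
import sys
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".sorry"  # extension the article says the encryptor appends
NOTE_NAME = "README.md"      # ransom note name the article says is dropped per folder


@dataclass
class DirFinding:
    path: str
    encrypted: list = field(default_factory=list)
    has_note: bool = False

    @property
    def verdict(self):
        # README.md is common in legitimate web apps, so it only corroborates
        # a directory that already contains *.sorry files.
        return "likely-encrypted" if self.has_note else "review"


def scan_tree(root):
    """Return (findings, unreadable_dirs) for every directory holding *.sorry files."""
    findings, unreadable = [], []
    # Symlinks are not followed, so a link cannot pull the scan out of the tree.
    walker = os.walk(root, followlinks=False,
                     onerror=lambda e: unreadable.append(e.filename))
    for dirpath, _dirs, files in walker:
        hits = sorted(f for f in files
                      if f.endswith(ENCRYPTED_SUFFIX) and len(f) > len(ENCRYPTED_SUFFIX))
        if hits:
            findings.append(DirFinding(dirpath, hits, NOTE_NAME in files))
    findings.sort(key=lambda d: d.path)
    return findings, unreadable


def summarize(findings):
    """Map each verdict to (directories, files) for a one-line triage summary."""
    out = {"likely-encrypted": [0, 0], "review": [0, 0]}
    for f in findings:
        out[f.verdict][0] += 1
        out[f.verdict][1] += len(f.encrypted)
    return {k: tuple(v) for k, v in out.items()}


if __name__ == "__main__":
    # Assumption: account data lives under /home; pass another root as argv[1].
    found, skipped = scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/home")
    for d in found:
        print(f"{d.verdict}\t{len(d.encrypted)}\t{d.path}")
    print(summarize(found), f"unreadable={len(skipped)}", file=sys.stderr)
```

A clean result only means these two file-level indicators are absent; it says nothing about whether the control panel itself was accessed.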





