
Sorry Ransomware Exploits Critical cPanel Vulnerability


A critical cPanel security vulnerability is being mass-exploited by ransomware operators, and tens of thousands of web servers are already compromised. Tracked as CVE-2026-41940, the flaw carries a CVSS severity score of 9.8 out of 10. It lets an unauthenticated attacker bypass the login entirely and take full control of a server without ever supplying a valid password. An emergency patch is now available, but exploitation began more than two months before the fix existed.

What Is cPanel and Why Does This Matter?

cPanel and its companion tool WHM (WebHost Manager) are among the most widely deployed web hosting control panels in the world. cPanel gives website owners a web interface for managing their files, databases, email and other site resources. WHM gives hosting providers and administrators control at the server level. Together, they sit at the heart of millions of shared hosting environments.

That reach is exactly what makes this cPanel security vulnerability so damaging. An attacker who gets in through cPanel does not compromise just one website. On a shared server, where WHM holds server-level control, they can potentially reach every site hosted on that machine. The blast radius is enormous.

How the Flaw Works

At its core, the vulnerability is a CRLF injection, short for Carriage Return Line Feed injection. In this class of flaw an attacker embeds the control characters that mark the end of a line (carriage return, \r, and line feed, \n) in input that the application later writes into a line-oriented file or stream. Everything after the injected line break is then read back as a separate line or field instead of as part of the original value. Here the problem sits in cPanel's login and session handling.

When a user tries to log in, cPanel takes input from the Authorization header and writes it into a server-side session file. It does this before authentication is complete and without rejecting control characters in that input. An attacker can therefore send a header containing CRLF sequences followed by session fields of their own choosing; those lines land in the session file alongside the legitimate ones, and the attacker ends up logged in without ever providing a real password.

Security researchers confirmed the flaw enables full authentication bypass. Once inside, an attacker holds the same level of access as a legitimate administrator. That means they can modify configurations, access customer data, install software, and deploy malicious code across the entire server.
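The pattern described above, reduced to a toy login handler, as an added example for this article (this is not cPanel's code; the key=value session-file layout, the field names and the credential store are assumptions made for illustration). The vulnerable handler persists the raw Authorization header before checking the password, so an embedded CRLF sequence adds lines that the session parser later trusts; the hardened handler validates the header's shape first and never writes attacker-controlled text.

```python
import base64
import binascii
import hmac
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed credential store for this toy handler; not cPanel's.
VALID_USERS = {"alice": "correct horse battery staple"}

# Assumed shape of a well-formed Basic credential: scheme, one space, Base64.
# CR and LF are not in this alphabet, so anything that could start a new
# line in the session file fails the check before it is ever persisted.
BASIC_CREDENTIAL = re.compile(r"Basic [A-Za-z0-9+/]+={0,2}")


def parse_session(path: Path) -> Dict[str, str]:
    """Read a key=value-per-line session file; a repeated key keeps its last value."""
    session: Dict[str, str] = {}
    for line in path.read_text().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


def check_credential(auth_header: str) -> Optional[str]:
    """Return the username if the Basic credential verifies, otherwise None."""
    if not BASIC_CREDENTIAL.fullmatch(auth_header):
        return None
    try:
        decoded = base64.b64decode(auth_header[len("Basic "):], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in VALID_USERS:
        return None
    ok = hmac.compare_digest(password.encode(), VALID_USERS[user].encode())
    return user if ok else None


def login_vulnerable(path: Path, auth_header: str) -> bool:
    """Vulnerable pattern: the raw header is written to the line-oriented
    session file *before* the credential is checked. Returns whether a later
    request presenting this session would be treated as authenticated."""
    path.write_text(f"authenticated=0\nraw_auth={auth_header}\n")
    if check_credential(auth_header):          # only a genuine credential passes
        with path.open("a") as f:
            f.write("authenticated=1\n")
    return parse_session(path).get("authenticated") == "1"


def login_hardened(path: Path, auth_header: str) -> bool:
    """Hardened pattern: validate the header shape, verify the credential, and
    only then write a session. 'user' is a key of VALID_USERS at this point,
    so nothing attacker-controlled reaches the file."""
    user = check_credential(auth_header)
    if user is None:
        return False
    path.write_text(f"authenticated=1\nuser={user}\n")
    return parse_session(path).get("authenticated") == "1"


def run_demo() -> Dict[str, bool]:
    """Constructed inputs: an injected header carrying no valid password at
    all, and a genuine credential for the one real user."""
    workdir = Path(tempfile.mkdtemp(prefix="crlf-demo-"))
    injected = "Basic AAAA\r\nauthenticated=1\r\nuser=root"
    genuine = "Basic " + base64.b64encode(b"alice:correct horse battery staple").decode()
    return {
        "vulnerable_accepts_injection": login_vulnerable(workdir / "v1", injected),
        "vulnerable_accepts_genuine": login_vulnerable(workdir / "v2", genuine),
        "hardened_accepts_injection": login_hardened(workdir / "h1", injected),
        "hardened_accepts_genuine": login_hardened(workdir / "h2", genuine),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Two things make the vulnerable handler exploitable, and both must be fixed together: the header is persisted before it is verified, and the file format treats every line break as a field boundary. Rejecting CR and LF (here by allowing only the Base64 alphabet) removes the injection vector; writing only after a successful check removes the window in which an unverified value is trusted.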

A Zero-Day Exploited Since February

The patch arrived on April 28, 2026. But exploitation did not begin that week. Hosting provider KnownHost reported active exploitation attempts as far back as February 23, more than two months before a fix existed. That makes this a prolonged zero-day: a vulnerability attackers were exploiting in the wild before the vendor had a patch available.

By the time the emergency update landed, the damage was already spreading fast. Internet monitoring organisation Shadowserver reported that attackers had compromised at least 44,000 IP addresses running cPanel. Hundreds of affected websites also appeared publicly in Google search results, making the scale of the breach visible to anyone who looked.

The “Sorry” Ransomware Campaign

The threat actors behind these attacks are deploying ransomware called “Sorry.” This is not the same campaign that used the Sorry name back in 2018. The current operation uses a completely different encryptor, built in Go and designed specifically for Linux systems.

Once the encryptor runs, it appends a .sorry extension to every file it encrypts. File contents are encrypted with the ChaCha20 stream cipher, a fast and well-regarded algorithm, and the ChaCha20 key is then wrapped with an embedded RSA-2048 public key. Only the attackers hold the matching private key, so the files cannot be decrypted without it; recovery without that key depends entirely on clean backups.

Ransomware expert Rivitna confirmed the situation bluntly: decryption cannot happen without that RSA-2048 private key. In every folder, the attackers leave a ransom note named README.md. It directs victims to contact the threat actors through an encrypted messaging platform called Tox to negotiate payment.
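A triage sweep for the two on-disk artifacts named above, as an added example for this article (it is not cPanel's detection script, not WatchTowr's generator, and not the encryptor's code). It walks a directory tree, lists files carrying the .sorry extension, flags README.md files that read like the ransom note, and tallies hits per top-level directory. The sample tree, the note wording, and the heuristic that a note mentions Tox or carries a 76-hex-character Tox ID are constructed assumptions; the per-account tally assumes a /home/<account> style layout.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENCRYPTED_SUFFIX = ".sorry"   # extension the encryptor appends
NOTE_NAME = "README.md"       # name of the note dropped in every folder

# Heuristics for telling a ransom note from an ordinary project README. These
# are assumptions for this example, not a published signature: the note names
# Tox, or carries a 76-hex-character Tox ID.
TOX_WORD = re.compile(r"\btox\b", re.IGNORECASE)
TOX_ID = re.compile(r"\b[0-9A-F]{76}\b", re.IGNORECASE)


def looks_like_ransom_note(path: Path) -> bool:
    """True if the file mentions Tox or contains something shaped like a Tox ID."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return bool(TOX_WORD.search(text) or TOX_ID.search(text))


def scan(root: Path) -> Dict[str, object]:
    """Walk root and report encrypted files, ransom notes, and how many
    encrypted files fall under each top-level directory (assumed to be one
    hosting account each, as under /home on a shared server)."""
    encrypted: List[str] = []
    notes: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
            elif name == NOTE_NAME and looks_like_ransom_note(path):
                notes.append(rel)
    per_account = Counter(rel.split(os.sep, 1)[0] for rel in encrypted)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_accounts": dict(sorted(per_account.items())),
    }


def build_sample_tree() -> Path:
    """Constructed sample data, not material from a real victim."""
    root = Path(tempfile.mkdtemp(prefix="sorry-triage-"))
    note = ("Your files have been encrypted.\n"
            "Contact us on Tox to negotiate.\n"
            "Tox ID: " + "A" * 76 + "\n")          # placeholder ID, constructed
    # Account 'shop': two encrypted files and a note in its web root.
    web = root / "shop" / "public_html"
    web.mkdir(parents=True)
    (web / "index.php.sorry").write_bytes(b"\x00ciphertext\x00")
    (web / "config.php.sorry").write_bytes(b"\x00ciphertext\x00")
    (web / NOTE_NAME).write_text(note)
    # Account 'blog': untouched, with an ordinary project README that must
    # not be flagged.
    repo = root / "blog" / "repo"
    repo.mkdir(parents=True)
    (repo / NOTE_NAME).write_text("# Blog theme\n\nRun `npm run build` to compile.\n")
    (repo / "style.css").write_text("body { margin: 0; }\n")
    return root


def run_demo() -> Dict[str, object]:
    """Build the constructed tree and scan it."""
    return scan(build_sample_tree())


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point scan() at /home on a suspect server; on a shared host the affected_accounts tally shows how far the damage spread across tenants. Treat a hit as confirmation of compromise, not a clean sweep as proof of safety: an attacker who has gained access but not yet run the encryptor leaves none of these artifacts, so this does not replace the vendor's detection script.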

How Hosting Providers Responded

Several major hosting providers moved quickly once the vulnerability became known. Namecheap temporarily blocked connections to cPanel and WHM ports entirely, cutting off access while patches rolled out. KnownHost, HostPapa, and InMotion followed with similar measures. Each urged customers to treat their systems as potentially compromised if they went unpatched during the exposure window.

cPanel published a detection script to help administrators spot signs of compromise. Security firm WatchTowr also released a Detection Artifact Generator for the same purpose. Both tools are available now. Any administrator who has not yet investigated their systems should start there.

What You Need to Do Right Now

If you run a website on a cPanel-based hosting environment, treat this as urgent. The cPanel security vulnerability affects all versions after 11.40, and patches cover multiple supported releases.

Administrators who manage their own servers should run the update command /scripts/upcp --force immediately (two leading hyphens; a single dash is not the same flag). This forces cPanel to pull the latest patched release even if the system believes it is already current. Servers on an unsupported cPanel version do not qualify for this update; those administrators need to upgrade to a supported version first.

For website owners who rely on a hosting provider, check whether your provider has confirmed the patch is live. If they have not communicated anything on this issue, ask directly. Given the scale of exploitation and the expectation that attacks will intensify, waiting is not a safe option.

Also review recent access logs for unusual activity. Verify that your backups exist, are intact, and are clean. Enable multi-factor authentication on your cPanel account if you have not done so already. Bear in mind that patching closes the hole but does not evict an attacker who already got in: if a server was exposed during the window, run the detection tools above, rotate passwords and API tokens, and look for accounts, cron jobs or SSH keys you did not create.

Final Thoughts

This incident shows how much damage a single authentication flaw can cause when it sits inside infrastructure that millions of websites depend on. Attackers exploited this cPanel security vulnerability silently for months. They had a wide-open window long before defenders had a patch to work with. By the time the fix arrived, tens of thousands of servers were already hit and ransomware was actively encrypting data across Linux hosting environments.

The “Sorry” campaign is still in its early stages. Security researchers expect exploitation to grow in the coming days and weeks. Patching now is the single most important step any cPanel user can take. Beyond that, this is a good moment to review your broader security posture — because when critical infrastructure gets hit at this scale, the fallout reaches far beyond the servers themselves.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.