CVE-2026-41940: cPanel zero-day hits 44,000 servers in mass Sorry ransomware campaign
The Shadowserver Foundation reports at least 44,000 IP addresses running cPanel have been compromised, with hackers exploiting the flaw to breach servers and deploy a Go-based Linux encryptor used in “Sorry” ransomware campaigns. Censys identified 8,859 hosts exposing open directories where filenames end in “.sorry,” with 7,135 confirmed as running cPanel or WHM, strong evidence of large-scale automated exploitation across multiple independent threat groups.
Internet scans identified approximately 1.5 million cPanel instances exposed online, and cPanel controls 94% of the control-panel market according to W3Techs, meaning the exploitable attack surface is effectively the management layer of a significant fraction of the internet’s shared hosting infrastructure.
How the vulnerability actually works
CVE-2026-41940 is a session-file manipulation attack through CRLF injection. An unauthenticated attacker injects crafted lines into a pre-authentication session file. When cpsrvd re-parses that file, the injected lines become top-level session entries — including user=root, hasroot=1, tfa_verified=1, and a fresh successful_internal_auth_with_timestamp — promoting the session to a fully authenticated root session and bypassing both the password and 2FA gates without ever touching an authentication code path.
The exploit chains three failures: the login handler fails to strip CRLF characters from a header value, letting an attacker inject extra fields into the session file; a malformed cookie causes the encryption layer protecting that session to be skipped; and a quirk in how cPanel re-reads cached sessions promotes the injected unauthenticated session into an authenticated one. The result is root-level WHM access from a single sequence of HTTP requests — no credentials, no phishing, no malware required on the victim’s side.
cPanel has published a detection script that scans session files for indicators of compromise, including sessions containing injected authentication timestamps, pre-authentication sessions with authenticated attributes, and password fields containing embedded newlines. watchTowr separately released a Detection Artifact Generator that administrators can use to verify whether their instances remain vulnerable.
What Sorry ransomware does once it’s in
Sorry is a Go-based Linux encryptor that encrypts files and appends the .sorry extension, drops a ransom note instructing victims to contact via Tox, uses ChaCha20 encryption with the key protected by an embedded RSA-2048 public key, and wipes backups to prevent recovery. Unlike ransomware that targets individual endpoints, Sorry focuses on web content, databases, and customer data stored within hosting environments — hitting every account under a compromised cPanel server simultaneously.
Censys uncovered evidence that the vulnerability is being weaponized by multiple independent groups within 24 hours of public disclosure, including deploying Mirai botnet variants alongside Sorry ransomware. This is not a single coordinated campaign — it is opportunistic mass exploitation by several threat actors using the same publicly available proof-of-concept code.
Ctrl-Alt-Intel separately identified a distinct campaign leveraging CVE-2026-41940 for cyber espionage purposes, primarily targeting government and military domains in the Philippines and Laos, as well as MSPs and hosting providers. The combination of victimology and post-compromise behaviour suggests state-sponsored involvement beyond opportunistic ransomware deployment.
The disclosure timeline that made this worse
The vulnerability had been reported to cPanel approximately two weeks before the April 28 public advisory, and cPanel’s initial response was that nothing was wrong. That left hosting providers without mitigation guidance during a window when exploitation was already confirmed in the wild.
Namecheap temporarily blocked connections to cPanel and WHM ports 2083 and 2087 ahead of patch availability to protect customers while an official fix was pending. KnownHost, HostPapa, and InMotion followed similar approaches. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, mandating federal agencies patch within four days.
If you run your own cPanel installation, patch immediately. Fixed versions are cPanel & WHM 11.136.0.5 and WP Squared 136.1.7. Run cPanel’s published detection script to check session files under /var/cpanel/sessions/raw/ for injected authentication timestamps. Reset all administrative passwords and block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall if you cannot patch immediately.
If you use a managed hosting provider, confirm patch status in writing before assuming you are protected. KnownHost, Namecheap, HostPapa, and InMotion deployed the fix within hours of the April 28 disclosure — but not every provider responded at that speed. If your provider cannot confirm patch status and a clean IOC scan result, treat that as a significant gap in your vendor security posture.
If you find indicators of compromise, rebuilding from clean backups is the safest path. Credential rotation alone is not sufficient — attackers establish SSH key persistence, hidden cron jobs, API tokens, and sudoers backdoors after initial access. A confirmed compromise requires full forensic review of all persistence mechanisms, not just a password reset.
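The session-file indicators cPanel's script checks for (authenticated attributes in a pre-authentication session, embedded newlines in a field) can be expressed as a small heuristic scanner over the directory named above. The following is an added example, not cPanel's or watchTowr's script; it assumes session files are plain key=value lines and that pre-auth sessions carry a `preauth_` file-name prefix, adds a duplicate-key heuristic of its own, and runs on constructed sample content.

```python
"""Heuristic scanner for the session-file indicators described above (added
example, not cPanel's own detection script). Assumptions: session files are
plain-text key=value lines and a pre-authentication session has a file name
starting with 'preauth_'. Samples below are constructed; the 'pass' field name
in them is an assumption too."""
import re
from pathlib import Path

# Attributes that should only ever appear once a login has actually succeeded
AUTH_ATTRIBUTES = {"hasroot", "tfa_verified", "successful_internal_auth_with_timestamp"}
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$", re.M)

def scan_session(name: str, raw: str) -> list[str]:
    """Return indicator descriptions found in one session file (empty = clean)."""
    findings = []
    counts: dict[str, int] = {}
    for key, value in LINE_RE.findall(raw):
        counts[key] = counts.get(key, 0) + 1
        # A CRLF-injected value keeps its stray CR when the file is split on LF
        if "\r" in value:
            findings.append(f"{key}: embedded carriage return in value")
    if name.startswith("preauth_"):
        for key in sorted(AUTH_ATTRIBUTES.intersection(counts)):
            findings.append(f"{key}: authenticated attribute in pre-auth session")
    # Duplicate keys are a hint that injected lines shadowed legitimate ones
    for key, n in counts.items():
        if n > 1:
            findings.append(f"{key}: appears {n} times")
    return findings

def scan_directory(path: Path) -> dict[str, list[str]]:
    """Scan every file in a session directory; keys are files with findings."""
    results = {}
    for f in sorted(path.iterdir()):
        if f.is_file():
            hits = scan_session(f.name, f.read_text(errors="replace"))
            if hits:
                results[f.name] = hits
    return results

# Constructed samples: a clean pre-auth session and one carrying injected lines
CLEAN = "user=alice\npass=correct-horse\ncreated=1777400000\n"
INJECTED = ("user=alice\npass=x\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1\r\n"
            "successful_internal_auth_with_timestamp=1777500000\n")

if __name__ == "__main__":
    for name, raw in [("preauth_clean", CLEAN), ("preauth_suspect", INJECTED)]:
        print(name, scan_session(name, raw) or "clean")
```

Point `scan_directory` at `/var/cpanel/sessions/raw/` to sweep a live server; any non-empty result warrants the full persistence review described above rather than a password reset alone.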
The supply chain dimension of this incident is what makes it particularly significant for enterprise security teams. When a hosting provider’s control plane is compromised, every website, database, and email account under that management interface is affected — regardless of what individual tenants do with their own security controls. Organizations whose managed hosting providers cannot confirm the patch and a clean detection script result in writing should treat that as a warning sign requiring immediate escalation.
CybelAngel's dark web monitoring identifies compromised hosting credentials and exposed customer data circulating in the underground markets where Sorry ransomware operators and cPanel exploit buyers operate. Our attack surface management surfaces exposed cPanel interfaces visible from your perimeter before attackers scan for them. Talk to an analyst about what is currently visible from outside your organization.
FAQ
CVE-2026-41940 is a critical authentication bypass in cPanel & WHM with a CVSS score of 9.8. It allows unauthenticated attackers to gain root-level access by injecting CRLF sequences into a session file during login, bypassing both password and two-factor authentication without any valid credentials.
The Shadowserver Foundation reports at least 44,000 IP addresses compromised as of April 30, 2026. Censys identified 8,859 hosts with open directories containing .sorry encrypted files, with 7,135 confirmed as cPanel or WHM instances. Approximately 1.5 million cPanel instances are exposed to the internet according to Rapid7.
Yes. KnownHost confirmed exploitation dating to at least February 23, 2026 — more than two months before cPanel issued the patch on April 28. This was a true zero-day for the entire period between initial discovery and public disclosure.
Sorry is a Go-based Linux encryptor deployed through compromised cPanel installations. It uses ChaCha20 encryption protected by RSA-2048, appends the .sorry extension to files, wipes backups, and instructs victims to make contact via Tox messaging.
Run cPanel’s published detection script, which checks session files for injected authentication timestamps and embedded newlines in password fields. Also check for unexpected SSH keys, cron jobs, API tokens, and sudoers entries. If indicators are found, rebuild from a clean backup — do not attempt in-place remediation.
All cPanel and WHM versions after v11.40 are affected, plus WP Squared prior to version 136.1.7. Fixed releases are cPanel & WHM 11.136.0.5 and WP Squared 136.1.7. No workaround exists — patching is the only remediation.
