Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks

A critical authentication bypass vulnerability in cPanel and WHM is being actively exploited by attackers to deploy "Sorry" ransomware, resulting in the compromise of over 44,000 server IP addresses.

Key Points

  • The vulnerability, tracked as CVE-2026-41940, allows unauthorized access to web hosting control panels.
  • Security firm Shadowserver reports that at least 44,000 cPanel instances have been compromised since exploitation began in late February.
  • Attackers are deploying a Go-based Linux encryptor that uses the ChaCha20 stream cipher and RSA-2048 encryption to lock files.
  • Victims receive a README.md ransom note instructing them to contact threat actors via Tox to negotiate payment.
  • Developers have released an emergency security update for WHM and cPanel that all administrators must install immediately to prevent further data loss.

Why it Matters

This widespread campaign poses a significant threat to website owners and hosting providers who rely on cPanel for server management. Because the encryption is currently irreversible without the private RSA key, immediate patching is the only effective defense against total data loss and service disruption.
Source: BleepingComputer, published by Lawrence Abrams