Full Report
A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks. [...]
Analysis Summary
# Incident Report: Mass-Exploitation of cPanel Authentication Bypass (CVE-2026-41940)
## Executive Summary
A critical authentication bypass vulnerability in cPanel and WHM (CVE-2026-41940) is being mass-exploited to deploy "Sorry" ransomware. The campaign, which began as zero-day activity in February 2026, has compromised at least 44,000 IP addresses, resulting in the encryption of web server data using a Go-based Linux encryptor. Recovery currently requires the threat actor's private RSA-2048 key, making immediate patching the only viable defense.
## Incident Details
- **Discovery Date:** Late February 2026 (Initially detected); May 2, 2026 (Active mass-exploitation reported)
- **Incident Date:** February 2026 – Ongoing
- **Affected Organization:** Approximately 44,000+ web hosting accounts/servers
- **Sector:** Web Hosting / Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Late February 2026
- **Vector:** Exploitation of CVE-2026-41940 (Authentication Bypass)
- **Details:** Attackers exploited a flaw in WHM and cPanel that allowed unauthorized access to administrative backends without valid credentials.
### Lateral Movement
- **Details:** Access to WHM (server-level) or cPanel (site-level) allows attackers to execute commands and navigate directories with administrative privileges on the Linux host.
### Data Exfiltration/Impact
- **Details:** Discovery of the "Sorry" ransomware deployment. Attackers used a Go-based Linux encryptor to lock website files, databases, and webmail using ChaCha20 encryption. No specific data exfiltration was confirmed, but administrative access makes theft highly likely.
### Detection & Response
- **April 28, 2026:** cPanel released an emergency security update.
- **May 2, 2026:** Shadowserver and BleepingComputer reported mass-exploitation and identified the "Sorry" ransomware campaign.
- **Ongoing:** Security researchers confirmed that RSA-2048 encryption renders files unrecoverable without the attacker's key.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-41940 (Critical Authentication Bypass in cPanel/WHM).
- **Persistence:** Unauthorized administrative access to web hosting control panels.
- **Privilege Escalation:** Inherent to the vulnerability (allows administrator-level access).
- **Defense Evasion:** Use of a zero-day vulnerability prior to public disclosure.
- **Credential Access:** Bypassing authentication entirely rather than stealing credentials.
- **Discovery:** Mass-scanning for vulnerable cPanel/WHM instances.
- **Lateral Movement:** Transition from web control panel access to shell execution on the Linux server.
- **Collection:** Targeting of website source code, databases, and configuration files.
- **Exfiltration:** Not explicitly detailed, but implied via administrative control.
- **Impact:** Encryption of files using ChaCha20 stream cipher; RSA-2048 for key protection; appending ".sorry" extension.
## Impact Assessment
- **Financial:** High (Ransom demands and loss of business for 44k+ sites).
- **Data Breach:** High risk; administrative access allows full visibility of customer data and databases.
- **Operational:** Severe disruption; thousands of websites rendered offline or inaccessible due to encrypted backends.
- **Reputational:** High for hosting providers failing to patch critical management software.
## Indicators of Compromise
- **Network indicators:** Activity involving unauthorized access to ports commonly associated with cPanel/WHM (2082, 2083, 2086, 2087).
- **File indicators:**
- `README.md` (Ransom note)
- Files with `.sorry` extension
- SHA-256: `2fc0a056fd4eff5d31d06c103af3298d711f33dbcd5d122cae30b571ac511e5a` (Linux Encryptor)
- **Behavioral indicators:** Execution of Go-based binaries on Linux web servers; presence of Tox ID `3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724`.
## Response Actions
- **Containment:** Servers were disconnected or isolated to prevent further encryption.
- **Eradication:** Installation of the cPanel/WHM emergency security update (WP2 Security Update).
- **Recovery:** Restoration of data from off-site backups (as decryption is impossible without the private key).
## Lessons Learned
- **Patch Management:** The lag between zero-day exploitation (February) and public awareness (May) highlights the danger of exposed management interfaces.
- **Architecture:** Web hosting control panels should ideally be restricted via IP allow-lists or VPNs to prevent mass-scanning exploitation.
- **Backup Integrity:** Ransomware targeting the host level can often destroy local backups; immutable off-site backups are essential.
## Recommendations
- **Immediate Action:** Update cPanel and WHM to the latest version to mitigate CVE-2026-41940.
- **Network Security:** Restrict access to WHM/cPanel login ports to trusted IP addresses only.
- **Monitoring:** Monitor server logs for unusual logins or file system activity typical of high-speed encryption.
- **Backup:** Implement the 3-2-1 backup rule with at least one offline, immutable copy.