cPanel: Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks

Critical cPanel Flaw Exploited in Widespread "Sorry" Ransomware Attacks

A critical authentication bypass vulnerability in cPanel and WHM (CVE-2026-41940) is being actively exploited to deploy the "Sorry" ransomware, targeting Linux-based web hosting servers. The flaw, patched in an emergency update this week, allows attackers to gain unauthorized access to control panels managing websites, databases, and webmail.

Exploitation attempts date back to late February, with attacks escalating rapidly after the vulnerability was disclosed. Security firm Shadowserver reports that at least 44,000 IP addresses running cPanel have been compromised. Threat actors began mass-exploiting the flaw on Thursday, deploying a Go-based Linux encryptor that appends the ".sorry" extension to encrypted files.

The ransomware uses ChaCha20 encryption, with keys secured via an embedded RSA-2048 public key, making decryption impossible without the attacker’s private key. Victims receive a ransom note (README.md) directing them to contact the threat actor via Tox (ID: 3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724). Hundreds of compromised sites have already been indexed by Google, indicating widespread impact.

This campaign is unrelated to a 2018 ransomware operation that also used the ".sorry" extension. Security experts warn that exploitation is expected to intensify in the coming days.

Source: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/

cPanel cybersecurity rating report: https://www.rankiteo.com/company/cpanel

{
  "id": "CPA1777760619",
  "linkid": "cpanel",
  "type": "Ransomware",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "44,000+ IP addresses compromised",
      "industry": "Web Hosting/IT Services",
      "type": "Web Hosting Servers"
    }
  ],
  "attack_vector": "Authentication Bypass Vulnerability (CVE-2026-41940)",
  "data_breach": {
    "data_encryption": "ChaCha20 with RSA-2048 public key",
    "sensitivity_of_data": "High (files on web hosting servers)",
    "type_of_data_compromised": "Encrypted files ('.sorry' extension)"
  },
  "date_detected": "2024-02-01",
  "description": "A critical authentication bypass vulnerability in cPanel and WHM (CVE-2026-41940) is being actively exploited to deploy the 'Sorry' ransomware, targeting Linux-based web hosting servers. The flaw allows attackers to gain unauthorized access to control panels managing websites, databases, and webmail. The ransomware uses ChaCha20 encryption with keys secured via an embedded RSA-2048 public key, making decryption impossible without the attacker’s private key. Victims receive a ransom note directing them to contact the threat actor via Tox.",
  "impact": {
    "data_compromised": "Files encrypted with '.sorry' extension",
    "operational_impact": "Unauthorized access to control panels managing websites, databases, and webmail",
    "systems_affected": "Linux-based web hosting servers running cPanel/WHM"
  },
  "initial_access_broker": {
    "entry_point": "Authentication Bypass Vulnerability (CVE-2026-41940)"
  },
  "investigation_status": "Ongoing",
  "motivation": "Financial Gain",
  "post_incident_analysis": {
    "corrective_actions": "Patch management, enhanced monitoring for unauthorized access",
    "root_causes": "Unpatched critical vulnerability (CVE-2026-41940) in cPanel/WHM"
  },
  "ransomware": {
    "data_encryption": true,
    "ransomware_strain": "Sorry Ransomware (Go-based Linux encryptor)"
  },
  "recommendations": "Apply the emergency patch for CVE-2026-41940 immediately to prevent exploitation.",
  "references": [
    {
      "source": "Shadowserver"
    }
  ],
  "response": {
    "remediation_measures": "Emergency patch for CVE-2026-41940",
    "third_party_assistance": "Shadowserver (security firm)"
  },
  "title": "Critical cPanel Flaw Exploited in Widespread 'Sorry' Ransomware Attacks",
  "type": "Ransomware",
  "vulnerability_exploited": "CVE-2026-41940"
}