Critical cPanel Authentication Bypass (CVE-2026-41940) Mass-Exploited in “Sorry” Ransomware Campaign
Summary
A critical authentication bypass vulnerability in cPanel & WHM, tracked as CVE-2026-41940, is being actively mass-exploited by threat actors deploying the “Sorry” ransomware strain. The flaw affects cPanel software versions after 11.40 — which covers the vast majority of installations worldwide — and allows attackers to bypass authentication entirely to gain administrative access to web hosting control panels.
Exploitation attempts have been traced back to late February 2026, meaning attackers had roughly two months of undetected access before the vulnerability became publicly known. cPanel has since issued an emergency update to patch the flaw, but the damage window is significant. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and active threat.
The “Sorry” ransomware payloads deployed through this vector encrypt hosted websites, databases, and email systems, effectively holding entire hosting environments hostage. Given that cPanel manages millions of websites globally, the blast radius of this campaign is potentially enormous.
Sources
- BleepingComputer — Critical cPanel flaw mass-exploited in Sorry ransomware attacks
- Cato Networks — Threat Brief: CVE-2026-41940
Commentary
This is a nightmare scenario for the shared hosting industry. cPanel is the backbone of budget and mid-tier web hosting — millions of small businesses, personal sites, and even some enterprise workloads run on it. An auth bypass that was silently exploited for two months before disclosure means there are almost certainly compromised servers that haven’t been identified yet.
The “Sorry” branding is almost mocking. If you’re running cPanel, patch immediately and assume breach until proven otherwise. Audit your environments, check for unauthorized admin accounts, and verify backup integrity. The hosting providers who dragged their feet on this one are going to have a very bad quarter.