
Active Exploitation of CVE-2026-41940 Allows Attackers to Breach Hosting Panels, Encrypt Data, and Take Over Websites at Scale

A newly disclosed vulnerability in cPanel & WHM is being actively exploited in widespread ransomware attacks, leading to the compromise of tens of thousands of servers worldwide.

The flaw, tracked as CVE-2026-41940, allows attackers to bypass authentication and gain unauthorized access to hosting control panels.

What’s Happening

Shortly after an emergency patch was released, security researchers observed active exploitation in the wild, with evidence suggesting attacks began as early as late February 2026.

According to internet monitoring sources, over 44,000 IP addresses running cPanel have already been compromised, making this one of the largest active hosting-related attacks in recent months.

How the Attack Works

Attackers exploit the authentication bypass to gain access to hosting environments. Once inside, they:

  1. Take control of the hosting panel
  2. Deploy a Linux-based ransomware payload
  3. Encrypt website files and server data
  4. Leave ransom notes across directories

The ransomware used in these attacks is known as “Sorry” ransomware, specifically designed to target Linux-based servers.

About the “Sorry” Ransomware

  • Appends “.sorry” extension to encrypted files
  • Uses ChaCha20 encryption for file locking
  • Protects keys with RSA-2048 encryption
  • Drops a ransom note (README.md) in affected directories
  • Demands payment via Tox messaging platform

Security experts warn that decryption is not possible without the attacker’s private RSA key, making recovery extremely difficult without backups.

Scale of Impact

  • Thousands of websites already compromised
  • Hundreds of infected sites indexed publicly
  • Attacks continuing to grow rapidly

This indicates automated mass exploitation, where attackers scan the internet for vulnerable cPanel instances and deploy ransomware at scale.

Why This Attack Is Critical

This is not just a vulnerability—it’s an active ransomware campaign targeting core internet infrastructure.

Key concerns include:

  • Hosting providers and shared servers at risk
  • Multi-tenant environments exposed
  • Potential for mass website defacement and data loss
  • Business disruption across industries

A single vulnerable server can impact hundreds of websites and customers simultaneously.

Immediate Actions Recommended

Organizations using cPanel & WHM should act without delay:

  • Apply the latest security updates immediately
  • Audit systems for unauthorized access
  • Check for encrypted files or ransom notes
  • Restore from clean backups if compromised
  • Restrict access to management interfaces
  • Enable Multi-Factor Authentication (MFA)
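The indicators listed under "About the “Sorry” Ransomware" (the `.sorry` suffix and the `README.md` note) and the "Check for encrypted files or ransom notes" step above can be turned into a host triage scan. The script below is an added example written for this page; it is not code from the post, from the researchers cited, or from cPanel/WHM. Only the `.sorry` suffix and the `README.md` note name come from the post; the entropy threshold, the minimum file size, the verdict labels and the sample directory tree are my own assumptions, constructed for demonstration.

```python
"""Triage scan for the 'Sorry' ransomware indicators named in the post.

Added example, not part of the post or of cPanel/WHM. From the post: the
'.sorry' suffix and the README.md note name. Assumed: the entropy threshold,
the minimum file size, and the constructed sample tree used by demo()."""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".sorry"   # from the post
NOTE_NAME = "README.md"       # from the post
ENTROPY_THRESHOLD = 7.5       # assumed heuristic; ChaCha20 output is close to 8 bits/byte
MIN_SIZE = 1024               # assumed; tiny files give unreliable entropy estimates
SAMPLE_BYTES = 64 * 1024      # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root) -> dict:
    """Walk `root` and collect three indicator classes.

    - encrypted_files: anything carrying the '.sorry' suffix
    - ransom_notes: README.md files that share a directory with '.sorry' files
      (README.md on its own is common in git checkouts, so it is not enough)
    - high_entropy_files: unsuffixed files that look encrypted; catches renamed
      or partially processed data, but also legitimately compressed content
      (images, archives), so treat it as a lead, not proof
    """
    root = Path(root)
    encrypted, notes, high_entropy = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        dir_has_encrypted = any(f.endswith(ENCRYPTED_SUFFIX) for f in files)
        for name in files:
            p = d / name
            rel = p.relative_to(root).as_posix()
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
            elif name == NOTE_NAME and dir_has_encrypted:
                notes.append(rel)
            elif p.is_file() and p.stat().st_size >= MIN_SIZE:
                with open(p, "rb") as fh:
                    if shannon_entropy(fh.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD:
                        high_entropy.append(rel)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "high_entropy_files": sorted(high_entropy),
    }


def verdict(findings: dict) -> str:
    """Collapse findings into an assumed triage label for the host."""
    if findings["encrypted_files"] and findings["ransom_notes"]:
        return "compromised"        # both primary indicators present
    if findings["encrypted_files"] or findings["high_entropy_files"]:
        return "suspicious"         # partial evidence, needs a human look
    return "clean"


def build_sample_tree(base) -> Path:
    """Constructed demo layout: one hit site directory, one benign repo."""
    base = Path(base)
    site, repo = base / "public_html", base / "repo"
    site.mkdir(parents=True)
    repo.mkdir(parents=True)
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    (site / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n" * 100)
    (site / "index.php.sorry").write_bytes(rng.randbytes(4096))
    (site / "config.bak").write_bytes(rng.randbytes(4096))   # encrypted-looking, not renamed
    (site / NOTE_NAME).write_text("[constructed ransom note placeholder]\n")
    (repo / NOTE_NAME).write_text("# project\n" * 200)      # ordinary README, not a note
    return base


def demo() -> dict:
    """Scan the constructed tree and return findings plus the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_tree(build_sample_tree(tmp))
    findings["verdict"] = verdict(findings)
    return findings


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real document root instead of the constructed tree by calling `scan_tree("/home")` (or wherever the tenant sites live) and feeding the result to `verdict`. The entropy pass is deliberately a weak signal: archives and images are also near 8 bits per byte, so it is there to surface files the ransomware may have touched without renaming, not to decide the case on its own.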

Key Takeaway

➡️ This incident highlights how quickly attackers weaponize newly disclosed vulnerabilities.

In this case, a single authentication bypass flaw has already led to mass ransomware deployment across thousands of servers.

Organizations that delay patching—even by a few days—are at immediate risk of compromise.