Hackers Exploit cPanel Bug To Hijack Thousands Of Websites In “Sorry” Ransomware Surge

A critical vulnerability in cPanel and WHM is now being widely exploited, allowing attackers to seize control of servers and deploy ransomware. Despite patches being released, thousands of websites have already been compromised in ongoing attacks.
 

TL;DR

 

• A cPanel flaw (CVE-2026-41940) is actively exploited in the wild
• Over 550,000 servers remain potentially vulnerable globally
• Around 2,000 instances confirmed compromised, previously as high as 44,000
• Attackers deploy “Sorry” ransomware encrypting Linux systems
• Exploitation traces back to February, before public disclosure

 

cPanel Vulnerability Enables Full Server Takeover Through Authentication Bypass

The issue, tracked as CVE-2026-41940, stems from a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM). These tools are widely used for Linux-based server and website management, making the flaw particularly dangerous at scale.

By exploiting this bug, attackers can gain unauthorized access to control panels, effectively taking full control of servers. This allows them to manipulate websites, access databases, and deploy malicious payloads without needing valid credentials.

An emergency patch was released to address the flaw, but exploitation had already begun. Reports indicate that attackers were actively leveraging the vulnerability as a zero-day, with activity dating back to late February, well before public disclosure.

 

Mass Exploitation Campaign Hits Thousands of Websites Globally

Security monitoring organization Shadowserver reports that over 550,000 servers remain exposed, with thousands already compromised. While current confirmed breaches stand at around 2,000 instances, earlier figures showed as many as 44,000 affected systems, highlighting the scale and سرعة of the attack wave.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, urging immediate patching. Government agencies were given a strict deadline to secure their systems, though confirmation of compliance remains unclear.

Researchers believe these attacks may have been ongoing silently for weeks, allowing threat actors to establish footholds before detection.
 

“Sorry” Ransomware Targets Linux Servers With Advanced Encryption

Once inside a system, attackers deploy a Go-based ransomware strain dubbed “Sorry.” This malware specifically targets Linux environments, encrypting files and appending a “.sorry” extension to affected data.

The encryption mechanism uses the ChaCha20 stream cipher, with keys secured by an embedded RSA-2048 public key. According to experts, recovery without the corresponding private key is virtually impossible, leaving victims with limited options.

Each infected directory contains a ransom note named README.md, instructing victims to contact attackers via Tox messaging to negotiate payment. Some compromised websites briefly displayed these ransom messages publicly, with search engines indexing dozens of affected pages before they were restored.
   

Ongoing Threat Highlights Risks of Delayed Patch Adoption

Despite the availability of a fix, the continued presence of hundreds of thousands of vulnerable servers underscores a recurring issue in cybersecurity, delayed patch deployment.

The scale of this campaign demonstrates how quickly attackers can operationalize newly discovered vulnerabilities, especially in widely used infrastructure software like cPanel.

With exploitation still active, organizations running affected systems face an urgent need to patch, audit access, and monitor for signs of compromise. The incident serves as another reminder that even a short delay in response can lead to widespread damage across the internet ecosystem.