CVE-2026-41940: “Sorry” Ransomware Mass-Exploits Critical cPanel Authentication Bypass, 44,000 Servers Compromised
A pre-authentication bypass vulnerability in cPanel & WHM has been weaponized by multiple independent threat groups, deploying “Sorry” ransomware and Mirai botnet variants across tens of thousands of servers — with zero-day exploitation dating back to February 23, 2026.
CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel & WHM affecting all versions from 11.40 through 136.0.4. The flaw resides in the cpsrvd daemon’s handling of the HTTP Authorization header: a logical flaw allows attackers to inject arbitrary credentials into the session via a crafted CRLF injection payload, impersonating the root user without any valid credentials. cPanel controls an estimated 94% of the web hosting control panel market and manages approximately 70 million domains globally, amplifying the potential impact significantly.
The vulnerability was discovered by watchTowr Labs on April 22, 2026, after it had already been exploited in the wild as a zero-day since at least February 23, 2026 — a window of approximately 66 days before a patch was available. cPanel released an emergency patch on April 28 and publicly disclosed the vulnerability on April 29. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30.
Security researchers have observed a consistent post-exploitation playbook executed with minimal HTTP requests — as few as four, according to community analysis — requiring no credentials at any stage:
1. Scanning for exposed cPanel ports. Attackers scan the internet for open cPanel management ports (2083, 2087, 2095, 2096) to identify unpatched, internet-facing instances across approximately 1.5 million exposed cPanel deployments.
2. CRLF injection to bypass authentication. The core of the attack. Attackers construct a malicious CRLF injection payload targeting the cpsrvd daemon’s Authorization header handling flaw, injecting arbitrary credentials into the session file and directly impersonating the root user — no username or password required.
3. Deploying “Sorry” ransomware. After obtaining root access, attackers deploy the Sorry ransomware — a Go-based Linux encryptor targeting web roots, databases, and customer data under the compromised cPanel instance. Files are appended with the .sorry extension and a ransom note (e.g., please_read_me.txt) is dropped. Backups are actively wiped to eliminate recovery paths.
4. Deploying Mirai botnet variant. Encryption alone is not the end goal. Threat actors simultaneously deploy Mirai variants (including “nuclear.x86”), conscripting encrypted servers into DDoS botnets — a two-pronged monetization strategy combining ransom demands with botnet infrastructure.
Note: “Sorry” is a ransomware campaign name adopted by multiple independent threat actors, not a single organized group. The ransomware shares these technical characteristics across observed deployments:
- Runs vssadmin delete shadows /all /quiet to eliminate all Windows Volume Shadow Copies, closing the “restore from backup” recovery path.
- Uses a per-victim host_hash. This allows operators to accurately distinguish victims in the backend and prevent confusion during ransom negotiations.
Hosts were found with .sorry-suffixed files, of which 7,135 were confirmed cPanel or WHM instances. Exploitation was confirmed across government, military, MSP, and shared hosting environments globally.
- Verify and patch immediately. Check your version with `/usr/local/cpanel/cpanel -V`. If below 136.0.4, update now with `/scripts/upcp --force`. If using a hosting provider, verify patch status directly with them.
- Remove cPanel ports from public internet exposure. Restrict access to ports 2083, 2087, 2095, and 2096 using a VPN or IP allowlist. This is the single most effective protection layer — faster to implement than patching and effective even against unpatched instances.
- Check for indicators of compromise. Search for files with the .sorry extension or ransom notes named please_read_me.txt. Run the official IoC scan script provided by cPanel. If your server was internet-facing and unpatched after February 23, treat it as potentially compromised until a full audit is completed.
- Harden your backup strategy. Store critical backups offline or on immutable storage (write-once). Ransomware with root access can and will delete accessible backup repositories. Offline or immutable backups are the only reliable recovery option against this threat model.
- Audit all remote management credentials. In addition to CVE-2026-41940, threat actors have been observed conducting brute-force attacks via weak RDP passwords. Rotate credentials on all remote management ports and disable any that are unnecessary. Enable multi-factor authentication where available.
- Enable WAF rules. Cloudflare released an emergency WAF rule for CVE-2026-41940 on April 30. If your cPanel server’s sites run behind Cloudflare or another WAF provider, confirm the CVE-2026-41940 rule is active. This provides a network-layer mitigation — not a substitute for patching.
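The version check and the IoC search from the checklist above, as a small POSIX sh helper added here (it is not the article's or cPanel's own code). It assumes that `/usr/local/cpanel/cpanel -V` prints the version as its first whitespace-separated token, and it only matches the two filenames the article names, so a clean result is not proof of a clean host.

```shell
#!/bin/sh
# Added example, not from the article or from cPanel: decide whether a cPanel version
# string is below the patched 136.0.4, and look for "Sorry" artifacts under a directory.

PATCHED_VERSION="136.0.4"

# version_below A B: exit 0 (true) when dotted version A is older than B.
# Fields compare numerically, so 11.40 < 136.0.4 and 136.0.10 > 136.0.4.
version_below() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "below"
    }'
}

# cpanel_status VERSION: prints "vulnerable" or "patched" for the given version string.
cpanel_status() {
    if version_below "$1" "$PATCHED_VERSION"; then echo vulnerable; else echo patched; fi
}

# scan_for_sorry_iocs DIR: prints every file ending in .sorry or named please_read_me.txt.
scan_for_sorry_iocs() {
    find "$1" -type f \( -name '*.sorry' -o -name 'please_read_me.txt' \) 2>/dev/null
}

# count_sorry_iocs DIR: number of matches, as a bare integer.
count_sorry_iocs() {
    scan_for_sorry_iocs "$1" | wc -l | tr -d ' '
}

# Live usage on a cPanel host (assumption: `cpanel -V` prints the version as its first
# token; adjust the awk field if your build prints something else). Skipped elsewhere.
if [ -x /usr/local/cpanel/cpanel ]; then
    ver=$(/usr/local/cpanel/cpanel -V 2>/dev/null | awk 'NR==1 {print $1}')
    echo "cPanel $ver: $(cpanel_status "$ver")"
    # Web roots under /home are where the article says the encryptor works.
    echo "Sorry IoCs under /home: $(count_sorry_iocs /home)"
fi
```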
The CVE-2026-41940 exploitation wave demonstrates the compounding danger of a pre-authentication remote code execution vulnerability paired with automated ransomware deployment: tens of thousands of servers compromised within hours of public disclosure, with a 66-day zero-day window meaning many hosts were silently breached long before any patch existed.
The “Sorry” ransomware campaign illustrates a sophisticated dual-monetization strategy — simultaneous ransom demands and botnet conscription — that maximizes attacker ROI from each compromised host. With cPanel controlling the vast majority of the shared hosting market, the downstream impact extends beyond the directly compromised servers to every website, database, and customer account hosted beneath them.
Patch, restrict access, audit for compromise, and make your backups ransomware-proof. Don’t wait until .sorry appears in your directory listings before acting.
