Security & Infrastructure Tools
Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks
A critical vulnerability in cPanel/WHM (CVE-2026-41940) is being mass-exploited in the Sorry ransomware campaign. An emergency update for WHM and cPanel has been released, but attackers have already compromised tens of thousands of servers (at least 44,000 IPs according to Shadowserver) and deployed a Go-based Linux encryptor that appends the .sorry extension to files. Victims receive a ransom note with a Tox ID; files can only be decrypted with the attackers' RSA-2048 private key, so recovery without it is effectively impossible. All cPanel/WHM users are urged to apply the security update immediately, as exploitation continues to spread.

CRITICAL CPANEL FLAW MASS-EXPLOITED IN SORRY RANSOMWARE ATTACKS
Overview
- A recently disclosed vulnerability in cPanel and WHM, tracked as CVE-2026-41940, has become the focus of a widespread exploitation campaign.
- The flaw is an authentication bypass: it gives an unauthenticated attacker access to the control panel, which then serves as the foothold for everything that follows.
- In the wake of public disclosure, researchers observed a rapid shift into active exploitation, with threat actors deploying a Go-based Linux encryptor associated with the Sorry ransomware family.
- The campaign has targeted websites running cPanel/WHM, leading to encrypted data and the appearance of ransom notes demanding negotiation for decryption.
Technical Background: What are cPanel and WHM?
- WHM (WebHost Manager) provides server-level administrative control, while cPanel gives website-level administration, including access to website backends, email, and databases.
- The combination is widely used for Linux-based hosting environments, making any vulnerability in these components particularly impactful due to the potential reach across hosted sites.
The Vulnerability and Patch Timeline
- CVE-2026-41940 emerged as a critical authentication bypass flaw affecting both cPanel and WHM.
- An emergency security update addressing this vulnerability was released in late April 2026 to mitigate the bypass and reduce exposure to unauthorized access.
- After the patch, researchers reported ongoing exploitation in the wild, with attackers leveraging the flaw to breach servers and deploy payloads.
Exploitation Campaign: How the Attacks Unfolded
- Initial reports and corroborating sources indicated exploitation attempts dating back to late February, with a rapid acceleration once the flaw was publicly disclosed and the patch became available.
- Shadowserver reported that more than 44,000 IP addresses running cPanel had been compromised in the observed window, putting the campaign among the larger mass-exploitation events seen against hosting control panels.
- The attackers used the vulnerability to gain control over affected servers and plant a Go-based Linux encryptor as part of the ransomware operation.
Ransomware Details: The Sorry Campaign
- The encryptor deployed by the attackers is designed for Linux environments and adds the extension .sorry to encrypted files.
- Encryption mechanics:
  - File contents are encrypted with the ChaCha20 stream cipher.
  - The ChaCha20 key is wrapped with an RSA-2048 public key embedded in the encryptor.
  - Only the holder of the matching RSA-2048 private key can unwrap the file key, so the files cannot be recovered without it.
- Victims reportedly find a uniform ransom note, README.md, in every folder that contains encrypted files. The note names a Tox ID as the contact channel and carries a fixed identifier to be quoted when negotiating with the operators.
- The same identifier appears in notes recovered from multiple victims, which points to a single, centrally run operation rather than independently run infections.
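The triage a hosting administrator would run on a suspected hit, as an added example that is not part of the original reporting and not code from cPanel, WHM or the ransomware operators: it walks a directory tree, inventories .sorry files and README.md notes, hashes the notes to confirm they are uniform across folders, pulls the Tox ID out of each note, and flags folders that hold encrypted files but no note. The Tox ID format (76 hex characters) is the standard Tox address format and is an assumption not stated in the article; the sample tree, file names and note text are constructed for the demo.

```python
"""Triage helper for a suspected Sorry-style ransomware incident on a cPanel host.

Added example for this article, not code from cPanel, WHM, or the ransomware
operators.  It assumes only what the article states: encrypted files carry the
`.sorry` suffix and each affected folder holds a README.md ransom note naming a
Tox contact ID.  The 76-hex-character Tox ID format is the standard Tox format,
not something the article specifies, and the note text and directory layout
below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".sorry"
NOTE_NAME = "README.md"
# A Tox ID is 38 bytes (32-byte public key, 4-byte nospam, 2-byte checksum)
# rendered as 76 hex characters.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def triage(root):
    """Walk `root` and summarize encrypted files, ransom notes and contact IDs."""
    encrypted = []
    note_hashes = {}            # note path -> sha256 of its body
    tox_ids = Counter()         # Tox ID -> number of notes naming it
    dirs_with_encrypted = set()
    dirs_with_note = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                dirs_with_encrypted.add(dirpath)
            elif name == NOTE_NAME:
                with open(path, "rb") as fh:
                    body = fh.read()
                note_hashes[path] = hashlib.sha256(body).hexdigest()
                dirs_with_note.add(dirpath)
                text = body.decode("utf-8", errors="replace")
                for tox in TOX_ID_RE.findall(text):
                    tox_ids[tox.upper()] += 1
    return {
        "encrypted_files": sorted(encrypted),
        "note_hashes": note_hashes,
        # One distinct hash means every note is byte-identical, as reported.
        "distinct_note_hashes": len(set(note_hashes.values())),
        "tox_ids": tox_ids,
        # Folders holding .sorry files but no note: worth a manual look.
        "dirs_missing_note": sorted(dirs_with_encrypted - dirs_with_note),
    }


# Constructed sample data: a placeholder Tox ID, not a real operator's address.
FAKE_TOX_ID = "AB" * 38
FAKE_NOTE = "Your files are encrypted.\nContact us via Tox: " + FAKE_TOX_ID + "\n"


def build_sample_tree(root):
    """Lay out two hit sites, one clean site and one folder with a missing note."""
    for rel in ("site_a/public_html", "site_b/public_html/wp-content"):
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for fname in ("index.php" + ENCRYPTED_SUFFIX, "config.php" + ENCRYPTED_SUFFIX):
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(os.urandom(64))
        with open(os.path.join(d, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(FAKE_NOTE)
    # Encrypted file without a note in the same folder.
    odd = os.path.join(root, "site_b/public_html/uploads")
    os.makedirs(odd, exist_ok=True)
    with open(os.path.join(odd, "photo.jpg" + ENCRYPTED_SUFFIX), "wb") as fh:
        fh.write(os.urandom(64))
    # An untouched site.
    clean = os.path.join(root, "site_c/public_html")
    os.makedirs(clean, exist_ok=True)
    with open(os.path.join(clean, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'ok';\n")


def run_demo():
    """Build the sample tree in a temp dir, triage it, and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = triage(root)
        # Strip the temp prefix so paths are comparable across runs.
        result["dirs_missing_note"] = [os.path.relpath(d, root) for d in result["dirs_missing_note"]]
        return result


if __name__ == "__main__":
    summary = run_demo()
    print("encrypted files:", len(summary["encrypted_files"]))
    print("ransom notes:", len(summary["note_hashes"]), "distinct:", summary["distinct_note_hashes"])
    print("contact IDs seen:", dict(summary["tox_ids"]))
    print("folders with encrypted files but no note:", summary["dirs_missing_note"])
```

On a real host, point `triage()` at the account roots (for example `/home`) and compare the note hash and Tox ID against what other victims have posted; a second distinct hash or ID is the first sign that more than one operator, or a copycat, is involved.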
Evidence and Observations: What Has Been Seen in the Wild
- Multiple independent sources reported that websites were directly impacted by the Sorry ransomware campaign, with encrypted files and ransom notes appearing across affected sites.
- Forum discussions on security communities documented firsthand samples of encrypted files and the ransom note contents, reinforcing the reported method and scope.
- Public indicators included image compilations and lists of affected websites, cataloged by researchers and security outlets as part of ongoing tracking.
- An explicit note from researchers highlighted that the current campaign is distinct from a 2018 malware instance that also used the .sorry extension but was unrelated in code and actors.
Impact Scope: Who Is Affected
- The attacks targeted Linux-based hosting environments running cPanel and WHM, so the exposure spans numerous hosting providers and all of their customers.
- The scale is visible both in Shadowserver's count of compromised IP addresses and in the lists of affected websites circulating in search results and security feeds.
- Because one cPanel/WHM server typically hosts many sites, a single compromised host can mean data loss across every site on it, which is why affected administrators and hosting providers need a swift incident response.
Security Update and Guidance Context
- An emergency update for WHM and cPanel was issued to rectify the authentication bypass flaw, aiming to curb exploitation vectors and reduce risk to hosting environments.
- Researchers and security professionals stressed the urgency of applying the available update: the authentication bypass is the campaign's initial access vector, so an unpatched host remains exposed for as long as exploitation continues.
Encryption and Decryption Considerations
- The Sorry ransomware campaign relies on standard, well-studied cryptographic primitives to lock victims' data:
  - ChaCha20 for file contents; with a correctly used stream cipher there is no offline recovery path without the key.
  - RSA-2048 to wrap the ChaCha20 key, so the file key itself cannot be recovered without the operators' private key.
- Industry experts have indicated that, given this design, decryption is not feasible without access to the RSA-2048 private key, which makes prevention, rapid patching and restorable backups the only reliable defenses against data loss.
- The uniform ransom note structure across victims, along with a fixed contact channel and identifier, suggests a centralized operation model with standardized negotiation workflows.
Related Context and Continuities
- The current Sorry campaign is part of a broader evolution in ransomware, where attackers leverage newly disclosed vulnerabilities to gain initial access and deploy tailored encryptors for stealthy, rapid data encryption.
- Historical references note earlier incidents using the same file extension but highlight that this campaign represents a distinct threat actor and toolset, not a direct continuation of the 2018 HiddenTear-based activity.
- Ongoing monitoring by security communities continues to track exploit activity, compromised assets, and the reach of affected websites as more victims come online and more data becomes available.
Notes on Public Reporting and Evidence
- Public reporting channels, including security news outlets and community forums, have provided corroborated anecdotes and technical details about the campaign, including sample ransom notes and encrypted file behaviors.
- Visual compilations and lists of affected websites have circulated in association with the reporting efforts, illustrating the breadth of impact across the web host ecosystem.
- Researchers emphasized the rapid evolution of the attack landscape in response to patch releases and defensive measures, with continued exploration of indicators of compromise and attacker infrastructure.
Summary of Key Points
- CVE-2026-41940 is a critical authentication bypass in cPanel/WHM that has been aggressively exploited in a mass campaign.
- The Sorry ransomware uses Linux-targeted encryption with ChaCha20 and RSA-2048, encrypting files and appending the .sorry extension.
- A large number of hosting environments and websites running cPanel/WHM have been affected, with tens of thousands of IPs reported as compromised in the period following disclosure.
- The ransom mechanism hinges on a uniform README.md note dropped in each affected folder, with a single contact channel and identifier shared across victims.
- Emergency updates to address the vulnerability were released, but the number of hosts compromised around patch availability shows that patching has to be paired with vigilant monitoring and rapid response by administrators and hosting providers.