A critical authentication bypass flaw in cPanel and WHM, tracked as CVE-2026-41940, is being mass-exploited to deploy the "Sorry" ransomware against Linux web hosting servers. Internet security watchdog Shadowserver reports that at least 44,000 IP addresses running cPanel have already been compromised, with hundreds of encrypted websites indexed in Google search results.

What Happened

An emergency patch for WHM and cPanel was released earlier this week to address a critical authentication bypass that allows unauthenticated attackers to access hosting control panels. Shortly after disclosure, researchers confirmed the flaw had been exploited in the wild as a zero-day, with the earliest activity traced back to late February 2026.

Beginning Thursday, multiple sources told BleepingComputer that threat actors pivoted from quiet exploitation to mass deployment of a Go-based Linux encryptor branded "Sorry." Victim reports surfaced on the BleepingComputer forums almost immediately, with widespread compromises across shared hosting environments.

What Was Taken

The campaign is primarily destructive rather than extortion-by-exfiltration. Files on impacted servers are encrypted with the ".sorry" extension and rendered inaccessible. Encrypted assets include site content, databases, webroots, and any backups kept on the same host.

The ransomware uses the ChaCha20 stream cipher, with the per-victim symmetric key wrapped under an embedded RSA-2048 public key. Ransomware analyst Rivitna confirmed that decryption is impossible without the attacker-held RSA-2048 private key.

Why It Matters

cPanel underpins a substantial share of the global shared and reseller hosting market, meaning a single unpatched server can cascade into hundreds of breached customer websites. The combination of an authentication bypass, an active zero-day window dating back to February, and a Linux-targeted encryptor creates an unusually high blast radius for small businesses, agencies, and managed hosting providers who often lack mature incident response capability.

The campaign also illustrates a growing trend of opportunistic ransomware operators piggybacking on critical hosting-stack CVEs the moment patches drop, racing administrators who rely on vendor auto-update schedules.

The Attack Technique

Attackers exploit CVE-2026-41940 to bypass authentication on exposed WHM and cPanel interfaces, granting administrative access to the server's web hosting backend. From there, the operators drop a Go-compiled Linux ELF binary that walks the file system and encrypts site content, databases, and webroots with ChaCha20.

A README.md ransom note is dropped in each affected directory, instructing victims to negotiate via Tox using the static identifier 3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724. The Tox ID and note text are reused across all observed victims, suggesting a single operator or small affiliate cluster rather than a broad RaaS program. Despite the shared ".sorry" extension, this campaign is unrelated to the 2018 HiddenTear-based "sorry" variant.

What Organizations Should Do

  1. Apply the emergency cPanel and WHM patches immediately on every server, including dev, staging, and reseller nodes.
  2. Audit cPanel and WHM access logs back to late February 2026 for unauthenticated session creation, unusual API calls, and unfamiliar admin logins.
  3. Hunt for the Go-based Linux encryptor, files with the ".sorry" extension, and README.md ransom notes in webroots and home directories.
  4. Restrict WHM and cPanel administrative interfaces to allowlisted IPs or VPN, and require MFA for all reseller and root-level accounts.
  5. Validate that backups are stored off-host and immutable, since on-server backups are encrypted alongside live data in this campaign.
  6. Block outbound Tox traffic at egress where feasible (Tox is a peer-to-peer protocol whose clients join a DHT through public bootstrap nodes, UDP 33445 by default, and a hosting server has no legitimate reason to reach it), and alert on any file containing the published Tox ID.
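A small hunt script for step 3, as an added example that is neither the article's nor cPanel's own code. It assumes a POSIX shell with find, grep and mktemp, that customer webroots live under /home/*/public_html (cPanel's default layout), and that the Tox ID quoted above is the one to match on. The sample directory tree it builds is constructed for a dry run and is not real victim data.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): hunt for "Sorry" ransomware artifacts on a
# Linux hosting server. Assumes POSIX sh with find/grep/mktemp and cPanel's /home/*/public_html
# layout; pass explicit roots as arguments to scan something else.

# Tox ID reused across all observed "Sorry" ransom notes (quoted in the article).
SORRY_TOX_ID="3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724"

# Print every regular file carrying the ".sorry" extension under the given roots.
find_sorry_files() {
    find "$@" -type f -name '*.sorry' 2>/dev/null
}

# Print README.md files that contain the campaign's Tox ID. Matching on the ID rather than on
# the filename alone avoids flagging every project README a customer has deployed.
find_ransom_notes() {
    find "$@" -type f -name 'README.md' -exec grep -l "$SORRY_TOX_ID" {} + 2>/dev/null
}

# Count lines on stdin without the leading padding some wc implementations emit.
count_lines() {
    wc -l | tr -d ' '
}

# Summarise indicators under the given roots (default /home). Exits non-zero when anything was
# found, so the function can drive a cron job or a fleet-wide ssh loop.
hunt_sorry() {
    roots="$*"
    [ -n "$roots" ] || roots="/home"
    enc=$(find_sorry_files $roots | count_lines)
    notes=$(find_ransom_notes $roots | count_lines)
    echo "encrypted files: $enc, ransom notes: $notes"
    [ "$enc" -eq 0 ] && [ "$notes" -eq 0 ]
}

# Constructed sample tree for a dry run: one compromised account (alice), one clean one (bob).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/public_html" "$root/home/bob/public_html"
    printf 'ciphertext' > "$root/home/alice/public_html/index.php.sorry"
    printf 'Sorry. Contact us on Tox: %s\n' "$SORRY_TOX_ID" > "$root/home/alice/public_html/README.md"
    printf '<?php echo 1;' > "$root/home/bob/public_html/index.php"
    printf '# My project\n' > "$root/home/bob/public_html/README.md"
    echo "$root"
}

# With arguments: scan those roots. Without: dry run against the synthetic tree.
if [ $# -gt 0 ]; then
    hunt_sorry "$@"
else
    sample=$(make_sample_tree)
    hunt_sorry "$sample/home" || echo "indicators present under $sample/home (synthetic dry run)"
fi
```

Run it read-only before any cleanup so the ".sorry" files and notes survive as evidence, and note that it only covers step 3: step 2 starts from the cPanel and WHM access logs, for which the article publishes no request patterns.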

Sources: Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks