Critical cPanel Vulnerability Actively Exploited in Ransomware Attacks

If your business runs a website on a Linux web server—or uses a hosting provider that runs cPanel—you need to read this now. A critical security vulnerability in cPanel & WHM, the world’s most widely deployed web hosting control panel, is being actively mass-exploited by cybercriminals to deploy ransomware that encrypts every website, database, and file on affected servers. Over 44,000 servers have already been compromised, and the attack requires no technical expertise to execute.

This vulnerability, identified as CVE-2026-41940, was publicly disclosed on April 28, 2026, added to the CISA Known Exploited Vulnerabilities (KEV) catalog on May 3, 2026, and has since become one of the most actively exploited vulnerabilities in recent memory. A patch is available and must be applied immediately.

What Happened

CVE-2026-41940 is an authentication bypass vulnerability affecting cPanel & WHM—the control panel software used by an estimated 1.5 million internet-facing servers, the majority of which belong to small businesses and web hosting customers.

Technical Details

  • CVE ID: CVE-2026-41940
  • CVSS Score: 9.8 (Critical) — CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vulnerability Type: Missing Authentication for Critical Function / CRLF Injection
  • Affected Software: cPanel & WHM versions after 11.40 through multiple branches prior to fixed releases (see Remediation section)
  • Also Affected: WP Squared (WP2) prior to version 136.1.7; DNSOnly (all versions bundled with affected cPanel & WHM)
  • Patch Released: April 28, 2026 (cPanel official security update)
  • CISA KEV Added: May 3, 2026
  • Proof-of-Concept Published: April 29, 2026 (watchTowr Labs)
  • Zero-Day Exploitation Began: Approximately February 23, 2026 (pre-disclosure)

How the Attack Works

The vulnerability exists in the way cPanel’s cpsrvd daemon handles login sessions. An attacker sends a specially crafted HTTP request with a malformed authorization header to the cPanel login endpoint. By injecting raw carriage-return/line-feed (CRLF) characters into the header, the attacker can insert arbitrary session properties—including user=root, hasroot=1, and tfa_verified=1—directly into the server’s session file. When cPanel re-parses that session file, it treats the injected fields as legitimate authentication data, granting the attacker full root-level administrative access.

The entire exploit chain requires no credentials, no prior access, and executes in a single HTTP request sequence. A public proof-of-concept was released the day after the patch, meaning automated mass-scanning and exploitation began almost immediately.

The “Sorry” Ransomware Campaign

The most widespread threat actor group exploiting this vulnerability is deploying “Sorry” ransomware—a Go-based Linux encryptor that uses ChaCha20 encryption with RSA-2048 key protection. Once deployed, the ransomware encrypts all files on the server (websites, databases, emails, backups stored locally) and appends a .sorry extension to every affected file. A README.md ransom note is left in every directory demanding payment via Tox. There is currently no free decryption available for Sorry ransomware—victims must either pay the ransom or restore from a clean, offsite backup.

Additionally, other threat actor groups are exploiting the same vulnerability to install Mirai botnet variants (for DDoS attacks) and to conduct state-sponsored espionage operations, underscoring how broadly this vulnerability is being weaponized.

Who Is Affected

This vulnerability affects any organization running or relying on cPanel & WHM for web hosting management. The industries and business types most at risk include:

  • Small and medium-sized businesses running their own web servers with cPanel
  • E-commerce businesses (WooCommerce, Magento, OpenCart) on shared or VPS Linux hosting
  • Marketing and digital agencies managing multiple client websites
  • Law firms and professional services with self-hosted web infrastructure
  • Healthcare practices with self-managed patient portals or web properties handling sensitive data
  • Real estate and property management firms with web-managed listings portals
  • Restaurants and hospitality businesses with self-hosted reservation or online ordering systems
  • Web hosting resellers and micro-MSPs offering hosting services to clients
  • Non-profits and educational institutions on budget hosting plans
  • Any business using shared Linux web hosting where the hosting provider uses cPanel/WHM

Approximately 1.5 million cPanel & WHM instances are internet-accessible. According to Shadowserver Foundation data, over 44,000 servers have already been compromised, with Censys independently confirming at least 8,859 hosts actively hosting encrypted .sorry files.

Impact on Small & Medium Businesses

For a small or medium business, a successful exploit of CVE-2026-41940 means complete loss of your web presence and potentially all customer data. Here’s what that looks like in practice:

  • Your entire website is encrypted. Every HTML file, WordPress installation, theme, plugin, and uploaded media is locked with Sorry ransomware’s ChaCha20 encryption—unrecoverable without the attacker’s key or a clean backup.
  • All databases are compromised. Customer records, order histories, contact forms, appointment data, and proprietary business information stored in MySQL or MariaDB are fully accessible—and encrypted—by the attacker.
  • Every email account on the server is exposed. Hosted email, mailing lists, and any emails stored server-side can be read, exfiltrated, or deleted.
  • Data breach notification obligations may apply. If customer PII (names, addresses, payment information, medical data) is exposed, your business may be legally required to notify affected individuals and regulators—regardless of business size.
  • Recovery without a backup is expensive and uncertain. Server rebuilds, data restoration, forensic investigation, and potential regulatory fines can cost tens of thousands of dollars—often exceeding what SMBs have budgeted for IT recovery.
  • Downtime hits revenue directly. For an e-commerce business or a service company dependent on web-based bookings, even 24–72 hours of downtime during a server rebuild represents real, measurable revenue loss.

What makes this particularly dangerous for SMBs is the zero-skill barrier to exploitation. The public proof-of-concept means attackers don’t need to be sophisticated—automated tools are already scanning the internet for vulnerable cPanel instances and compromising them without human involvement. Opportunistic cybercriminals are striking at scale.

Remediation Checklist

Take the following steps immediately, in order of priority:

  1. Apply the cPanel patch immediately. Log in to WHM and navigate to Home > cPanel > Update Preferences. Set the update tier to CURRENT or RELEASE, then run the update from the command line as root: /scripts/upcp --force
  2. Verify the patch was applied. Confirm your cPanel version is at or above the fixed release for your branch: /usr/local/cpanel/cpanel -V. Fixed versions include: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5.
  3. Check for active compromise indicators. Inspect /var/cpanel/sessions/raw/ for suspicious session files containing user=root, hasroot=1, tfa_verified=1, or multiple pass= lines. Any such files indicate your server has been actively exploited.
  4. If compromise is detected, take the server offline immediately. Block external access to ports 2082, 2083, 2086, and 2087 (cPanel/WHM web ports). Do not attempt to clean the server in place—treat it as fully compromised and initiate a fresh rebuild from a clean backup.
  5. Rotate all credentials. Change every administrator and root-level password, rotate all SSH keys, and update all database credentials for every account on the server.
  6. Contact your hosting provider if you use managed hosting. If a provider manages your cPanel environment, contact them directly to confirm the patch has been applied. Do not assume it has been done automatically.
  7. Block cPanel/WHM ports at the firewall if patching is delayed. As a temporary workaround, restrict TCP ports 2082, 2083, 2086, and 2087 to trusted IP addresses only at the network or firewall level.
  8. Enable two-factor authentication on all admin accounts. In WHM, go to Security Center > Two-Factor Authentication and enforce 2FA for all administrative users.
  9. Review hosted websites for unauthorized modifications. Check all hosted files for unusual changes, new files (especially those with a .sorry extension), or README.md ransom notes.
  10. Enable automatic security updates for cPanel. In WHM, go to Update Preferences > Automatic Updates to ensure future critical patches are applied without delay.
  11. Restrict WHM/cPanel access to known IP addresses. Use WHM > Security Center > Host Access Control to whitelist only authorized management IPs, preventing unauthorized access even if future vulnerabilities arise.
  12. Deploy a web application firewall (WAF) or IDS/IPS. Place a WAF or intrusion detection/prevention system in front of your cPanel-hosted infrastructure to detect and block exploit attempts.
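
The session-file check in step 3 can be scripted so it runs from cron or a monitoring agent. The following is an added triage helper, not cPanel’s own tooling: it scans /var/cpanel/sessions/raw/ (or any directory passed on the command line) for the indicators listed above and, going one step further, flags any key that appears more than once, since header-injected lines leave duplicate keys behind. The sample session contents are constructed for illustration.

```python
#!/usr/bin/env python3
"""Triage helper for cPanel session files (added example, not cPanel's own tooling)."""
import sys
from collections import Counter
from pathlib import Path

# Lines the advisory names as indicators of an injected session.
SUSPICIOUS_LINES = {"user=root", "hasroot=1", "tfa_verified=1"}

# Constructed sample of what an injected session file looks like (not a real capture):
# the legitimate login wrote user= and pass= once; the injected lines follow.
SAMPLE_INJECTED = "user=alice\npass=REDACTED1\nuser=root\nhasroot=1\ntfa_verified=1\npass=REDACTED2\n"


def session_indicators(text: str) -> list[str]:
    """Return the indicators found in one session file's contents ([] if clean)."""
    hits = []
    keys = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        if line in SUSPICIOUS_LINES:
            hits.append(line)
        keys[line.split("=", 1)[0]] += 1
    # Duplicate keys (pass= above all) are the trace of CRLF-injected lines.
    for key, count in sorted(keys.items()):
        if count > 1:
            hits.append(f"duplicate {key}= x{count}")
    return hits


def scan_sessions(directory: str = "/var/cpanel/sessions/raw") -> dict[str, list[str]]:
    """Map each suspicious session file path to the indicators found in it."""
    flagged = {}
    for path in sorted(Path(directory).glob("*")):
        if path.is_file():
            hits = session_indicators(path.read_text(errors="replace"))
            if hits:
                flagged[str(path)] = hits
    return flagged


if __name__ == "__main__":
    # A session from a genuine root WHM login may also carry user=root, so
    # correlate every hit with the cpsrvd access log before concluding.
    results = scan_sessions(sys.argv[1] if len(sys.argv) > 1 else "/var/cpanel/sessions/raw")
    for path, hits in results.items():
        print(f"{path}: {', '.join(hits)}")
    sys.exit(1 if results else 0)  # non-zero exit when anything is flagged
```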

Strategic Recommendations

Beyond the immediate patch, this incident highlights several longer-term security posture improvements every SMB should consider:

  • Never expose control panel interfaces to the public internet. WHM and cPanel admin ports should always be restricted to known management IPs or accessed through a VPN. The “convenience” of leaving them open comes with a serious risk profile.
  • Maintain offline or immutable offsite backups. Sorry ransomware specifically targets locally stored backups. Your only guaranteed recovery path is a clean, tested backup stored in a separate environment—cloud backup services, offsite NAS, or managed backup solutions that are not accessible from the compromised server.
  • Establish a formal patch management cadence. CVE-2026-41940 had a public proof-of-concept exploit within 24 hours of the patch release. Organizations that hadn’t patched within that window were immediately at risk. A managed patching process eliminates this gap.
  • Consider managed hosting with a security-conscious provider. If managing a server’s security posture is beyond your team’s capacity, working with a managed service provider that handles patching, monitoring, and incident response reduces your exposure significantly.
  • Adopt a vulnerability management program. Systematic scanning for unpatched software across all business systems ensures critical vulnerabilities are caught and remediated before attackers can exploit them. This is no longer optional for businesses with any internet-facing infrastructure.
  • Train your team to recognize and report anomalies. Ransomware infections often leave early indicators—unusual server behavior, slow website performance, unexpected admin emails. Employees who know what to look for can trigger faster incident response.

How Lone Wolf Networks Can Help

Managing the security of web servers, control panels, and hosted infrastructure is exactly the kind of ongoing work that falls through the cracks for small businesses focused on running their operations. Lone Wolf Networks provides managed IT and cybersecurity services specifically designed for SMBs in the Temecula Valley and surrounding areas—services that directly address the vulnerabilities exploited in attacks like this one.

  • Vulnerability Management: We systematically scan your environment for unpatched software and critical vulnerabilities, ensuring issues like CVE-2026-41940 are identified and remediated before attackers can exploit them—not after.
  • 24/7 Threat Monitoring: Our continuous monitoring detects anomalous behavior, unauthorized access attempts, and active intrusion indicators in real time, so we can respond to threats before they become disasters.
  • Cloud Backup & Recovery: We implement offsite, immutable cloud backup solutions that remain inaccessible to ransomware—ensuring you always have a clean recovery point even in a worst-case scenario.
  • Endpoint Detection & Response (EDR): Modern EDR solutions can detect and contain ransomware activity on servers and endpoints before encryption completes, reducing the blast radius of an active attack.
  • Network Security (DNS/IPS/IDS): We deploy intrusion detection and prevention systems that can identify and block exploit attempts—including cPanel-targeting traffic—at the network level.
  • vCISO / IT Strategy: For SMBs without a dedicated IT security function, our virtual CISO services provide the strategic guidance to build a defensible security posture without hiring a full-time security team.

If you’re unsure whether your web server infrastructure is exposed, or if you want a security review of your current hosting environment, contact us today for a no-obligation consultation. You can also review our full managed IT security services and service plans to find the right level of protection for your business.
