At least 44,000 IP addresses running cPanel have been compromised in an active campaign that exploits a newly disclosed authentication-bypass flaw tracked as CVE-2026-41940.
CVE-2026-41940 and the emergency cPanel/WHM update
This week cPanel released an emergency update for WHM and cPanel to fix a critical authentication bypass that permits attackers to access control panels. WHM and cPanel are Linux-based web hosting control panels: WHM provides server-level control, and cPanel provides administrator access to website backends, webmail, and databases. The vendor update was issued after reports that the vulnerability was being used in the wild as a zero-day, with exploitation attempts dating back to late February.
Scale of exploitation: Shadowserver’s count and Google-indexed victims
Security watchdog Shadowserver reports at least 44,000 IP addresses running cPanel have been compromised in ongoing attacks. BleepingComputer and forum posts indicate the compromise is not limited to isolated servers: hundreds of compromised sites have already been indexed in Google, and victims have posted samples of encrypted files and ransom notes to the BleepingComputer forums.
The "Sorry" ransomware: Go-based Linux encryptor, ChaCha20, RSA-2048, and .sorry files
Multiple sources told BleepingComputer that attackers have been exploiting the cPanel flaw to deploy a Go-based Linux encryptor for a ransomware family calling itself "Sorry." The encryptor appends the ".sorry" extension to encrypted files and is specifically designed for Linux systems. According to the reporting, the ransomware uses the ChaCha20 stream cipher to encrypt files; the encryption key is then protected using an embedded RSA-2048 public key.
Ransomware expert Rivitna is quoted on the BleepingComputer forums: "Decryption is impossible without an RSA-2048 private key." In each folder the encryptor touches, it creates a ransom note named README.md instructing victims to contact the threat actor on Tox. The note and contact identifier are identical across victims; BleepingComputer reproduces the Tox ID used by the actor as 3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724.
The reporting also notes that a 2018 ransomware campaign used a HiddenTear encryptor that appended ".sorry" to files; this current campaign uses a different encryptor and is unrelated to the 2018 activity.
Evidence trail: forum reports, VirusTotal, and observed indicators
BleepingComputer sources and forum threads show victims sharing encrypted file samples and ransom notes, and VirusTotal is cited in relation to the Go-based encryptor. The presence of hundreds of compromised sites in Google's index provides an additional, visible signal of broad impact. Taken together, these public indicators helped researchers and observers conclude that the vulnerability was being actively exploited immediately after the cPanel update was released.
What this means for cPanel and WHM administrators, website owners, and security teams
- cPanel and WHM administrators: The reporting urges immediate installation of the available security updates, which close off the unauthorized control-panel access that precedes deployment of the encryptor.
- Website owners and hosting customers: Sites hosted on compromised servers are already showing evidence of encryption and ransom notes; owners will want to verify backups and investigate whether the .sorry extension and README.md ransom notes appear on any hosted content.
- Security teams and incident responders: With exploitation reported since late February and ongoing compromise estimated in the tens of thousands of IPs, responders should treat observed compromises as active ransomware incidents and prioritize containment, recovery from clean backups, and forensic review tied to the CVE-2026-41940 exploitation vector.
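As an added example (not code from the report, cPanel, or the researchers quoted), the following Python triage script walks a hosted-content tree for the two indicators the reporting names: files carrying the .sorry extension and README.md ransom notes that point victims to Tox. The directory it scans is constructed inline as sample data, and the Tox ID in the constructed note is a placeholder rather than the actor's real identifier.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SORRY_EXT = ".sorry"      # extension appended to encrypted files
NOTE_NAME = "README.md"   # ransom note dropped in every folder the encryptor touches
NOTE_MARKER = "Tox"       # the note instructs victims to contact the actor on Tox


def scan_for_sorry_indicators(root):
    """Walk `root` and summarise .sorry files and README.md ransom notes found."""
    encrypted, notes, note_digests = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(SORRY_EXT):
                encrypted.append(path)
            elif name == NOTE_NAME:
                try:
                    text = Path(path).read_text(errors="replace")
                except OSError:
                    continue  # unreadable note: skip rather than abort the sweep
                if NOTE_MARKER in text:  # ignore ordinary project READMEs
                    notes.append(path)
                    note_digests.add(hashlib.sha256(text.encode()).hexdigest())
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "identical_notes": len(note_digests) <= 1,  # one actor, one note text
        # folders with encrypted files but no note, worth a closer look during triage
        "dirs_missing_note": sorted({os.path.dirname(p) for p in encrypted}
                                    - {os.path.dirname(p) for p in notes}),
    }


def build_constructed_sample(root):
    # Constructed victim-like tree for the demo; the Tox ID is a placeholder.
    note = "Your files are encrypted. Contact us on Tox: <TOX-ID-PLACEHOLDER>\n"
    site = Path(root) / "public_html"
    (site / "uploads").mkdir(parents=True)
    for rel in ("index.php.sorry", "uploads/logo.png.sorry"):
        (site / rel).write_bytes(b"constructed ciphertext")
    for folder in (site, site / "uploads"):
        (folder / NOTE_NAME).write_text(note)
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / NOTE_NAME).write_text("# Project docs\n")  # benign, ignored


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_for_sorry_indicators(tmp)
```

On a real host, point scan_for_sorry_indicators at the account document roots instead of the constructed sample.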
The attacks "have just started," according to the reporting, and observers expect increased exploitation over the coming days and weeks. The immediate, concrete action the story records is simple and uncompromising: install the cPanel/WHM security update now. Beyond that, the matching of a specific exploit (CVE-2026-41940) to a distinct, Linux-focused encryptor with a reproducible ransom note and Tox ID gives defenders clear indicators to search for while they work to contain and remediate infected hosts.