A critical vulnerability in **cPanel/WHM** is being mass-exploited, with multiple reports tying real-world compromises to deployment of a Linux ransomware strain known as **“Sorry.”** The flaw is tracked as **CVE-2026-41940** and is described as an authentication bypass that can grant attackers access to hosting control panels.

### Why cPanel incidents spread quickly

cPanel and WHM are widely used in shared hosting, VPS, and managed hosting environments. When attackers gain control of the control panel, they often get a direct path to:

- Website files and backups

- Email accounts and webmail

- Databases (and their credentials)

- The ability to create new accounts or scheduled tasks

That makes hosting providers and resellers a high-value target, because a single server can host many customers.

### What the ‘Sorry’ ransomware does (reported)

According to incident reports, the ransomware encryptor targets Linux systems, appends a **.sorry** extension to encrypted files, and drops a **README.md** ransom note instructing victims to contact the attacker via Tox to negotiate payment. Researchers have indicated that encryption uses a modern stream cipher, with the per-victim key protected via public-key cryptography, making file recovery without the attacker's keys unlikely.

### Defensive steps (high level)

If you manage cPanel/WHM systems, the priority is to reduce exposure and contain potential spread:

- Apply cPanel/WHM emergency security updates immediately

- Review access logs and administrative users for suspicious activity

- Rotate credentials (control panel, database, SSH) and review API tokens

- Check for persistence mechanisms (cron jobs, new SSH keys, unknown services)

- Validate backups and practice restoration

As exploitation continues, hosting operators should assume scanning will increase and treat unpatched systems as high risk.
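A read-only triage helper for the checks above, added here as an example and not code from BleepingComputer, cPanel or the incident reports. It looks for the reported file indicators (the **.sorry** extension and a **README.md** note mentioning Tox) and for recently changed cron jobs and SSH `authorized_keys`; the directory layout, the time window and the sample tree it builds for a dry run are assumptions.

```bash
#!/bin/bash
# Added triage helper, not code from BleepingComputer or cPanel. It scans a
# directory tree for the indicators the reports attribute to the "Sorry"
# strain (.sorry extension, README.md note mentioning Tox) and for the
# persistence artifacts listed above (recently changed cron jobs and SSH
# authorized_keys). Paths, the time window and the sample data are assumptions.
# Usage on a suspect host (read-only): . ./sorry_triage.sh; triage_report / 1440

# count_sorry_files DIR -> number of files ending in .sorry under DIR
count_sorry_files() {
    find "$1" -type f -name '*.sorry' 2>/dev/null | wc -l | tr -d ' '
}

# find_ransom_notes DIR -> README.md files that mention Tox, one path per line
find_ransom_notes() {
    find "$1" -type f -name 'README.md' -exec grep -li 'tox' {} + 2>/dev/null || true
}

# recent_persistence_changes DIR MINUTES -> cron files and authorized_keys
# under DIR modified within the last MINUTES minutes
recent_persistence_changes() {
    find "$1" -type f \( -path '*/cron/*' -o -name 'authorized_keys' \) \
        -mmin "-$2" 2>/dev/null
}

# triage_report DIR MINUTES -> prints a summary; exit status 0 means no
# indicator found, 1 means at least one, so it can gate an isolation step
triage_report() {
    local n notes changes
    n=$(count_sorry_files "$1")
    notes=$(find_ransom_notes "$1")
    changes=$(recent_persistence_changes "$1" "$2")
    printf 'encrypted (.sorry) files: %s\n' "$n"
    printf 'ransom notes:\n%s\n' "${notes:-none}"
    printf 'recent cron/ssh changes:\n%s\n' "${changes:-none}"
    [ "$n" -eq 0 ] && [ -z "$notes" ] && [ -z "$changes" ]
}

# build_sample_tree DIR -> constructed sample layout mirroring /home and
# /var/spool/cron on a cPanel host, for a dry run (not real artifacts)
build_sample_tree() {
    mkdir -p "$1/home/site1/public_html" "$1/home/site1/.ssh" "$1/var/spool/cron"
    printf 'ciphertext' > "$1/home/site1/public_html/index.php.sorry"
    printf '# Sorry\nContact us via Tox to recover your files.\n' \
        > "$1/home/site1/public_html/README.md"
    printf '# Dependencies\nRun npm install.\n' > "$1/home/site1/README.md"
    printf '@reboot /tmp/.cache/svc\n' > "$1/var/spool/cron/site1"
    printf 'ssh-ed25519 AAAA...constructed unknown-host\n' > "$1/home/site1/.ssh/authorized_keys"
}
```

The report's exit status is non-zero when any indicator is present, so it can be chained into an alerting or isolation step; a legitimate README.md that does not mention Tox is not flagged.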

Source: BleepingComputer