
Critical cPanel Flaw Mass-Exploited in "Sorry" Ransomware Attacks
Why It Matters
The exploit targets the backbone of web‑hosting services, threatening millions of websites and potentially causing widespread data loss and ransom payouts, which could destabilize the hosting market and erode client trust.
Key Takeaways
- CVE‑2026‑41940 allows authentication bypass in cPanel/WHM.
- Over 44,000 cPanel IPs compromised by Sorry ransomware.
- Ransomware encrypts files with ChaCha20 and RSA‑2048 key.
- Encrypted files receive .sorry extension; decryption requires private RSA key.
- Immediate patch installation is critical to stop further exploitation.
Pulse Analysis
The newly disclosed CVE‑2026‑41940 vulnerability in cPanel and WHM represents a rare instance of a zero‑day that directly compromises the authentication layer of web‑hosting control panels. First observed in late February, the flaw enables attackers to log in without credentials, granting full server access. Within days, threat actors weaponized the access point to deploy the "Sorry" ransomware, a Go‑based encryptor that specifically targets Linux environments. The rapid escalation underscores how quickly a single software defect can become a catalyst for large‑scale ransomware campaigns, especially when the affected software powers a substantial portion of the internet's hosting infrastructure.
Technically, the "Sorry" ransomware uses ChaCha20 for fast, stream‑based file encryption and protects the ChaCha20 key by encrypting it with an embedded RSA‑2048 public key. Once files are encrypted, they receive a .sorry suffix, and a standardized README.md ransom note directs victims to negotiate via the encrypted messaging app Tox. The use of strong cryptographic primitives makes decryption practically impossible without the private RSA key, which the attackers have not disclosed. This sophistication raises the stakes for affected businesses, as data recovery now hinges on paying the ransom or restoring from clean backups; either option may be costly or unavailable.
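The on-disk indicators described above (a .sorry suffix on encrypted files and a README.md note dropped beside them) can be hunted for with a simple filesystem sweep. The script below is an added example for responders, not cPanel's or the reporter's tooling; the directory layout, the note contents and the "mass encryption" threshold are constructed assumptions.

```python
"""Sweep a directory tree for the file-level traces attributed to the "Sorry"
ransomware: files renamed with a .sorry suffix and a README.md ransom note
sitting next to them. Sample tree and note text are constructed for the demo."""
import os
import tempfile
from collections import defaultdict

SORRY_EXT = ".sorry"
NOTE_NAME = "README.md"


def scan_for_sorry_indicators(root, mass_threshold=10):
    """Walk `root`; return the number of .sorry files, README.md notes that sit
    beside .sorry files, and directories holding >= mass_threshold .sorry files."""
    encrypted_by_dir = defaultdict(int)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SORRY_EXT):
                encrypted_by_dir[dirpath] += 1
        # A README.md on its own is normal for web projects; only flag it when
        # encrypted files share the directory.
        if NOTE_NAME in files and encrypted_by_dir.get(dirpath, 0) > 0:
            notes.append(os.path.join(dirpath, NOTE_NAME))
    mass = sorted(d for d, n in encrypted_by_dir.items() if n >= mass_threshold)
    return {"encrypted_files": sum(encrypted_by_dir.values()),
            "ransom_notes": notes,
            "mass_encrypted_dirs": mass}


def build_sample_tree(base):
    """Constructed sample: one hosting account hit, one left untouched."""
    hit = os.path.join(base, "home", "victim", "public_html")
    clean = os.path.join(base, "home", "other", "public_html")
    os.makedirs(hit)
    os.makedirs(clean)
    for i in range(12):
        open(os.path.join(hit, f"page{i}.php{SORRY_EXT}"), "w").close()
    with open(os.path.join(hit, NOTE_NAME), "w") as f:
        f.write("constructed placeholder ransom note\n")
    with open(os.path.join(clean, NOTE_NAME), "w") as f:
        f.write("# My site\n")  # legitimate README, must not be flagged
    open(os.path.join(clean, "index.php"), "w").close()


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    base = tempfile.mkdtemp()
    build_sample_tree(base)
    return scan_for_sorry_indicators(base)


if __name__ == "__main__":
    print(run_demo())
```

On a real host, point `scan_for_sorry_indicators` at the account home directories and treat any non-empty `mass_encrypted_dirs` list as a trigger for isolating the server and restoring from clean backups.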
For hosting providers and their clients, the immediate priority is patching. cPanel released an emergency update on May 2, 2026, addressing the authentication bypass. Organizations should verify that all cPanel/WHM instances are updated, enforce multi‑factor authentication where possible, and conduct thorough scans for indicators of compromise. The broader market impact may include heightened scrutiny of third‑party control‑panel security and a potential shift toward alternative hosting solutions with more rigorous patch‑management practices. As exploitation continues, proactive defense and rapid response will be essential to limit financial loss and preserve trust in the web‑hosting ecosystem.