Widespread Exploitation of Critical cPanel Zero-Day Flaw (CVE-2026-41940) Leads to Mass Server Compromise and Ransomware Attacks

Critical cPanel Zero-Day (CVE-2026-41940) Actively Exploited, Over 40,000 Servers Compromised

CRITICAL
May 4, 2026
May 5, 2026
Vulnerability, Ransomware, Cyberattack

Impact Scope

People Affected

Over 40,000 servers compromised

Industries Affected

Technology, Other

Geographic Impact

United States, France, Netherlands (global)

Related Entities (initial)

Organizations

Other

Sorry Ransomware, WatchTowr, Google

CVE Identifiers

CVE-2026-41940
CRITICAL
CVSS: 9.8

Full Report (when first published)

Executive Summary

A critical zero-day vulnerability in cPanel & WebHost Manager (WHM), tracked as CVE-2026-41940, is being actively exploited in the wild. This authentication bypass flaw, rated CVSS 9.8, allows unauthenticated remote attackers to gain administrative access and fully compromise servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog. At its peak, over 44,000 servers were observed launching attacks, with many compromised systems being used to deploy the "Sorry" ransomware. Organizations using cPanel are urged to apply the available patches immediately to prevent a complete system takeover.


Vulnerability Details

  • CVE ID: CVE-2026-41940
  • CVSS Score: 9.8 (Critical)
  • Vulnerability Type: Authentication Bypass
  • Affected Software: cPanel & WHM versions after 11.40

The vulnerability allows an unauthenticated attacker to write arbitrary parameters to a session file by using special characters in an authorization header. By triggering a reload of this manipulated session file, the attacker can authenticate with the injected administrative credentials, effectively gaining root-level control over the server.

Evidence suggests exploitation began as a zero-day in late February 2026, with a massive spike in attacks following public disclosure on April 28, 2026. The Shadowserver Foundation reported observing up to 44,000 unique IPs from compromised cPanel devices scanning and exploiting the vulnerability.


Affected Systems

All versions of cPanel & WHM released after version 11.40 are vulnerable. Patches are available and must be applied immediately.

Patched Versions:

  • 11.86.0.41
  • 11.110.0.97
  • 11.118.0.63
  • 11.124.0.35
  • 11.126.0.54
  • 11.130.0.19
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5

Approximately 1.5 million cPanel instances are estimated to be internet-accessible, representing a massive attack surface. The majority of compromised systems are located in the United States, France, and the Netherlands.
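
The following Python check, added here and not cPanel's own tooling, compares an installed version against the patched releases listed above branch by branch. It treats the 11.40 branch as the last unaffected one (an assumption, since the advisory only says "after 11.40") and a branch with no listed fix as one that must move to a patched branch; the sample inventory is constructed.

```python
"""Check a cPanel & WHM version string against the patched releases listed in this
advisory for CVE-2026-41940 (added example, not cPanel tooling). The patched list is
the advisory's; the inventory at the bottom is constructed."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# One fixed release per supported branch (major.minor), as listed in the advisory.
PATCHED = ["11.86.0.41", "11.110.0.97", "11.118.0.63", "11.124.0.35", "11.126.0.54",
           "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5"]
# The advisory scopes the flaw to releases "after 11.40"; assumed here to mean the
# 11.40 branch itself is the last one out of scope.
LAST_UNAFFECTED_BRANCH = (11, 40)

def parse_version(text: str) -> Version:
    """Turn '11.130.0.19' into (11, 130, 0, 19) so releases compare numerically."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a cPanel version string: {text!r}")
    return tuple(int(part) for part in parts)

def patched_release_for(branch: Tuple[int, int]) -> Optional[Version]:
    """Fixed release on the same major.minor branch, if the advisory lists one."""
    for fixed in map(parse_version, PATCHED):
        if fixed[:2] == branch:
            return fixed
    return None

def assess(version: str) -> str:
    """Classify an installed release: not-affected, patched, vulnerable or unsupported-branch."""
    installed = parse_version(version)
    branch = installed[:2]
    if branch <= LAST_UNAFFECTED_BRANCH:
        return "not-affected"
    fixed = patched_release_for(branch)
    if fixed is None:
        # No fixed build on this branch: treat as vulnerable and move to a patched branch.
        return "unsupported-branch"
    return "patched" if installed >= fixed else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version reported by the server.
    inventory = {"web01": "11.130.0.19", "web02": "11.130.0.18",
                 "web03": "11.128.0.12", "legacy": "11.40.1.3"}
    for host, ver in inventory.items():
        print(f"{host:8} {ver:14} {assess(ver)}")
```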


Exploitation Status

The vulnerability is under active and widespread exploitation by multiple threat actors. The primary post-exploitation payload observed is the Sorry Ransomware, a Go-based Linux encryptor that appends a .sorry extension to encrypted files. The widespread nature of the attacks is evident from the large number of compromised websites being indexed by Google.

Impact Assessment

The impact of this vulnerability is catastrophic for affected organizations. A successful exploit grants attackers complete control over the web server, including all hosted websites, databases, and customer data. This can lead to:

  • Widespread Ransomware Deployment: Encrypting all data on the server and demanding a ransom.
  • Data Theft: Exfiltration of sensitive business and customer data from all hosted sites.
  • Website Defacement and Malware Hosting: Using the compromised server to host phishing pages, malware, or launch further attacks.
  • Reputational Damage: Significant loss of trust for hosting providers and their customers.

Given that many small businesses rely on cPanel hosting, the financial and operational impact could be devastating.


Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to identify exploitation attempts or compromise:

  • url_pattern (cpanel.* or whm.*): Monitor web server logs for requests containing unusual authorization headers targeting cPanel/WHM endpoints.
  • file_path (/var/cpanel/sessions/): Monitor for anomalous writes or modifications to session files in this directory.
  • file_name (*.sorry): The presence of files with the .sorry extension is a strong indicator of compromise by the associated ransomware.
  • process_name (cpaneld): Look for anomalous child processes spawned by the main cPanel daemon.

Detection Methods

  1. Vulnerability Scanning: Run authenticated and unauthenticated scans against servers to identify vulnerable cPanel & WHM versions.
  2. Log Analysis: Scrutinize web server access logs (e.g., /usr/local/cpanel/logs/access_log) for suspicious requests containing special characters in the Authorization header, especially those resulting in a 200 OK status for authentication endpoints.
  3. File Integrity Monitoring (FIM): Use FIM to monitor for the creation of files with the .sorry extension or unexpected changes to system binaries. This aligns with D3FEND's D3-FA - File Analysis.
  4. Network Traffic Analysis: Monitor for outbound connections from cPanel servers to known malicious IPs or unusual ports, which could indicate C2 communication or data exfiltration. This uses D3-NTA - Network Traffic Analysis.
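
As an added hunting example (not from the page's sources or from cPanel), the script below applies the log-analysis method to constructed JSON-lines request records. It assumes a WAF or reverse proxy in front of ports 2083/2087 that records the Authorization header, which a stock access log does not; it flags header values outside the Basic/Bearer token68 alphabet and escalates when an assumed login endpoint answered 200.

```python
"""Hunt for CVE-2026-41940 exploitation patterns in request logs (added example, not
cPanel tooling). Record shape is assumed: JSON lines from a WAF or reverse proxy in
front of ports 2083/2087 that include the Authorization header. Samples are constructed."""
import json
import re
from typing import Optional

CPANEL_PORTS = {2083, 2087}
HOST_RE = re.compile(r"(cpanel|whm)\.", re.I)          # url_pattern from the hunting hints
# Basic/Bearer credentials are one space plus the token68 alphabet; anything else is anomalous.
WELL_FORMED_AUTH = re.compile(r"(Basic|Bearer) [A-Za-z0-9+/=._~-]+")
AUTH_PATH_RE = re.compile(r"/login(/|$)", re.I)        # assumed login endpoint path

def targets_cpanel(rec: dict) -> bool:
    """Request is aimed at a cPanel/WHM interface by hostname or service port."""
    return rec.get("port") in CPANEL_PORTS or bool(HOST_RE.match(rec.get("host", "")))

def classify(rec: dict) -> Optional[str]:
    """Finding label for one record, or None when nothing stands out."""
    auth = rec.get("authorization")
    if not targets_cpanel(rec) or auth is None or WELL_FORMED_AUTH.fullmatch(auth):
        return None
    if AUTH_PATH_RE.search(rec.get("path", "")) and rec.get("status") == 200:
        return "malformed-authorization-success"      # auth endpoint accepted a malformed header
    return "malformed-authorization"

def hunt(lines) -> list:
    """Parse JSON-lines records; return (client_ip, path, finding) for every hit."""
    hits = []
    for line in filter(None, (ln.strip() for ln in lines)):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                                   # skip unparsable lines, keep hunting
        finding = classify(rec)
        if finding:
            hits.append((rec.get("client_ip"), rec.get("path"), finding))
    return hits

# Constructed sample records (not real traffic); records two and three carry malformed headers.
SAMPLE_LOG = """
{"client_ip":"203.0.113.10","host":"whm.example.net","port":2087,"path":"/login/","status":200,"authorization":"Basic ZGVtbzpkZW1v"}
{"client_ip":"203.0.113.20","host":"whm.example.net","port":2087,"path":"/login/","status":200,"authorization":"Basic ZGVtbzpkZW1v extra;tokens"}
{"client_ip":"203.0.113.30","host":"cpanel.example.net","port":2083,"path":"/","status":403,"authorization":"Basic\\tZm9v"}
{"client_ip":"203.0.113.40","host":"www.example.net","port":443,"path":"/login/","status":200,"authorization":"Basic a;b"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Hits on the success label deserve a session-file review under /var/cpanel/sessions/ before anything else, since that is where the advisory places the injected parameters.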

Remediation Steps

Immediate patching is the only effective remediation.

  1. Update Immediately: Update cPanel & WHM to one of the patched versions listed above. Use the /scripts/upcp command to force an update.
  2. Restrict Access: If patching is not immediately possible, restrict access to the cPanel/WHM interface (ports 2083, 2087) to trusted IP addresses only. This is a temporary mitigating control and not a substitute for patching.
  3. Incident Response: If compromise is suspected, isolate the server from the network, preserve logs and disk images for forensic analysis, and initiate your incident response plan. Assume all credentials, keys, and data on the server are compromised.
  4. Restore from Backup: If infected with ransomware, restore from clean, offline backups after rebuilding the server from a trusted image. This is a key part of D3FEND's D3-FR - File Restoration.

Timeline of Events

  1. February 1, 2026: Exploitation of CVE-2026-41940 likely began as a zero-day.
  2. April 28, 2026: The cPanel vulnerability was publicly disclosed.
  3. May 3, 2026: Reports indicate the number of compromised servers has dropped but remains substantial.
  4. May 4, 2026: This article was published.

Article Updates

May 5, 2026

Post-patch exploitation of CVE-2026-41940 intensifies; 'Sorry' ransomware now wipes backups. Attacks target MSPs and government entities, leading to an ACSC alert.

MITRE ATT&CK Mitigations

The most critical mitigation is to apply the security patches provided by cPanel immediately.

As a temporary measure, restrict access to cPanel/WHM management ports (2083, 2087) to trusted IP addresses at the network edge.

Audit (M1047, enterprise)

Implement continuous monitoring of web server and application logs to detect anomalous authentication attempts and other signs of exploitation.

Sources & References (when first published)

  • Over 40,000 Servers Compromised in Ongoing cPanel Exploitation. SecurityWeek (securityweek.com), May 4, 2026.
  • Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks. BleepingComputer (bleepingcomputer.com), May 2, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

cPanel, WHM, CVE-2026-41940, Zero-Day, Ransomware, Sorry Ransomware, Vulnerability, Patch Management
