Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks

Published: 2 May 2026 at 21:54:00

Alert date: 2 May 2026 at 22:01:04

Source: bleepingcomputer.com

Web Technologies, Zero-Day Vulnerabilities, Ransomware & Malware

A critical cPanel vulnerability tracked as CVE-2026-41940 is being actively mass-exploited in widespread ransomware attacks. The flaw is being leveraged to breach websites and deploy the 'Sorry' ransomware, encrypting victim data. This represents an active exploitation campaign targeting web hosting infrastructure through a newly disclosed cPanel security flaw.

Technical details

The flaw is a critical authentication bypass in cPanel and WHM that allows attackers to access control panels without proper authentication. The Sorry ransomware is a Go-based Linux encryptor that appends the '.sorry' extension to encrypted files. It encrypts files with the ChaCha20 stream cipher and protects the encryption key with an embedded RSA-2048 public key, so decryption requires the corresponding RSA-2048 private key. The ransomware creates a README.md ransom note in each encrypted folder with instructions to contact the attackers via Tox messenger.

Mitigation steps:

Immediately install the available security updates for cPanel and WHM to protect websites from ransomware attacks and data theft. Monitor for .sorry file extensions and README.md ransom notes. Check for unauthorized access to cPanel control panels.
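
One way to run the file-system part of that monitoring is sketched below. It is an added example, not code from Perceptive, BleepingComputer or cPanel. It uses the indicators listed in this advisory and assumes that the encryptor is a regular file with an execute bit set, that 64 MiB is a sufficient hashing cap, and that `/home` is the tree to scan.

```python
import hashlib
import os
import stat

# Indicators taken from the advisory text.
ENCRYPTED_EXT = ".sorry"
NOTE_NAME = "README.md"
ENCRYPTOR_SHA256 = "2fc0a056fd4eff5d31d06c103af3298d711f33dbcd5d122cae30b571ac511e5a"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, known_hashes=(ENCRYPTOR_SHA256,), max_hash_bytes=64 << 20):
    """Walk root; return (dirs holding .sorry files, paths matching a known hash)."""
    encrypted_dirs = {}
    hash_hits = []
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        locked = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        if locked:
            # README.md alone is common and benign; it only counts next to .sorry files.
            encrypted_dirs[dirpath] = {"files": len(locked), "note": NOTE_NAME in files}
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                # Assumption: the encryptor is a regular file with an execute bit set.
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                    continue
                if st.st_size <= max_hash_bytes and sha256_file(path) in known_hashes:
                    hash_hits.append(path)
            except OSError:
                continue  # unreadable, or removed while the scan was running
    return encrypted_dirs, hash_hits


if __name__ == "__main__":
    import sys
    dirs, hits = scan(sys.argv[1] if len(sys.argv) > 1 else "/home")  # assumed default
    for d, info in sorted(dirs.items()):
        print(f"{d}: {info['files']} {ENCRYPTED_EXT} file(s), ransom note: {info['note']}")
    for p in hits:
        print(f"hash match: {p}")
```

A directory reported with both `.sorry` files and a ransom note indicates encryption has already occurred there; a hash match without encrypted files points to a staged encryptor that has not yet run in that tree.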

Affected products:

cPanel
WHM (Web Host Manager)
Linux-based web hosting control panels

IOCs:

File extension: .sorry
Ransom note filename: README.md
Tox ID: 3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724
SHA256 hash: 2fc0a056fd4eff5d31d06c103af3298d711f33dbcd5d122cae30b571ac511e5a

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.