A ransomware campaign that locks web servers and drops a note reading simply “Sorry” has torn through the shared hosting industry since early 2026, exploiting a critical authentication bypass in cPanel and WHM, the control panel software that underpins millions of websites worldwide. On April 30, the U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog, confirming active attacks and giving federal civilian agencies until May 3 to patch or disconnect affected systems.
Threat intelligence firms tracking the campaign estimate that roughly 44,000 cPanel servers have already been encrypted, while approximately 1.5 million more remain publicly reachable and unpatched. Those figures, drawn from internet-wide scans using tools like Shodan and Censys, have not been confirmed by CISA or cPanel’s parent company and should be treated as approximations. But even conservative readings of the data point to one of the largest ransomware events targeting hosting infrastructure this year.
The vulnerability: CVE-2026-41940
The flaw is tracked as CVE-2026-41940 in the National Vulnerability Database. It is classified as an authentication bypass, meaning an attacker can sidestep normal login protections on cPanel and WHM without valid credentials. The NVD record, sourced through VulnCheck and CISA-ADP updates, includes both the vendor advisory and third-party technical analysis references. As of early June 2026, cPanel has not publicly disclosed which specific version numbers are vulnerable or confirmed a patch version number. The company’s vendor advisory, referenced in the NVD entry, is the only official guidance available, and it does not include details about cPanel’s overall market share or installed base.
What makes this particular bug so destructive is the architecture it targets. A single cPanel instance typically manages dozens to hundreds of websites for a shared hosting provider, handling domains, email accounts, databases, and file systems from one dashboard. Compromising that instance does not just affect one site; it can hand an attacker the keys to every account on the server. That multiplier effect explains why 44,000 compromised servers could translate into disruptions for a far larger number of individual websites and their owners.
CISA’s inclusion of CVE-2026-41940 in the KEV catalog is not a theoretical warning. The agency reserves that designation for vulnerabilities where it has confirmed real-world exploitation. Under Binding Operational Directive 22-01, federal civilian agencies face compliance consequences if they miss the May 3 remediation deadline. Neither CISA nor cPanel has issued a public statement elaborating on the scope of the campaign beyond what appears in the catalog entry and the vendor advisory.
The ‘Sorry’ ransomware campaign
The ransomware strain has been dubbed “Sorry” by incident responders, a name derived from the text of the ransom note left on encrypted servers, per incident response reports circulated within the hosting security community. Beyond that label, much about the malware remains unclear. No named incident response firm or government agency has published a detailed forensic breakdown covering the payload’s encryption method, its command-and-control infrastructure, or attribution to a specific threat actor group. Whether “Sorry” is a newly developed strain, a rebrand of an existing toolkit, or a commodity ransomware variant adapted for this campaign is still an open question as of early June 2026.
Specific ransom amounts demanded by the attackers have not been disclosed in any published incident response report or government advisory. Similarly, no hosting provider or security firm has published data on typical recovery timelines for affected servers. Site owners posting in web hosting forums and on social media describe finding their files encrypted and a ransom note in place of their websites, with control panel access either locked or rendered unusable. Some report that database contents, email archives, and backup directories stored on the same server were also encrypted, compounding the difficulty of restoration. These accounts, while anecdotal, are consistent with the type of damage an authentication bypass at the control panel level would enable.
Researchers estimate that exploitation began as early as February 2026, based on breach disclosure reports and honeypot data collected by private security vendors, though no named firm has published a full forensic timeline supporting that date. CISA’s catalog entry confirms that attacks are occurring; it does not specify when they started.
There is also no public accounting of which geographic regions or hosting providers have been hardest hit. Without that data, it is difficult to know whether the campaign is concentrated among smaller hosts running older, unpatched cPanel versions or spread broadly across the industry. No major hosting provider has publicly acknowledged being affected, though forum posts and social media threads from site owners describing locked servers and ransom demands suggest the impact extends well beyond a handful of operators.
Why the numbers are hard to pin down
Hosting infrastructure is notoriously difficult to census. cPanel instances can sit behind load balancers, run on private networks, or operate on non-standard ports that evade internet-wide scans. Any count derived from Shodan or Censys reflects what is visible from the public internet, not the full installed base. The 1.5 million figure for exposed servers is a useful indicator of scale, but it almost certainly undercounts some installations while potentially overcounting others that have already been patched or taken offline.
cPanel itself has not released a public statement quantifying the scope of infections, the percentage of its install base that has applied the fix, or the specific version numbers that are vulnerable versus patched. That silence leaves a gap that threat intelligence blogs and cybersecurity news outlets have filled with their own estimates. Their reporting is often well-sourced, but it is not subject to the same verification standards as government databases. Readers should keep that distinction in mind when evaluating specific numbers.
What administrators should do now
For anyone running cPanel and WHM in production, the first move is to check the installed version against the vendor advisory referenced in the NVD record and apply the patch immediately. If patching is not possible within hours, restrict access to WHM and cPanel management ports (typically 2086, 2087, 2082, and 2083) to trusted IP addresses only, and enable multi-factor authentication on every administrative account. NIST’s configuration baselines and SP 800-53 control catalog both recommend MFA and session integrity checks as standard countermeasures for authentication-class vulnerabilities like this one.
Next, review recent authentication logs. Because CVE-2026-41940 bypasses normal login protections, evidence of compromise may look like legitimate sessions originating from unfamiliar IP addresses or occurring at unusual hours. Correlating web server logs, SSH access records, and control panel activity can help surface anomalies that a single log source might miss.
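One way to start the log review described above, as an added example rather than anything from the article or from cPanel: parse access-log lines in Apache combined format (the format assumed here for /usr/local/cpanel/logs/access_log), ignore rejected requests, and flag successful requests that came from outside a trusted administrative range or outside expected hours. The trusted network, hours window and log lines are all constructed for the example.

```python
# Added triage example (not from the article): flag successful cPanel/WHM
# requests from untrusted sources or at unusual hours. Because the bypass
# produces sessions that look legitimate, a 200 status alone proves nothing;
# the source address and time of day are what separate them from normal use.
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

TRUSTED_NETS = [ip_network("203.0.113.0/24")]  # constructed admin range
WORK_HOURS = range(8, 19)                       # 08:00-18:59, log timezone

# Apache combined-style prefix; assumed to match the control panel's access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "user": m["user"], "ts": ts,
            "req": m["req"], "status": int(m["status"])}

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)

def flag_sessions(lines):
    """Return (ip, user, reason) for successful requests worth a closer look."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:
            continue  # unparsable, or the request was rejected anyway
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted source")
        if rec["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append((rec["ip"], rec["user"], ", ".join(reasons)))
    return findings

# Constructed sample: one normal admin call, one failed login, two to inspect.
SAMPLE_LOG = [
    '203.0.113.10 - root [30/Apr/2026:09:15:02 +0000] "GET /json-api/listaccts HTTP/1.1" 200 512',
    '198.51.100.77 - - [30/Apr/2026:03:40:55 +0000] "POST /login/ HTTP/1.1" 401 0',
    '198.51.100.77 - root [30/Apr/2026:03:41:19 +0000] "GET /json-api/listaccts HTTP/1.1" 200 512',
    '203.0.113.10 - root [30/Apr/2026:23:05:40 +0000] "POST /json-api/listpkgs HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, user, why in flag_sessions(SAMPLE_LOG):
        print(f"{ip} {user}: {why}")
```

Correlating these findings against SSH logins and web server logs from the same window, as the article suggests, is what turns a flagged line into evidence.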
Backups deserve immediate attention as well. Systems with recent, offline backups of both website files and databases are far better positioned to recover without paying a ransom. But a backup job that is running is not the same as a backup that is restorable. Hosting providers should test recovery on non-production systems now, before they need it under pressure. If attackers have already gained access to a cPanel instance, they may attempt to delete or corrupt backup jobs, so verifying backup integrity is not optional.
Finally, this incident is a concrete reason to reassess how much trust organizations place in centralized management tools. cPanel and WHM are attractive targets precisely because they aggregate administrative control over large numbers of sites. Segmenting management interfaces onto isolated networks, enforcing strict access controls, and monitoring for configuration drift can all shrink the blast radius when the next authentication bypass surfaces.
Why the three-day federal patch deadline matters for private hosts
The confirmed facts are already severe: a widely deployed hosting platform has an actively exploited authentication flaw, the federal government considered the risk urgent enough to impose a three-day patch deadline under BOD 22-01, and tens of thousands of servers have reportedly been encrypted. The unconfirmed details, including precise server counts, the ransomware’s lineage, and the campaign’s true start date, will likely sharpen as incident response firms publish fuller analyses in the weeks ahead.
For administrators, waiting for those details is not a viable strategy. The remediation window CISA set has already closed for federal agencies. For everyone else running cPanel, the math is simple: every day an unpatched instance stays online is another day it can be found, exploited, and locked with a note that says “Sorry.”
*This article was researched with the help of AI, with human editors creating the final content.