Morning Overview

‘Sorry’ ransomware encrypted 44,000 servers after cPanel authentication bypass went unpatched for months

Tens of thousands of web servers running cPanel, one of the most widely used hosting control panels in the world, have been hit by a ransomware campaign that security researchers say exploited a glaring flaw: the software let attackers access privileged functions without ever logging in.

The vulnerability, tracked as CVE-2026-41940, is classified as a missing-authentication bug in WebPros cPanel, WHM, and WP2. It means that critical operations, such as creating new accounts or changing server configurations, could be triggered by anyone who knew where to send a request. No username. No password. No multi-factor prompt. Just an open door.

The U.S. Cybersecurity and Infrastructure Security Agency confirmed the flaw is being exploited in active attacks and added it to the agency’s Known Exploited Vulnerabilities catalog. Under Binding Operational Directive 22-01, federal civilian agencies must apply the vendor’s patch or stop using the product entirely by May 3, 2026.

Security researchers and incident responders have linked the exploitation wave to a ransomware strain called “Sorry,” estimating that roughly 44,000 servers were encrypted before widespread patching began. “We started seeing the ‘Sorry’ ransom notes across client environments in early May, and the volume was unlike anything we had tracked on Linux hosting infrastructure before,” said Alden Walder, a senior threat analyst at watchTowr. Those figures circulate in threat-intelligence reports and hosting-community forums but have not been independently confirmed by CISA, the FBI, or the National Institute of Standards and Technology. The actual number of victims could be higher or lower, depending on how many operators patched quietly and how many still do not realize they were compromised.

A patch gap measured in months

What makes this incident particularly damaging is the timeline. According to researchers at the security firm watchTowr, whose technical analysis is referenced in the NVD record, the vulnerability was known in private disclosure channels well before CISA’s public listing. WebPros, the company behind cPanel, has not released a public statement detailing when it first learned of the flaw, when a fix became available, or why the window between discovery and broad patching stretched as long as it did. As of late May 2026, the company has not responded to requests for comment from multiple security publications.

That silence leaves a gap in the public record. Researchers who tracked the exploitation say attackers had a runway of several months to scan for vulnerable servers, deploy the “Sorry” payload, and encrypt data before most hosting providers applied the fix. For shared hosting environments, where a single cPanel instance can manage hundreds or thousands of websites, one compromised server meant every site on it was at risk.

“We submitted a patch request to our provider in May and were told they were still evaluating the update,” said Rina Castillo, who manages a portfolio of e-commerce sites hosted on a shared cPanel server. “By the time they applied it, three of our client stores were already encrypted.”

What “Sorry” ransomware actually does

The “Sorry” strain targets Linux-based hosting infrastructure, a niche that sets it apart from the Windows-focused ransomware families that dominate headlines. Victims have reported finding encrypted files with altered extensions and ransom notes directing them to Tor-based payment portals. Screenshots of those notes, shared across hosting forums and social media, show demands that vary in size, suggesting the operators may tailor ransom amounts to the perceived value of the data they lock.

Formal malware analysis tying CVE-2026-41940 exploitation specifically to “Sorry,” rather than to other Linux-targeting ransomware families, has not appeared in any public government advisory reviewed for this report. CISA’s catalog confirms active exploitation of the vulnerability but does not name a malware family. The attribution to “Sorry” rests on incident-response case work and community reporting, not on a published forensic teardown from a government agency.

Scale is hard to pin down

cPanel holds a significant share of the global shared-hosting market. Millions of servers run the software, from small resellers operating a single box to large data-center operators managing thousands. That footprint means even a modest exploitation rate translates into a large absolute number of affected sites.

The 44,000-server estimate originates from scan data and victim reports aggregated by incident-response firms and hosting-community contributors. No single authoritative body has validated the count. Whether the attacks hit certain regions or industries harder than others is also undocumented in any primary source. Hosting providers in markets where patching cycles tend to lag, whether because of resource constraints, language barriers, or regulatory differences, may have been disproportionately exposed, but that remains speculative without hard data.

A CISA spokesperson, responding to questions about the scope of exploitation, said in late May 2026: “CISA urges all organizations using affected cPanel versions to apply available patches immediately. We continue to work with sector partners to assess the full impact of CVE-2026-41940 exploitation.”

What administrators should do right now

The remediation path is clear, even if the full scope of the damage is not.

Patch immediately. Check every cPanel, WHM, and WP2 installation against the affected version ranges listed in the NVD entry, and do not assume automatic updates have already taken care of it: verify the installed version on each host. If your software falls within those ranges, apply the vendor’s update now. If no patch is available for your configuration, follow any temporary mitigation steps in the advisory or take the system offline until one is.

Automate discovery. Large hosting operations should feed the NVD’s Common Platform Enumeration data into vulnerability scanners and configuration-management tools. Manual checks miss servers, especially in environments that grow or change quickly.
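The version-range check behind those two steps, as an added example (this is not WebPros or NVD code). It reads CPE match entries in the shape an NVD 2.0 API record uses under `configurations[].nodes[].cpeMatch` and flags inventory hosts that fall inside a vulnerable range. The version bounds in `CPE_MATCHES` and the hosts in `INVENTORY` are constructed placeholders, not the real affected ranges for CVE-2026-41940; substitute the ranges from the actual NVD entry. The example handles both bounded ranges and exact-version CPE strings, which is slightly more general than what the text describes.

```python
"""Version-range triage for cPanel/WHM hosts.

Added example, not WebPros or NVD code.  CPE_MATCHES mirrors the
`configurations[].nodes[].cpeMatch` shape of an NVD 2.0 API record, but
its version bounds are CONSTRUCTED placeholders; substitute the ranges
from the real NVD entry for CVE-2026-41940.  INVENTORY is constructed too.
"""

# Placeholder ranges (NOT the real affected versions).
CPE_MATCHES = [
    {"vulnerable": True,
     "criteria": "cpe:2.3:a:webpros:cpanel:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "11.110.0.0",
     "versionEndExcluding": "11.110.0.99"},
    {"vulnerable": True,
     "criteria": "cpe:2.3:a:webpros:cpanel:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "11.118.0.0",
     "versionEndExcluding": "11.118.0.50"},
    # An exact-version entry: the version sits in the CPE string itself.
    {"vulnerable": True,
     "criteria": "cpe:2.3:a:webpros:cpanel:11.120.0.1:*:*:*:*:*:*:*"},
]

# Constructed host inventory: hostname -> (vendor:product, installed version).
# On a live cPanel host the installed version is the content of
# /usr/local/cpanel/version; collect it with your config-management tool.
INVENTORY = {
    "web01": ("webpros:cpanel", "11.110.0.5"),
    "web02": ("webpros:cpanel", "11.118.0.50"),
    "web03": ("webpros:cpanel", "11.118.0.3"),
    "web04": ("webpros:cpanel", "11.120.0.1"),
}


def parse_version(v):
    """'11.110.0.5' -> (11, 110, 0, 5).  Non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def cpe_fields(criteria):
    """Return (vendor:product, version) from a CPE 2.3 formatted string."""
    f = criteria.split(":")
    return f"{f[3]}:{f[4]}", f[5]


def in_range(v, m):
    """Apply the four optional NVD bound keys to parsed version tuple v."""
    if "versionStartIncluding" in m and v < parse_version(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and v <= parse_version(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and v > parse_version(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= parse_version(m["versionEndExcluding"]):
        return False
    return True


def is_affected(version, product, matches=CPE_MATCHES):
    """True if `version` of `product` ('vendor:product') hits any vulnerable match."""
    v = parse_version(version)
    for m in matches:
        if not m.get("vulnerable", False):
            continue
        prod, cpe_ver = cpe_fields(m["criteria"])
        if prod != product:
            continue
        if cpe_ver not in ("*", "-"):        # exact version pinned in the CPE
            if v == parse_version(cpe_ver):
                return True
            continue
        if in_range(v, m):
            return True
    return False


def triage(inventory, matches=CPE_MATCHES):
    """Hostnames that need patching, sorted for stable output."""
    return sorted(h for h, (prod, ver) in inventory.items()
                  if is_affected(ver, prod, matches))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"PATCH NEEDED: {host} runs {INVENTORY[host][1]}")
```

Feed it the real `cpeMatch` list from the NVD record and a version inventory pulled by your configuration-management tool, and the output is the patch list. Note that an exclusive upper bound means the first fixed version is not flagged, so read `versionEndExcluding` as "fixed in".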

Hunt for signs of compromise. Review access logs around the vulnerable endpoints described in the watchTowr analysis. Look for unauthenticated requests that triggered administrative actions, and compare the server’s account list against your provisioning records: since account creation was one of the exposed operations, an account nobody on your team created is a direct indicator. If you find either, treat the server as compromised and begin incident-response procedures rather than simply patching over it.
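A log-hunting pass of the kind described above, as an added example (not cPanel’s or watchTowr’s code). It assumes the access log is in Apache combined format (remote IP, ident, authenticated user, timestamp, request line, status, bytes, referer, user agent), which is close to how cpsrvd writes its access log, but confirm that against a few lines of your own log before trusting the parser. `ADMIN_PREFIXES` is a generic watchlist of WHM API path prefixes chosen only so the example runs; replace it with the endpoints named in the advisory or the watchTowr analysis. `SAMPLE_LOG` is constructed data using documentation IP ranges.

```python
"""Hunt for unauthenticated calls to administrative endpoints in a cPanel/WHM
access log.  Added example, not cPanel's or watchTowr's code.

ASSUMPTIONS: the log is in Apache combined-log format (remote IP, ident,
authenticated user, [timestamp], "request line", status, bytes, ...);
cpsrvd's /usr/local/cpanel/logs/access_log is close to this, but verify
against your own lines first.  ADMIN_PREFIXES is a generic watchlist, not
the endpoints from the advisory; replace it with the paths named in the
watchTowr analysis.  SAMPLE_LOG is constructed data.
"""
import re
import sys

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# Authenticated WHM/cPanel session URLs carry a /cpsessNNNN/ token segment;
# strip it so prefix matching works on session and non-session URLs alike.
CPSESS_RE = re.compile(r'^/cpsess\d+')

# ASSUMPTION: generic WHM API / script prefixes, used only so the example runs.
ADMIN_PREFIXES = ("/json-api/", "/xml-api/", "/scripts/")

# Constructed log lines; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2026:03:14:07 +0000] "POST /json-api/createacct?username=newuser HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:03:14:09 +0000] "GET /json-api/listaccts HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.20 - root [02/May/2026:08:00:01 +0000] "GET /cpsess1234567890/json-api/listaccts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [02/May/2026:09:22:45 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [02/May/2026:10:05:12 +0000] "POST /json-api/createacct HTTP/1.1" 401 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = CPSESS_RE.sub("", rec["path"].split("?", 1)[0])
    return rec


def is_suspicious(rec, prefixes=ADMIN_PREFIXES):
    """Unauthenticated request (no user in the log) to an administrative path.
    Every status is reported: a 2xx means the action went through, a 4xx still
    shows someone probing for the bug."""
    return rec["user"] == "-" and rec["path"].startswith(prefixes)


def hunt(lines, prefixes=ADMIN_PREFIXES):
    """Suspicious records in log order, each tagged with whether it succeeded."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec, prefixes):
            rec["succeeded"] = 200 <= rec["status"] < 300
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-source-IP counts: how many admin calls were attempted and succeeded."""
    summary = {}
    for r in hits:
        s = summary.setdefault(r["ip"], {"attempted": 0, "succeeded": 0})
        s["attempted"] += 1
        s["succeeded"] += int(r["succeeded"])
    return summary


if __name__ == "__main__":
    # Usage: python hunt_cpanel.py /usr/local/cpanel/logs/access_log
    log_path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(log_path).read().splitlines() if log_path else SAMPLE_LOG.splitlines()
    hits = hunt(lines)
    for r in hits:
        tag = "EXECUTED" if r["succeeded"] else "attempted"
        print(f"{tag:9} {r['ip']:15} {r['method']} {r['path']} -> {r['status']} [{r['ts']}]")
    for ip, s in summarize(hits).items():
        print(f"{ip}: {s['attempted']} attempted, {s['succeeded']} executed")
```

On the constructed sample this separates the authenticated `root` session from the two unauthenticated calls that returned 200 (the ones that matter) and the single 401 probe. A successful unauthenticated call to an account-creation endpoint is the point at which to stop treating the host as merely unpatched and start treating it as compromised; cross-check any such hit against the accounts that exist on the box.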

Test your backups. Offline or immutable backups are the most reliable recovery path after a ransomware attack; copies that were mounted on, or reachable with credentials stored on, a compromised server may have been encrypted along with it. If you have not tested a full restoration recently, do it now, before you need it under pressure.

Tell your customers. Hosting providers owe their downstream site owners a clear account of whether infrastructure was vulnerable, whether it has been patched, and whether any suspicious activity was detected. Silence erodes trust faster than bad news delivered honestly.

Unpatched cPanel servers remain open targets beyond the federal deadline

CISA’s May 3 cutoff binds federal agencies, but it should function as a signal flare for everyone else. Attackers who mapped vulnerable cPanel servers during the months-long patch gap are unlikely to stop scanning just because a government deadline passed. Unpatched systems will remain targets for “Sorry” operators and for any other threat group that picks up the same exploit.

The official record, as of late May 2026, is unambiguous on the core facts: CVE-2026-41940 is real, it is being exploited, and the fix is available. The open questions about exact victim counts and definitive attribution matter for researchers and prosecutors, but they should not slow down anyone responsible for keeping a cPanel server running. Patch first. Investigate second. The answers to the remaining questions will come; the window to prevent further damage is closing now.


*This article was researched with the help of AI, with human editors creating the final content.