Sorry Ransomware Hits 44,000 cPanel Servers via CVE-2026-41940
Go-based Sorry ransomware exploits cPanel auth bypass CVE-2026-41940, encrypting files with ChaCha20/RSA-2048. 44,000+ IPs compromised as attackers demand Tox ransom.
The cPanel authentication bypass we covered last week is now fueling mass ransomware attacks. Shadowserver reports at least 44,000 IP addresses running cPanel have been compromised in an ongoing campaign deploying a Go-based Linux encryptor dubbed "Sorry" ransomware.
The 2026 .sorry campaign focuses exclusively on Linux servers running cPanel and WHM—infrastructure that powers an estimated 70 million domains globally. When a single server falls, dozens or hundreds of websites, databases, and customer portals get encrypted simultaneously.
How the Attack Works
Attackers exploit CVE-2026-41940, the critical CVSS 9.8 authentication bypass in cPanel that allows unauthenticated remote access through CRLF injection in the login flow. watchTowr researchers confirmed exploitation was happening in the wild before the public advisory dropped on April 28.
Once inside, attackers deploy the Sorry encryptor, which uses ChaCha20 stream cipher with keys protected by an embedded RSA-2048 public key. Security researchers analyzing the malware confirm decryption is impossible without the corresponding RSA private key held by the attackers.
Encrypted files receive the ".sorry" extension appended to their original names, transforming index.php into index.php.sorry and rendering entire websites inaccessible.
Ransom Demands Use Tox Messenger
Unlike earlier ransomware variants that relied on centralized Telegram bots for victim communication—which platform administrators can ban—the 2026 Sorry campaign demands victims download qTox, a peer-to-peer, end-to-end encrypted messaging application requiring no central servers.
Each compromised folder receives a README.md ransom note directing victims to contact the threat actor via a single shared Tox ID. The ransom amount is not specified in the note; negotiation occurs through Tox communication. This approach makes law enforcement disruption substantially harder than campaigns using centralized infrastructure.
Hundreds of compromised websites are now indexed in Google search results using the Tox ID as a search parameter, providing an indirect indicator of the attack's scope beyond Shadowserver's confirmed 44,000 IP count.
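The two on-disk indicators the article describes, files renamed with a ".sorry" suffix and a README.md ransom note carrying the shared Tox ID, are easy to sweep for. The scanner below is an added example, not code from the article or from any vendor, and it makes two assumptions the article does not state: that a Tox ID is the protocol's documented 76-hex-character form (32-byte key, 4-byte nospam, 2-byte checksum), and that a README.md only counts as a ransom note when it contains such an ID, so ordinary project readmes are not flagged. The sample tree it scans is constructed inline; on a real host you would point scan_tree at the account directories (for a stock cPanel install, /home, which is an assumption here, not something the article specifies).

```python
"""Sweep a directory tree for Sorry-ransomware artifacts: ".sorry" files and
README.md notes containing a Tox ID.  Added example; not from the article."""
import os
import re
import tempfile
from collections import Counter

# Assumption: Tox IDs are 76 hex chars (32-byte key + 4-byte nospam + 2-byte checksum).
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
RANSOM_NOTE_NAME = "README.md"   # note filename described in the article
ENCRYPTED_SUFFIX = ".sorry"      # extension described in the article


def scan_tree(root):
    """Walk `root`; return encrypted paths, ransom-note paths and a Tox-ID tally."""
    encrypted, notes, tox_ids = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif name == RANSOM_NOTE_NAME:
                try:
                    with open(path, errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue          # unreadable file: skip rather than abort the sweep
                ids = TOX_ID_RE.findall(text)
                if ids:               # a README.md without a Tox ID is just a readme
                    notes.append(path)
                    tox_ids.update(i.upper() for i in ids)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "tox_ids": tox_ids}


def build_fixture(root):
    """Create a constructed sample tree that mimics one hit account (not real data)."""
    fake_tox = "AB" * 38   # 76 hex chars; constructed placeholder, not a real Tox ID
    layout = {
        "public_html/index.php.sorry": b"\x00garbage",
        "public_html/README.md": f"Sorry. Contact us on Tox: {fake_tox}\n",
        "public_html/wp-content/uploads/logo.png.sorry": b"\x00",
        "public_html/wp-content/README.md": f"Sorry. Tox: {fake_tox}\n",
        "repo/README.md": "# my project\nNormal readme, no Tox ID here.\n",
        "repo/main.go": "package main\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed fixture and return a count summary."""
    with tempfile.TemporaryDirectory() as tmp:
        result = scan_tree(build_fixture(tmp))
        return {
            "encrypted_files": len(result["encrypted"]),
            "ransom_notes": len(result["notes"]),
            "distinct_tox_ids": len(result["tox_ids"]),
        }


if __name__ == "__main__":
    print(demo())   # {'encrypted_files': 2, 'ransom_notes': 2, 'distinct_tox_ids': 1}
```

The Tox-ID tally is the useful output for a hosting provider: one ID appearing across many accounts ties them to the same campaign, and a second ID is a signal that something other than this campaign is also on the box.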
Timeline and Exploitation Window
The vulnerability existed in cPanel for an unknown period before WebPros International published a security advisory on April 28 and released patches hours later. However, attackers had been actively exploiting CVE-2026-41940 since at least February 23, 2026—two months before public disclosure.
This extended exploitation window explains the rapid mass-compromise following disclosure. Threat actors already had working exploits and operational infrastructure; the public advisory simply accelerated their timeline.
CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, setting a May 3, 2026 deadline for federal agencies to patch—the same day Shadowserver reported the 44,000+ compromises.
Who's Affected
Any organization running unpatched cPanel or WHM versions prior to the April 28 security update is vulnerable. The attack surface is enormous: cPanel dominates the shared hosting market, meaning a successful attack on a single hosting provider can impact thousands of customers simultaneously.
Hosting providers including Namecheap and InMotion temporarily blocked access to control panel ports as a precaution during the initial disclosure period. Organizations that delayed patching or run self-managed cPanel installations face the highest risk.
Defensive Actions
Organizations running cPanel should make sure the security update is installed by running /scripts/upcp --force and then confirm that the installed build is one of the patched versions below:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
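The list above is one minimum build per release branch, so a correct check has to compare within the branch rather than against a single number. The script below is an added example, not the article's or cPanel's own tooling; the patched builds are the six the article lists, and it assumes that /usr/local/cpanel/version holds the running build as a dotted string such as 11.110.0.97 (that file exists on cPanel hosts; reading it is this example's choice) and that any later build on the same branch carries the fix.

```python
"""Report whether a cPanel/WHM build is at or above the patched release for its
branch.  Added example; patched builds are from the article, the rest is assumed."""
from pathlib import Path

# Minimum patched build per branch, as listed in the article.
PATCHED = {
    "11.110": (11, 110, 0, 97),
    "11.118": (11, 118, 0, 63),
    "11.126": (11, 126, 0, 54),
    "11.132": (11, 132, 0, 29),
    "11.134": (11, 134, 0, 20),
    "11.136": (11, 136, 0, 5),
}
# Assumption: the running build is stored here as a dotted string.
VERSION_FILE = Path("/usr/local/cpanel/version")


def parse_version(text):
    """Turn '11.110.0.97' into (11, 110, 0, 97); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return (status, detail); status is 'patched', 'vulnerable' or 'unknown-branch'.

    Branches absent from the article's list get 'unknown-branch' rather than a
    guess, since no fixed build is listed for them.
    """
    v = parse_version(version_text)
    shown = version_text.strip()
    floor = PATCHED.get(f"{v[0]}.{v[1]}")
    if floor is None:
        return "unknown-branch", f"{shown} is not on a branch with a listed fix"
    floor_str = ".".join(map(str, floor))
    if v >= floor:   # tuple comparison: later builds on the branch are assumed fixed
        return "patched", f"{shown} >= {floor_str}"
    return "vulnerable", f"{shown} < {floor_str}"


def assess_host(version_file=VERSION_FILE):
    """Read the live version file and assess it; an unreadable file is reported, not guessed."""
    try:
        return assess(version_file.read_text())
    except OSError as exc:
        return "unknown-branch", f"cannot read {version_file}: {exc}"


if __name__ == "__main__":
    status, detail = assess_host()
    print(f"{status}: {detail}")
    raise SystemExit(0 if status == "patched" else 1)
```

The non-zero exit on anything but "patched" lets the script sit in a fleet-wide cron or configuration-management run, where an unreadable version file or an unlisted branch should surface as a failure to investigate rather than silently pass.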
For servers already compromised, recovery depends on backup availability. The ChaCha20/RSA-2048 encryption scheme offers no realistic decryption path without paying the ransom or obtaining the private key through law enforcement action.
Why This Matters
This campaign demonstrates how critical infrastructure vulnerabilities cascade into mass-impact events. cPanel's market dominance means a single CVE can affect millions of websites. The two-month exploitation window before disclosure gave attackers ample time to build infrastructure and refine tactics.
For organizations relying on shared hosting, this is a reminder that your security posture depends on your provider's patch management. Hosting providers running cPanel should audit for indicators of compromise even after patching—the attackers had months of head start.
The shift to Tox for ransom communication signals ransomware operators adapting to law enforcement pressure on centralized communication channels. Expect similar decentralized approaches in future campaigns.