cPanel auth bypass CVE-2026-41940 fuels mass 'Sorry' ransomware campaign
Original source: BleepingComputer, "Critical cPanel flaw mass-exploited in 'Sorry' ransomware attacks"

An emergency patch this week addressed CVE-2026-41940, a critical authentication bypass in WHM and cPanel that grants unauthenticated attackers access to the hosting control panels. Exploitation predates the disclosure: telemetry traces zero-day activity back to late February, and Shadowserver now counts roughly 44,000 compromised cPanel-hosting IPs.
Since Thursday, attackers have been chaining the flaw to drop a Go-based Linux encryptor branded ‘Sorry,’ which appends a .sorry extension and leaves a README.md ransom note pointing victims to a Tox contact. The malware uses ChaCha20 for file encryption with the per-victim key wrapped under an embedded RSA-2048 public key, leaving no path to recovery without the operator’s private key. Hundreds of victim sites are already indexed in Google search results.
The campaign is unrelated to a 2018 HiddenTear-based ‘.sorry’ family despite the shared extension. Hosts running WHM or cPanel should patch immediately and audit for signs of compromise, as exploitation volume is expected to keep climbing while unpatched servers remain exposed.
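As an added triage example (not code from the article, from BleepingComputer, or from cPanel), the scanner below walks a hosting tree for the two file-level indicators named above: files carrying the .sorry extension and a README.md note that points to a Tox contact. The note wording and the 76-hex-character Tox ID pattern it matches are assumptions, since the article does not describe the note's contents; the sample tree is constructed.

```python
"""Triage helper for the file-level indicators the article names (.sorry files,
README.md note with a Tox contact). Added example, not the article's or cPanel's
own tooling; note wording and Tox-ID format are assumptions, not from the page."""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".sorry"
# Tox IDs are 76 hex chars; that the note embeds one verbatim is an assumption
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")

def looks_like_ransom_note(path: Path) -> bool:
    """README.md counts as a note if it mentions Tox or holds a Tox-ID-shaped token."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return "tox" in text.lower() or TOX_ID_RE.search(text) is not None

def scan_for_sorry_indicators(root) -> dict:
    """Walk root; return encrypted files, suspected notes and per-directory counts."""
    encrypted, notes, per_dir = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(str(path))
                per_dir[dirpath] = per_dir.get(dirpath, 0) + 1
            elif name == "README.md" and looks_like_ransom_note(path):
                notes.append(str(path))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "per_dir": per_dir, "hit": bool(encrypted or notes)}

def build_sample_tree(base) -> Path:
    """Constructed sample tree: one hit docroot beside a clean one (not real data)."""
    hit = Path(base) / "home" / "site1" / "public_html"
    hit.mkdir(parents=True)
    (hit / "index.php.sorry").write_bytes(b"\x00opaque ciphertext")
    (hit / "wp-config.php.sorry").write_bytes(b"\x00opaque ciphertext")
    (hit / "README.md").write_text("Your files are encrypted. Tox: " + "AB" * 38)
    clean = Path(base) / "home" / "site2" / "public_html"
    clean.mkdir(parents=True)
    (clean / "README.md").write_text("# My project\nBuild with make.\n")
    return Path(base)

def run_demo() -> dict:
    """Scan the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_sorry_indicators(build_sample_tree(tmp))
```

On a real host, point `scan_for_sorry_indicators` at the account home directories and treat any directory with a non-zero `per_dir` count as a candidate for isolation and further forensic review.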
This is an AI-generated summary of the BleepingComputer article; read the original for the full story.