
Critical cPanel Ransomware Attack: CVE-2026-41940 Patch Guide


Hoplon InfoSec

03 May, 2026

Critical cPanel Ransomware Attack 2026: CVE-2026-41940 Is Actively Destroying Websites Right Now


Is Your Website Safe From the cPanel Ransomware Attack Happening Right Now?

As of early May 2026, the answer for tens of thousands of server owners is simply: no.

A critical authentication bypass vulnerability in cPanel and WHM, officially tracked as CVE-2026-41940, is being mass-exploited right now.

Threat actors are using it to deploy a ransomware strain called "Sorry" across vulnerable Linux web servers at a speed that is genuinely alarming. According to Shadowserver, more than 44,000 compromised cPanel IP addresses have already been reported, and that number is growing.

If you run a website on cPanel, or if your hosting provider relies on WHM to manage your server, this is not a theoretical risk. Attacks are confirmed, live, and escalating. The window to act is open right now, but it will not stay open forever.

This article covers everything you need: what the vulnerability is, how the ransomware works, how to patch your server today, and what your options are if you have already been hit.


What is CVE-2026-41940 and Why Does It Score 9.8 Out of 10?

The cPanel CRLF injection vulnerability at the center of this crisis has a CVSS score of 9.8, which places it firmly in critical territory. That score reflects two things: how easy the flaw is to trigger and how much damage follows once it is exploited.

CVE-2026-41940 quick facts:

• CVSS Score: 9.8 (Critical)

• Software affected: cPanel & WHM, versions 11.40 and later

• Attack type: CRLF injection for remote access without authentication

• Exploitation status: Confirmed mass exploitation active

• CISA listing: Added to the Known Exploited Vulnerabilities Catalog

• Patch available: Yes, released 28 April 2026


Here is what the attack does:

When a login request arrives, cPanel writes whatever is in the password field into a server-side session file before it checks whether the password is correct.

That is the flaw. An attacker can slip line-break characters (carriage return and line feed, hence "CRLF") into the password field, and cPanel does not strip them out.

The injected data lands inside the session file as if it were a line of its own. Through a second crafted request, it is promoted into the session cache, the part of the system that tracks active logins.

Once that happens, cPanel treats the session as already authenticated. It skips password verification completely, and the attacker walks straight in.

No brute force. No stolen credentials. No phishing campaigns. Two malformed HTTP requests, and they own your control panel. This is what makes the exploit so dangerous: the bar to entry is extraordinarily low.
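The mechanism above, as an added illustration written for this article rather than cPanel's code or the researchers' proof of concept: a toy login handler that writes a line-oriented session file before checking the password, the lookup that a later request trusts, and a hardened handler beside it. The key=value layout, the field names, the user table and the function names are all invented for the model.

```python
"""Toy model of the bug class described above. Not cPanel's code: the
key=value session layout, field names, user table and function names are
invented. It shows (1) a login that writes the raw password to a session
file before checking it, (2) a lookup that later trusts that file, and
(3) a hardened login beside it."""
import hashlib
import hmac

# Constructed user table: username -> SHA-256 of the password. Demo only;
# a real system stores a salted, slow password hash.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# In-memory stand-in for the server-side session directory: id -> file text.
SESSION_STORE = {}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    if expected is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, given)


def get_field(text: str, key: str):
    """Lookup-style parser: value of the FIRST 'key=' line, or None.
    An injected line that precedes the genuine one therefore wins."""
    prefix = key + "="
    for line in text.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


def login_vulnerable(session_id: str, user: str, password: str) -> None:
    """The flaw as the article describes it: the raw password is written to
    the session file BEFORE verification and CR/LF are not stripped, so a
    password of 'x\\nauthenticated=1' becomes a line of its own."""
    SESSION_STORE[session_id] = (
        f"user={user}\n"
        f"password_attempt={password}\n"
        "authenticated=0\n"
    )
    if check_password(user, password):
        SESSION_STORE[session_id] = SESSION_STORE[session_id].replace(
            "authenticated=0", "authenticated=1")


def is_authenticated(session_id: str) -> bool:
    """What the next request sees: the session cache trusts the file."""
    return get_field(SESSION_STORE.get(session_id, ""), "authenticated") == "1"


def has_control_chars(value: str) -> bool:
    # Reject every C0 control and DEL, not only CR and LF: any record or
    # field separator the file format recognises is equally dangerous.
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def login_hardened(session_id: str, user: str, password: str) -> bool:
    """Three fixes together: refuse control characters in both fields,
    verify the password BEFORE anything is persisted, and never write the
    password attempt to disk at all."""
    if has_control_chars(user) or has_control_chars(password):
        SESSION_STORE.pop(session_id, None)  # persist nothing attacker-shaped
        return False
    ok = check_password(user, password)
    SESSION_STORE[session_id] = f"user={user}\nauthenticated={int(ok)}\n"
    return ok


if __name__ == "__main__":
    login_vulnerable("attacker", "alice", "wrong\nauthenticated=1")
    print("vulnerable path, wrong password + CRLF:", is_authenticated("attacker"))
    login_hardened("attacker2", "alice", "wrong\nauthenticated=1")
    print("hardened path, same input:", is_authenticated("attacker2"))
```

The vulnerable path is wrong in three independent ways, and each one on its own would have been enough to block this class of bug: it persists untrusted input before validating it, it persists the secret at all, and it lets field content carry the file's own record separator. The hardened version fixes all three rather than only filtering CR and LF.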


How Long Has This Been Happening? The Timeline Is Worse Than You Think

This is where the story gets unsettling. Most people assumed this was a new attack. It is not.

The exploitation timeline:

  • February 23, 2026: Earliest confirmed exploitation attempts (KnownHost CEO, Reddit)
  • Late February to April 2026: Silent zero-day exploitation, no public disclosure
  • April 28, 2026: cPanel releases emergency patch after hosting providers report active attacks
  • April 30, 2026: watchTowr publishes full technical breakdown, PoC becomes available
  • May 1, 2026: CISA adds CVE-2026-41940 to the KEV catalog
  • May 2026: Shadowserver reports 44,000+ compromised IPs and rising

That is roughly a two-month window where attackers had free rein and no defense existed because the vulnerability was not yet public. By the time most administrators received any alert, thousands of servers were already encrypted.

Rapid7 used the Shodan search engine to estimate approximately 1.5 million cPanel instances are exposed online. Not all of them are confirmed vulnerable, but the scale of potential exposure puts this among the most significant hosting security events in recent years.


Am I Affected? How to Check Your cPanel Version

You are likely affected if:

  • Your server runs any cPanel or WHM version released after 11.40
  • Your hosting environment includes WP Squared (a WordPress management panel built on cPanel)
  • Your hosting provider has not yet applied the emergency patch
  • Your server has not been updated within the last few weeks

Patched versions confirmed safe:

cPanel / WHM Branch    Safe Version
11.86.x                11.86.0.41 or higher
11.110.x               11.110.0.97 or higher
11.118.x               11.118.0.63 or higher
11.126.x               11.126.0.54 or higher
11.130.x               11.130.0.19 or higher
11.132.x               11.132.0.29 or higher
11.134.x               11.134.0.20 or higher
11.136.x               11.136.0.5 or higher
WP Squared             136.1.7 or higher

Signs your server may already be compromised:

  • Files across your directories have been renamed with a .sorry file extension (example: database.sql.sorry)
  • A file named README.md has appeared inside your folders containing a payment demand
  • Unusual login activity or unfamiliar sessions appear in your cPanel access logs
  • Your websites are returning errors or showing unexpected content

cPanel released an official detection script alongside the patch. watchTowr also published a Detection Artifact Generator designed specifically for this vulnerability. If you are not sure, run both before assuming you are clean.


How to Patch Right Now: Step-by-Step Emergency Fix

This is the most important section in this entire article. Do not skip it.

Step 1: SSH to your server

Open a terminal and SSH into the server as root or as a user with sudo rights.

Step 2: Run the force update command

/scripts/upcp --force

The --force flag makes the cPanel update process run even if the system believes it is already on the latest version. It installs the patched release directly from cPanel's own servers. Depending on how busy the server is, this normally takes between two and five minutes.

Step 3: Check which version you have installed

Once the update has finished, log in to WHM and verify the version number shown in the top left corner of the screen, or run:

cat /usr/local/cpanel/version

Make sure the installed version is one of the patched releases in the table above. If it is not, contact cPanel support or your hosting provider.

Step 4: Check for unsupported versions

If your server runs a cPanel version that predates the supported branches listed above, the security patch is not available for your installation.

In that case, upgrading to a current supported version is the only legitimate fix. Running an unsupported version after this disclosure means remaining exposed indefinitely.
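A helper for steps 3 and 4, and for the compromise indicators listed earlier, as an added example that is not a cPanel tool and not part of the original article: it reads the version file from step 3, compares it with the table above, and sweeps a directory tree for .sorry files and the README.md notes beside them. The script name, the /home default, and the rule that a README.md only counts as a ransom note when it sits next to .sorry files are assumptions made here.

```python
"""Added helper, not a cPanel tool. Compares the installed cPanel & WHM
version with the patched builds listed in this article and sweeps a tree
for the Sorry artifacts the article names. Assumptions: the script name,
the /home default, and the README.md-beside-.sorry heuristic."""
import os
import re
import sys

VERSION_FILE = "/usr/local/cpanel/version"  # the file step 3 reads

# Lowest patched build per supported branch, copied from the table above.
PATCHED_MIN = {
    (11, 86): (11, 86, 0, 41),
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 130): (11, 130, 0, 19),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}


def parse_version(text: str) -> tuple:
    """'11.110.0.97\\n' -> (11, 110, 0, 97); shorter strings are zero-padded."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def patch_status(version: str) -> str:
    """'patched', 'vulnerable', or 'unsupported' (branch not in the table:
    per step 4 there is no patch for it and an upgrade is the only fix)."""
    v = parse_version(version)
    minimum = PATCHED_MIN.get(v[:2])
    if minimum is None:
        return "unsupported"
    return "patched" if v >= minimum else "vulnerable"


def classify_listing(listing) -> dict:
    """listing: iterable of (directory, [filenames]), e.g. derived from os.walk.
    Flags every *.sorry file, and a README.md only when it sits beside .sorry
    files: a lone README.md is normal in web roots (heuristic, an assumption)."""
    hits = {"encrypted": [], "notes": []}
    for directory, names in listing:
        sorry = [n for n in names if n.endswith(".sorry")]
        hits["encrypted"] += [os.path.join(directory, n) for n in sorry]
        if sorry and "README.md" in names:
            hits["notes"].append(os.path.join(directory, "README.md"))
    return hits


def find_sorry_artifacts(root: str) -> dict:
    return classify_listing((d, files) for d, _dirs, files in os.walk(root))


def main(argv) -> int:
    # Usage: python3 check_cpanel.py [/home]   (name and default are assumptions)
    try:
        with open(VERSION_FILE) as fh:
            status = patch_status(fh.read())
    except FileNotFoundError:
        print(f"{VERSION_FILE} not found: is this a cPanel host?")
        return 2
    print(f"cPanel version status: {status}")
    if status == "vulnerable":
        print("Run /scripts/upcp --force (step 2), then re-run this check.")
    elif status == "unsupported":
        print("No patch exists for this branch: upgrade to a supported version (step 4).")
    hits = find_sorry_artifacts(argv[0] if argv else "/home")
    print(f"{len(hits['encrypted'])} .sorry files, {len(hits['notes'])} probable ransom notes")
    return 0 if status == "patched" and not hits["encrypted"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it before and after the update; a non-zero exit means either the version is still not on a patched build or encrypted files were found, and in the latter case the server belongs in the recovery section below, not in the patch-and-forget column.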

What hosting providers did:

Several major providers moved fast to protect their customers:

  • Namecheap temporarily blocked access to the cPanel and WHM ports (2083 and 2087) until patches were deployed across its infrastructure
  • HostGator classified the bug as a critical authentication-bypass exploit and patched its systems
  • KnownHost blocked access to customer panels and began patching immediately after detecting exploitation
  • HostPapa and InMotion Hosting also restricted access during the patch window

If your hosting provider manages cPanel on your behalf, contact them directly and ask for written confirmation that the cPanel CVE-2026-41940 patch has been applied to your specific server. Do not assume it has been done automatically.


Meet the Sorry Ransomware: What Happens After the Breach

Once an attacker bypasses authentication and gets inside cPanel, they control everything: your files, your databases, your email accounts, your customer data, your entire server environment.

In the current wave of attacks, that access is being used to deploy ransomware.

Key facts about Sorry ransomware:

  • Ransomware type: File-encrypting ransomware targeting Linux servers
  • Encryptor: Go-based Linux encryptor ransomware, purpose-built for this campaign
  • File extension: Appends .sorry to every encrypted file
  • Ransom note: Drops a file named README.md in every affected folder
  • Payment channel: Victims are directed to contact attackers on the Tox messaging platform
  • Relation to 2018 campaign: None. Different encryptor, different threat actors, unrelated

This is not a repurposed old tool. The encryptor is written in Go, compiled for Linux, and clearly designed with web hosting environments in mind. The choice of target, cPanel servers running shared hosting, tells you this is a deliberate campaign against web infrastructure, not a spray-and-pray operation.

When the encryptor runs, it crawls through the server's directories, encrypts every file it can reach and appends .sorry to its name. An image becomes image.jpg.sorry. A configuration file becomes config.php.sorry. A database export becomes data.sql.sorry. All of it becomes inaccessible. The ransom note then appears, and victims are told to negotiate via Tox.


The Encryption Problem: Why You Cannot Just Decrypt the Files

How the Sorry ransomware encryption works:

  • Encryption algorithm: ChaCha20 stream cipher (fast, modern, cryptographically strong)
  • Key protection: Each encryption key is itself encrypted using an RSA-2048 public key embedded in the ransomware binary
  • Key location: The RSA-2048 private key exists only on the attackers' infrastructure
  • Decryptor availability: None. No free tool currently exists.

This ChaCha20-plus-RSA-2048 combination is not something you can crack with available computing resources. Ransomware expert Rivitna, who analyzed the encryptor and posted findings on the BleepingComputer forums, stated clearly that decryption is not possible without the corresponding private key, and that key is held by the attackers.
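The key handling described above, as an added model that is not the Sorry encryptor and does not touch the filesystem: a fresh ChaCha20 key is generated per file, the file is encrypted with it, and the key is then wrapped with an RSA public key so that only the holder of the matching private key can unwrap it. The ChaCha20 is a plain RFC 8439 implementation; the RSA is unpadded textbook RSA with 512-bit primes so the example runs quickly (the real campaign uses 2048-bit keys, and real software would use OAEP padding); the file contents are constructed and the blob layout is an assumption about the real .sorry format.

```python
"""Added model of the hybrid scheme described above (not the Sorry binary):
per-file ChaCha20 keys wrapped under an RSA public key. ChaCha20 follows
RFC 8439; the RSA is unpadded textbook RSA with 512-bit primes so it runs
fast (real keys are 2048-bit and real code pads). Works on an in-memory
dict of constructed 'files'; the blob layout is an assumption."""
import secrets
import struct

MASK = 0xFFFFFFFF


def _qr(s, a, b, c, d):  # RFC 8439 quarter round on state words a, b, c, d
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block: 4 constants, 8 key words, counter, 3 nonce words."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key) + (counter,) + struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & MASK for x, y in zip(w, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keypair(bits: int = 1024):
    """Returns (n, e), (n, d). e = 65537 is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537

    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt_files(public, files: dict) -> dict:
    """Attacker side: fresh 256-bit key and 96-bit nonce per file; the key is
    wrapped as key^e mod n and the plaintext key is discarded, so the victim
    only ever holds (nonce, wrapped key, ciphertext)."""
    n, e = public
    size = (n.bit_length() + 7) // 8
    blobs = {}
    for name, data in files.items():
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        wrapped = pow(int.from_bytes(key, "big"), e, n).to_bytes(size, "big")
        blobs[name + ".sorry"] = (nonce, wrapped, chacha20_xor(key, nonce, data))
    return blobs


def unwrap_succeeds(key_pair, blobs: dict) -> bool:
    """True only if every wrapped key unwraps to a 256-bit value under this
    (n, exponent). With the public e instead of the private d the result is a
    random n-sized number, so the unwrap fails: that is the victim's position."""
    n, x = key_pair
    return all(pow(int.from_bytes(w, "big"), x, n).bit_length() <= 256
               for _nonce, w, _ct in blobs.values())


def decrypt_files(private, blobs: dict) -> dict:
    """Only works with d, which never leaves the attackers' infrastructure."""
    if not unwrap_succeeds(private, blobs):
        raise ValueError("wrapped keys do not unwrap under this key")
    n, d = private
    files = {}
    for name, (nonce, wrapped, ct) in blobs.items():
        key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(32, "big")
        files[name[:-len(".sorry")]] = chacha20_xor(key, nonce, ct)
    return files
```

The point to take from a run: everything the victim holds after encryption is the nonce, the ciphertext, and a copy of the file key that only d can open. Brute-forcing the 256-bit ChaCha20 key and factoring a 2048-bit modulus are both out of reach, which is why the article's conclusion that backups are the only reliable path is the correct one.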

What this means practically for victims:

  • Without backups, file recovery requires either paying the ransom or losing the data permanently
  • Paying does not guarantee the attackers will provide a working key
  • No security researcher or government agency has released a decryptor
  • Law enforcement involvement may be possible but does not typically result in fast file recovery

For those already infected, the situation is bleak. There is no technical shortcut to recovering .sorry files. Backups are the only reliable path back.


Recovery Options If You Are Already Infected

If the ransomware has already run on your server, act quickly but do not panic.

Immediate steps:

  • Disconnect the server from the network to prevent the attacker from returning
  • Do not delete the encrypted files or the ransom note yet, preserve them for investigation
  • Contact a professional ransomware incident response firm before making any decisions
  • Do not pay the ransom without consulting a specialist first

Recovery paths, in order of reliability:

  • Clean backup restore: The most reliable option if you have recent offsite backups
  • Hosting provider backup: Ask your provider if they maintain independent server snapshots
  • Partial file recovery: Some files may have been skipped by the encryptor, check carefully
  • Negotiated decryption: Only consider this as a last resort and with professional guidance

Important for backup restore after ransomware:

  • Verify backup integrity before restoring. Check file timestamps and known file hashes.
  • Confirm the backup was taken before the infection date (check your server logs for earliest signs of compromise)
  • Apply the CVE-2026-41940 patch before restoring. Restoring to a vulnerable server means getting reinfected.
  • After restoring, change all cPanel and server passwords immediately


Prevention and Hardening: What to Do After Patching

Patching CVE-2026-41940 is the critical first step. But a patched server is not a hardened server. Here is what to do next.

cPanel access hardening:

• Enable two-factor authentication (2FA) in cPanel for every account. It adds a layer that survives a credential compromise. It is not a substitute for the patch: this flaw bypasses the password check itself rather than guessing or stealing a password.

• Configure your firewall to allow connections to ports 2083 and 2087 only from known, trusted IP addresses to restrict cPanel port access

• If it is on, turn off cPanel demo mode

• Delete any old unused cPanel accounts, each inactive account is a potential attack surface


Protection at server level:

• Put a firewall and a web application firewall in front of cPanel, for example ConfigServer Security & Firewall (CSF) together with ModSecurity, so that incoming requests are filtered before they reach the panel

• Enable automatic cPanel updates so that future critical patches are applied without waiting for a human

• Enable failed-login detection with automatic blocking of an IP address after a set number of failed attempts (cPHulk in WHM does this)

• Audit all SSH keys and authorized users on the server


Web hosting security hardening methods:

• Keep at least three copies of every backup: one on the server, one offsite, and one in separate cloud storage, with at least one copy that the server itself cannot overwrite (ransomware that can reach a backup encrypts it too)

• Test your backups by restoring to a staging environment at least every three months

• Watch your server logs for unusual access patterns

• Subscribe to cPanel's security announcements so that you receive advisories as soon as they are published


Many of the servers hit in this campaign were exposed by slow patching once the fix shipped and by cPanel and WHM ports left reachable from the entire internet. Every hardening measure above costs less time than recovering from a ransomware event.


What the ShadowServer Data Tells Us About the Scope

Shadowserver's data on compromised cPanel IPs has been circulating within the security community since the mass exploitation began.

Shadowserver, which continuously scans global internet infrastructure for signs of compromise, reported over 44,000 unique IP addresses running cPanel that show indicators of compromise from this campaign.

To put that number in context:

  • Each IP address may represent a single server hosting dozens or hundreds of individual websites
  • Shared hosting environments are particularly vulnerable because one compromised server affects all accounts on that machine
  • The Canadian Centre for Cyber Security specifically warned that successful exploitation could allow attackers to compromise every website on a shared hosting server

Administrators managing hosting environments should cross-reference their IP ranges against Shadowserver's reported data. Contact Shadowserver directly if your organization qualifies for their free data-sharing program.
