CVE-2026-41940 is a critical cPanel and WHM authentication bypass tied to mass exploitation, Sorry ransomware deployment, and an accelerated CISA remediation deadline.
A pre-authentication zero-day in the world's most widely deployed web hosting control panel has set off one of the most damaging mass-exploitation events of 2026 — and the worst may not yet be over.
CVE-2026-41940, a CVSS 9.8 Critical authentication bypass affecting WebPros cPanel & WHM and its WP Squared (WP2) managed WordPress product, was disclosed on April 28–29, 2026. Within days, more than 44,000 servers had been compromised, a Go-based Linux ransomware strain was encrypting hosted files at scale, and the U.S. Cybersecurity and Infrastructure Security Agency had added the flaw to its Known Exploited Vulnerabilities (KEV) catalog with a binding patch deadline of May 3, 2026. The hosting industry was facing its most severe security event in years.
What CVE-2026-41940 Is — and Why It Hits So Hard
At its core, CVE-2026-41940 is a missing authentication for critical function flaw (CWE-306) embedded in cPanel's login flow. Every supported release of cPanel & WHM after version 11.40 is vulnerable — that is an estimated 70 million domains running on approximately 1.05 million internet-facing servers, according to Censys internet scan data.
The mechanics are unforgiving. An attacker needs no credentials, no phishing hook, no insider access. By sending two crafted HTTP requests to a cPanel login endpoint, an adversary can inject specially formatted characters into an Authorization header. Those characters — carriage-return and line-feed sequences — land raw in cPanel's on-disk session files because the software failed to sanitize user-controlled input before writing to those files. A subsequent request triggers a cache-promotion routine that reads the malformed session data and treats the injected parameters — including hasroot=1 and tfa_verified=1 — as legitimate, authenticated session keys. The result: the software's password-check routine sees a marker indicating successful internal authentication and skips verification against /etc/shadow entirely.
From unauthenticated outsider to root-level WHM administrator in two HTTP requests.
WHM is the administrative layer of cPanel — it controls SSL certificates, DNS zones, server configurations, all hosted cPanel accounts, and email infrastructure. There is no higher privilege level to escalate to. One successful exploit does not compromise one website; it hands an attacker full control over every site, database, mailbox, and stored credential on that physical server.
For shared hosting providers — where a single server may host hundreds or thousands of independent tenants — that multiplier effect is catastrophic.
Two Months as a Zero-Day
What makes CVE-2026-41940 especially alarming is what it was before it became a CVE. According to reporting by BleepingComputer, exploitation activity dates back to at least late February 2026 — meaning attackers were quietly plundering cPanel servers for approximately eight to ten weeks before any public advisory existed, before any patch shipped, and before any administrator could reasonably have known to look.
Hosting provider KnownHost confirmed active in-the-wild exploitation on its community forums even as WebPros was pushing its emergency out-of-band patch on April 28. According to Rapid7, roughly 1.5 million cPanel instances were accessible from the internet at the time of disclosure.
The patch is available. The question every administrator must answer honestly is: how long was my server exposed before it arrived?
The "Sorry" Ransomware Campaign
Threat actors did not wait for defenders to catch up. Within hours of the public disclosure and proof-of-concept publication, mass exploitation pivoted from quiet reconnaissance to active ransomware deployment.
The malware being distributed is a Go-based Linux encryptor named "Sorry" ransomware, which appends the .sorry extension to every file it encrypts. The encryption itself uses the ChaCha20 stream cipher, with the symmetric key protected by an embedded RSA-2048 public key. Ransomware expert Rivitna confirmed on the BleepingComputer forums that decryption is mathematically impossible without the corresponding private RSA-2048 key held by the attackers — there is no known recovery path outside of paying ransom or restoring from clean backups.
In each directory, the ransomware drops a ransom note named README.md instructing victims to contact the threat actor via the Tox encrypted messaging protocol.
Censys researchers monitoring internet-wide open directory indexes documented the scale in near-real time. On the morning of May 1, roughly 7,000 servers were suddenly exposing open directories where every file had been renamed with the .sorry suffix — directories that had not existed the previous day. By the time of Censys's publication, 8,859 hosts across the internet were exposing .sorry-encrypted open directories, with 7,135 of them confirmed to be running cPanel or WHM.
The file patterns exposed tell the full story of the blast radius:
| Encrypted Filename | Hosts Affected |
|---|---|
| index.html.sorry | 6,465 |
| index.php.sorry | 1,637 |
| license.txt.sorry | 855 |
| wp-config.php.sorry | 795 |
| wp-settings.php.sorry | 791 |
WordPress-specific files — wp-config.php, wp-cron.php, wp-load.php — appear across hundreds of hosts, underscoring that managed WordPress installations are among the primary victims. This is particularly relevant given that CISA's KEV entry explicitly names not just cPanel & WHM but also WP Squared (WP2), WebPros' managed WordPress hosting product, as an affected platform.
A parallel campaign was simultaneously deploying a Mirai botnet variant (nuclear.x86) to compromised cPanel servers — indicating that at least two distinct threat actors were independently weaponising the vulnerability within the same exploitation window.
The Numbers: Mass Compromise at Scale
The Shadowserver Foundation's honeypot network detected the campaign's footprint in real time. On April 30, 2026, Shadowserver reported that at least 44,000 unique IP addresses running cPanel had been observed participating in scanning and exploitation activity consistent with compromise.
Censys data captured the statistical anomaly with precision. In the four days prior to May 1, cPanel systems accounted for a negligible fraction — typically dozens to low hundreds — of newly malicious hosts appearing in their dataset daily. On May 1, the total number of newly classified malicious hosts surged by approximately 19,000. Of those, over 15,300 were running cPanel or WHM. That is nearly 80% of a single day's global spike in malicious internet infrastructure attributable to one vulnerability in one product.
The compromised infrastructure was concentrated among major VPS and cloud hosting providers: DigitalOcean (1,043 malicious cPanel hosts), Contabo (716), OVH (501), Vultr (391), Oracle Cloud (321), and GoDaddy (209) among the top ten at time of Censys's analysis. These are the platforms where professional MSPs, development agencies, and independent hosting providers run their customer-facing infrastructure.
Regulatory Response: CISA, CCCS, and an Accelerated Deadline
CISA listed CVE-2026-41940 in its KEV catalog under the formal label "WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability" and set a binding remediation deadline of May 3, 2026 — giving federal civilian executive branch agencies until Sunday to patch under Binding Operational Directive 22-01. The window from KEV addition to deadline was approximately 48 hours, one of the shortest mandated timelines CISA issues and a direct reflection of confirmed active exploitation at scale.
Canada's Centre for Cyber Security issued Alert AL26-008 on April 29, stating directly that "exploitation is highly probable" and that "immediate action is required."
Namecheap, one of the world's largest domain registrars and hosting providers, issued an emergency status update regarding the vulnerability and, according to industry reports, moved to restrict access to cPanel and WHM management ports as a protective measure — an unusual step that signals the severity with which major hosting providers treated the risk.
The Shared Hosting Multiplier: Why Agencies and MSPs Face Disproportionate Risk
For individual website owners, a compromised cPanel account is a serious incident. For managed service providers and web development agencies co-hosting dozens or hundreds of clients on shared infrastructure, it is an existential one.
WHM is the administrative layer above all cPanel accounts on a server. A single successful WHM authentication bypass compromises every tenant simultaneously — every client database, every credential set, every email archive, every SSL private key stored on that machine. Depending on jurisdiction and sector, each affected tenant may trigger a separate breach notification obligation.
The vulnerability is compounded by a common operational practice: many hosting environments pin cPanel to a specific version and disable auto-updates for stability reasons. These servers received no automatic patch and, absent manual intervention, remain fully exposed.
cPanel's official advisory confirmed that all versions after 11.40 are vulnerable. WebPros released emergency patches down to version 11.86.0.41 — the lowest supported branch to receive a fix. Servers running versions below that threshold are on unsupported branches for which no patch will ever ship; those machines must be migrated to a patched environment immediately. Any server in the vulnerable range that has not yet applied the emergency update should be treated as potentially compromised regardless of whether an attack has been directly detected.
Patch Now — Here's Exactly How
WebPros has released emergency patches across all supported release branches. Administrators should update immediately using cPanel's native update script:
```bash
# Run as root on the cPanel server
/scripts/upcp --force
# Verify the patched version
/usr/local/cpanel/cpanel -V
# Restart cpsrvd
/scripts/restartsrv_cpsrvd --hard
```
If immediate patching is not possible, apply these interim mitigations:
```bash
# Block management ports and disable service subdomains
whmapi1 set_tweaksetting key=proxysubdomains value=0 && \
/scripts/proxydomains remove && \
/scripts/rebuildhttpdconf && \
/scripts/restartsrv_httpd
# Stop cpsrvd and cpdavd entirely if the above cannot be applied
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && \
whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && \
/scripts/restartsrv_cpsrvd --stop && \
/scripts/restartsrv_cpdavd --stop
```
Firewall rules should block inbound access to ports 2083, 2087, 2095, and 2096 from any IP not explicitly authorized for server administration.
Assume Compromise If You Were Exposed
Patching stops new exploitation. It does not undo past access. Any server running a vulnerable version of cPanel since late February 2026 must be treated as potentially compromised, regardless of whether an attack has been directly detected.
Indicators of compromise to check immediately:
- Session file anomalies: Inspect `/var/cpanel/sessions/raw/` for session files containing `hasroot=1`, `tfa_verified=1`, or `successful_internal_auth_with_timestamp` in sessions with a `badpass` origin — these keys cannot legitimately appear together in a normal session.
- Encrypted file sweep: Search all hosted content for files with the `.sorry` extension and for `README.md` ransom notes in web directories.
- WHM access log audit: Review authentication logs on ports 2083 and 2087 for any successful logins between February and late April 2026.
cPanel has published an official detection script — ioc_checksessions_files.sh — in its security advisory that automates session file analysis with CRITICAL, WARNING, ATTEMPT, and INFO severity classifications.
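cPanel's own script is the authoritative check. The following added example (not the official `ioc_checksessions_files.sh`, and not code from WebPros) shows the co-occurrence logic the indicators above describe, applied to session files on disk; it assumes session files are newline-separated `key=value` records, that a failed login is recorded as `origin=badpass`, and that the exploit's CR/LF injection leaves raw CR bytes in the file. The sample files and severity thresholds are constructed for this example.

```python
"""Triage cPanel session files for CVE-2026-41940 indicators (added example,
not cPanel's ioc_checksessions_files.sh). Assumed: session files are
newline-separated key=value records, a failed login is recorded as
origin=badpass, and the exploit leaves raw CR bytes behind. Thresholds are ours."""
import os

# Keys the advisory says cannot legitimately follow a failed-password origin.
PRIVILEGED_KEYS = {"hasroot", "tfa_verified", "successful_internal_auth_with_timestamp"}

SAMPLES = {  # constructed sample session files for a dry run, not real captures
    "clean": b"user=alice\norigin=cpanel\n",
    "attempt": b"user=root\norigin=badpass\r\nfoo=bar\r\n",
    "pwned": b"user=root\norigin=badpass\r\nhasroot=1\r\ntfa_verified=1\r\nsuccessful_internal_auth_with_timestamp=1\r\n",
}

def parse_session(raw: bytes) -> dict:
    """Split key=value lines; CR-terminated (injected) lines still count, last key wins."""
    fields = {}
    for line in raw.split(b"\n"):
        if b"=" in line:
            key, value = line.strip(b"\r ").split(b"=", 1)
            fields[key.decode("latin-1")] = value.decode("latin-1")
    return fields

def classify(raw: bytes) -> str:
    """Return one severity label for a single session file."""
    fields = parse_session(raw)
    privileged = PRIVILEGED_KEYS & set(fields)
    badpass = "badpass" in fields.get("origin", "")
    crlf = b"\r" in raw          # a Linux-written session never contains CR
    if badpass and privileged:   # password failed, yet session claims root/2FA
        return "CRITICAL"
    if privileged and crlf:      # injected lines landed; origin may be overwritten
        return "WARNING"
    if crlf:                     # injection attempted, no privilege key landed
        return "ATTEMPT"
    return "INFO"

def scan_dir(path: str) -> dict:
    """Classify every regular file in path: {filename: severity}."""
    results = {}
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                results[entry.name] = classify(fh.read())
    return results

if __name__ == "__main__":
    for name, sev in scan_dir("/var/cpanel/sessions/raw").items():
        print(sev, name)
```

The WARNING tier exists because an injected `origin=` line later in the file overrides the earlier `badpass` value under last-key-wins parsing, so a CRITICAL check that keys only on origin would miss it.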
If CRITICAL indicators are present, treat the server as fully owned: rotate all credentials reachable from the control panel, including database passwords, SSH keys, API tokens, and stored SSL private keys. If account data integrity cannot be guaranteed, migrating accounts to a clean server is the safest path to recovery.
Hosting Control Panel Security: The Structural Problem This Exposed
CVE-2026-41940 is a product-specific vulnerability with a specific fix. But the conditions that made it so damaging are structural — and they will create the next mass-compromise event unless addressed.
WHM and cPanel management interfaces are routinely left exposed to the open internet on default ports. IP allowlisting — restricting access to management ports to known administrator addresses only — would have limited this attack's reach dramatically regardless of whether the vulnerability was patched. Auto-update discipline matters: the organisations operating fully patched cPanel at the time of disclosure are precisely those that never disabled auto-updates and never pinned versions.
The lesson for hosting control panel security is not limited to cPanel. Any control plane interface — whether cPanel, Plesk, DirectAdmin, or a proprietary panel — that is exposed on the open internet without network-layer access restriction is a mass-compromise event waiting for its corresponding CVE to be discovered.
For shared hosting providers, agencies, and MSPs: the exposure model for your management plane must match the privilege level it controls. WHM controls everything on your server. It should be reachable by no one who is not explicitly permitted. CVE-2026-41940 has made that case in the most costly way possible.