Authentication bypass vulnerability in cPanel and WHM exploited as zero-day prior to patch
Updated: 03.05.2026 00:54 · First: 30.04.2026 14:40 · 2 sources / 2 articles
A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel, WHM, and WP Squared has been mass-exploited in 'Sorry' ransomware attacks since May 2026, compromising at least 44,000 cPanel IP addresses globally. The flaw, a CRLF injection in the login and session loading processes, allows attackers to bypass authentication and gain full control over cPanel hosts, enabling deployment of a Go-based Linux encryptor that appends the '.sorry' extension to files. Encryption uses ChaCha20 with RSA-2048 key protection, rendering decryption impossible without the threat actor's private key. Ransom notes with a fixed Tox ID are dropped in each compromised folder. cPanel released emergency fixes on April 28, 2026, addressing versions 11.110.0 through 11.136.0 and WP Squared 11.136.1. Approximately 1.5 million exposed instances were identified via Shodan scans. Emergency mitigations included port blocking and service suspensions.