
Mirai and .sorry ransomware on compromised cPanel instances

Malware Activity
Happening score: 52
1 unique source, 1 article

Summary


Compromised cPanel instances were hit with Mirai botnet variants and .sorry ransomware, turning rapid post-disclosure exploitation into botnet infection and file-encryption risk. The malware activity affected vulnerable hosts within 24 hours of disclosure and could quickly disrupt hosting operations and data access. One victim reported a multistage attack that went from initial access to full encryption in minutes. The pattern shows both botnet deployment and ransomware encryption on the same exposed management surface.

Related Happenings

cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

How related: Censys said its scans revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure.

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Timeline

  1. 04.05.2026 22:14 1 article · 22d ago

    cPanel issues security update for authentication bypass

    Initial Disclosure

    cPanel issued a security update on April 28, 2026 to fix an authentication bypass affecting all supported versions of cPanel, WebHost Manager (WHM), and WP Squared, reducing exposure on hosting management interfaces until systems are patched.

  2. 04.05.2026 22:14 1 article · 22d ago

    CVE-2026-41940 and WatchTowr Labs PoC land

    Technical Analysis Update

    On April 29, 2026, the flaw was identified as CVE-2026-41940 with CVSS 9.8, and WatchTowr Labs published a proof-of-concept exploit and technical analysis showing that the bug could give attackers administrative access to servers and hosted websites.

  3. 04.05.2026 22:14 2 articles · 22d ago

    Heavy post-disclosure exploitation hits cPanel instances

    Victim Impact Update

    cPanel instances were being attacked within 24 hours of disclosure, with Censys estimating roughly 15,000 potentially compromised instances, KnownHost reporting about 30 servers with attempted exploitation, and observed payloads including Mirai botnet variants and ransomware that appends .sorry to encrypted files.
