cPanel authentication bypass (CVE-2026-41940) mass-exploited in 'Sorry' ransomware campaigns
Tags: Security · Infrastructure
BleepingComputer

A critical authentication bypass vulnerability in cPanel and WHM (CVE-2026-41940) has been actively mass-exploited since at least May 2, 2026, to breach websites and deploy 'Sorry' ransomware, which encrypts data and appends the .sorry file extension. cPanel released an emergency security update on April 28, 2026, to address the vulnerability. The ransom note used in the campaign lists a unique contact in the form of a Tox ID. cPanel and WHM collectively power a significant portion of web hosting infrastructure globally. BleepingComputer's analysis indicates the attack campaign is expected to intensify in the coming days and weeks.