cPanel CVE-2026-41940 Under Mass Exploitation: 44,000 Servers Hit, Sorry Ransomware Deployed

A critical authentication bypass in cPanel (CVE-2026-41940, CVSS 9.8) has compromised at least 44,000 servers worldwide, with attackers deploying 'Sorry' ransomware — a Go-based Linux encryptor with no known decryption tool — and Mirai botnet variants. Shadowserver telemetry observed approximately 44,000 IPs scanning and exploiting vulnerable cPanel instances, with activity tapering to around 3,540 by early May. Exploitation dates back to late February 2026, two months before the April 28 patch, indicating zero-day weaponization. On May 8, cPanel issued a second Technical Security Release for three additional vulnerabilities: CVE-2026-29201 (arbitrary file read, CVSS 4.3), CVE-2026-29202 (arbitrary Perl code execution via create_user API, CVSS 8.8), and CVE-2026-29203 (symlink privilege escalation, CVSS 8.8). Targets included Southeast Asian government/military entities and hosting providers in the Philippines, Laos, Canada, South Africa, and the US.
Technical significance
The cPanel mass exploitation demonstrates the risk of delayed patching in widely deployed hosting infrastructure, with a two-month gap between zero-day weaponization and patch availability. The subsequent disclosure of three additional CVEs within 10 days suggests the initial patch audit revealed deeper architectural issues. Hosting providers and their customers should treat this as a supply-chain incident requiring full credential rotation and forensic review, not just patching.