A critical authentication bypass vulnerability in the cPanel and WHM management platform is being mass-exploited to deploy a new strain of Linux ransomware. At least 44,000 IP addresses have already been identified as compromised, highlighting the devastating scale of this infrastructure-level attack.
Tracked as CVE-2026-41940, the flaw allows unauthenticated attackers to inject administrative credentials into session files via malformed authorization headers. Once root access is achieved, attackers are deploying the Sorry ransomware, a Go-based encryptor that targets web root directories and databases. CISA moved the remediation deadline for federal agencies to May 3, but automated botnets continue to sweep the internet for unpatched instances.
The compromise of a web hosting control panel at this scale represents a systemic threat to the integrity of millions of hosted domains. For enterprises, this breach results in the total loss of confidentiality for hosted data and provides attackers with a massive network of legitimate domains to use for secondary phishing and malware distribution.
– Immediately upgrade cPanel and WHM to versions 11.110.0.97, 11.118.0.63, or higher.
– Perform a forensic audit of the /home/.cpanel/sessions directory for any session files created by unauthorized IP addresses.
– Monitor for the presence of Go-based binaries in /tmp or web root directories that may indicate a ransomware implant.
– Implement strict ingress filtering to restrict management ports 2083 and 2087 to verified administrative subnets only.
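The two host-side checks above (session files created from unexpected client IPs, and Go-built binaries dropped in /tmp or a web root) can be scripted for triage. The script below is an added example written for this post, not code from cPanel or from the original author. It assumes a session file is plain `key=value` text with an `ip=` line; that layout is an assumption for illustration and should be confirmed against a known-good host before use. The Go check relies on two markers the Go linker leaves in the ELF files it produces, the `.gopclntab` section name and the `Go build ID:` string, and the sample directory tree is constructed in a temp folder so the script runs offline.

```python
"""Triage helpers: flag session files whose recorded client IP is outside an
administrative allowlist, and flag ELF files that carry Go toolchain markers.

Added example, not code from the original post or from cPanel. The session
file layout (plain key=value lines with an `ip=` key) is an ASSUMPTION.
"""
import ipaddress
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Markers the Go linker embeds in the ELF images it produces. Stripping a
# binary removes symbols but keeps .gopclntab, so check for either marker.
GO_MARKERS = (b".gopclntab", b"Go build ID:")
ELF_MAGIC = b"\x7fELF"


def is_go_elf(path: Path) -> bool:
    """True if the file is an ELF image containing a Go toolchain marker."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return data.startswith(ELF_MAGIC) and any(m in data for m in GO_MARKERS)


def find_go_binaries(root: Path) -> List[Path]:
    """Walk `root` and return regular files that look like Go-built ELF binaries."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink() and is_go_elf(p):
                hits.append(p)
    return sorted(hits)


# ASSUMED session-file layout: one `ip=<addr>` line per file.
IP_LINE = re.compile(r"^ip=(\S+)$", re.MULTILINE)


def session_ip(path: Path) -> Optional[str]:
    """Extract the recorded client IP from a session file, or None if absent."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    m = IP_LINE.search(text)
    return m.group(1) if m else None


def audit_sessions(sessions_dir: Path, admin_nets: List[str]) -> List[Tuple[Path, str]]:
    """Return (file, ip) pairs whose IP is not inside any allowlisted network.
    Files with no parseable IP are reported as '<unknown>' so they get reviewed too."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    suspicious = []
    for p in sorted(sessions_dir.iterdir()):
        if not p.is_file():
            continue
        ip = session_ip(p)
        if ip is None:
            suspicious.append((p, "<unknown>"))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # malformed address is itself suspicious
            suspicious.append((p, ip))
            continue
        if not any(addr in n for n in nets):
            suspicious.append((p, ip))
    return suspicious


def build_demo_tree() -> Path:
    """Construct a throwaway directory tree with sample data (constructed, not real)."""
    root = Path(tempfile.mkdtemp(prefix="cpanel-triage-"))
    sess = root / "sessions"
    sess.mkdir()
    (sess / "alice_abc").write_text("user=alice\nip=10.20.0.15\n")     # inside admin subnet
    (sess / "root_def").write_text("user=root\nip=203.0.113.77\n")     # outside allowlist
    (sess / "bob_ghi").write_text("user=bob\n")                        # no ip recorded
    tmp = root / "tmp"
    tmp.mkdir()
    hdr = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 20
    (tmp / "updater").write_bytes(hdr + b".gopclntab\x00")            # fake Go-built ELF
    (tmp / "notes.txt").write_bytes(b"Go build ID: text file, not ELF") # marker but no ELF header
    (tmp / "libfoo.so").write_bytes(hdr + b".text\x00")                # ELF without Go markers
    return root


def run_demo() -> Tuple[List[str], List[str]]:
    root = build_demo_tree()
    bad = [f"{p.name} {ip}" for p, ip in audit_sessions(root / "sessions", ["10.20.0.0/16"])]
    go_bins = [p.name for p in find_go_binaries(root / "tmp")]
    return bad, go_bins


if __name__ == "__main__":
    sessions, binaries = run_demo()
    print("sessions from non-admin IPs:", sessions)
    print("Go-built ELF files:", binaries)
```

On a real host, point `audit_sessions` at /home/.cpanel/sessions with the administrative subnets from the ingress filter as the allowlist, and `find_go_binaries` at /tmp and each account's web root; treat hits as leads for the forensic audit, since legitimate Go tooling will also match.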
When the management engine for a hosting environment is compromised, every tenant and every database must be treated as fully breached. #CodeDefence #cPanel #Ransomware #Sorry #AuthBypass
