Code Defence Cyber security

Over 44,000 cPanel servers hit by Sorry ransomware following authentication bypass exploit

A critical authentication bypass vulnerability in Linux-based web hosting control panels is being mass-exploited to deploy a new strain of ransomware. Security researchers have identified a massive surge in compromised IP addresses, with attackers prioritizing the encryption of web roots and associated databases.

The flaw, tracked as CVE-2026-41940, allows unauthenticated attackers to gain administrative control over cPanel and WHM instances. Successful breaches are leading to the deployment of the Sorry ransomware, a Go-based Linux encryptor that utilizes the ChaCha20 stream cipher. Encrypted files are appended with the .sorry extension, and ransom notes are being indexed by search engines across hundreds of impacted legitimate domains.

The industrial scale of this campaign suggests that attackers are using automated botnets to sweep for unpatched hosting infrastructure. For enterprise users, a compromise of the control panel provides an adversary with full access to webmail, databases, and the underlying server filesystem.

– Immediately update cPanel and WHM to the emergency security releases provided by the vendor.

– Audit the /home/.cpanel/sessions directory for unauthorized session files created by unknown IP addresses.

– Search for Go-based binaries in /tmp or system-wide that exhibit ransomware-like behavior.

– Strictly isolate all control panel management interfaces behind a VPN or IP-restricted gateway to neutralize the unauthenticated exploit path.
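A way to operationalise the second and third items on a single host, as an added example that is not cPanel's or the reporting researchers' tooling: the script walks a directory tree (for instance /tmp) and flags ELF files that carry markers the Go toolchain embeds in the binaries it links, and it separately lists files already renamed with the .sorry extension. The marker byte strings (the `.gopclntab` section name, the `Go buildinf:` build-info header, the `runtime.gopanic` symbol) are real Go artefacts; the demo tree it builds (`updater`, `ls_copy`, `cron.sh`, `index.php.sorry`) is constructed sample data, not real malware, so the block runs offline.

```python
"""Sweep a directory tree for two indicators named in the advisory:
Go-built ELF binaries (e.g. dropped into /tmp) and files with the .sorry
extension. Added example, not the vendor's or the researchers' tooling."""
import os
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Byte strings the Go toolchain embeds in the ELF images it links
# (section name, build-info header, runtime symbol); any one is a strong signal.
GO_MARKERS = (b".gopclntab", b"Go buildinf:", b"runtime.gopanic")
RANSOM_EXT = ".sorry"
MAX_READ = 32 * 1024 * 1024  # cap per-file read so a /tmp sweep stays cheap


def is_go_elf(path: Path) -> bool:
    """True if the file is an ELF image containing a Go toolchain marker."""
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
            if head != ELF_MAGIC:
                return False          # not ELF: skip the expensive read
            body = head + fh.read(MAX_READ)
    except OSError:
        return False                  # unreadable (permissions, vanished)
    return any(marker in body for marker in GO_MARKERS)


def scan_tree(root: Path) -> dict:
    """Walk root without following symlinks and classify regular files."""
    findings = {"go_binaries": [], "encrypted_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.lstat()        # lstat: never follow planted symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if name.endswith(RANSOM_EXT):
                findings["encrypted_files"].append(str(p))
            elif is_go_elf(p):
                findings["go_binaries"].append(str(p))
    for hits in findings.values():
        hits.sort()
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed sample tree (not real malware): a fake Go ELF, a non-Go
    ELF, a plain script, and one web file renamed with the .sorry extension."""
    root = base / "tmp_demo"
    (root / "public_html").mkdir(parents=True)
    elf_hdr = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64
    (root / "updater").write_bytes(elf_hdr + b".gopclntab" + b"\0" * 32)
    (root / "ls_copy").write_bytes(elf_hdr + b".text\0.data\0")
    (root / "cron.sh").write_text("#!/bin/sh\necho hi\n")
    (root / "public_html" / "index.php.sorry").write_bytes(b"\x9a\x11ciphertext")
    return root


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, return base names."""
    with tempfile.TemporaryDirectory() as d:
        findings = scan_tree(build_demo_tree(Path(d)))
    return {k: [Path(p).name for p in v] for k, v in findings.items()}


if __name__ == "__main__":
    # Point scan_tree(Path("/tmp")) at a live host; the demo uses sample data.
    for kind, hits in run_demo().items():
        print(kind, hits)
```

On a real host, run `scan_tree(Path("/tmp"))` (and other world-writable paths) as root; a Go ELF in a scratch directory is not proof of compromise on its own, so treat hits as triage leads and pair them with the session-directory audit and process listings before acting.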

The mass exploitation of web hosting infrastructure turns a single control panel flaw into a global platform for data extortion and malware delivery. #CodeDefence #cPanel #Ransomware #Sorry #AuthBypass