HackWatch

Critical cPanel Vulnerability CVE-2026-41940 Exploited in Widespread 'Sorry' Ransomware Attacks

Exploitability matters here. Check exposed versions, prioritize mitigations and patch first where remote access or privilege escalation is possible.
By: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

Published: May 01, 2026

Updated: May 02, 2026

Incident status: Active threat

Corroborating sources: 2

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 02, 2026 from an administrator's point of view, checking CVE-2026-41940 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 2 corroborating sources support that scope.

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A critical security flaw in cPanel, tracked as CVE-2026-41940, is being actively exploited by attackers deploying the 'Sorry' ransomware to encrypt website data. The flaw allows unauthorized access to hosting environments, putting thousands of websites at risk. Immediate patching and security measures are advised to prevent further breaches.

GLOBAL, May 2, 2026, 22:03 UTC

A critical vulnerability in cPanel software, identified as CVE-2026-41940, is under active exploitation by threat actors deploying the "Sorry" ransomware. The flaw enables attackers to compromise web hosting accounts, encrypt data, and demand ransom payments.

Security researchers first observed a sharp increase in attacks exploiting this vulnerability over the past week. The flaw affects cPanel versions commonly used by web hosting providers worldwide, exposing thousands of websites to potential data loss and downtime.

cPanel is a widely adopted web hosting control panel, providing graphical interfaces and automation tools for website management. The vulnerability allows attackers to bypass authentication controls, granting them access to sensitive server functions.

The "Sorry" ransomware group has leveraged this weakness to infiltrate hosting accounts, encrypt website files, and leave ransom notes demanding payment for decryption keys. The attacks have caused significant disruption for website operators relying on vulnerable cPanel installations.

Cybersecurity firm BleepingComputer reported that the flaw was disclosed recently, but attackers quickly weaponized it before many users could apply patches. This rapid exploitation underscores the urgency for administrators to update affected systems immediately.

Affected organizations are urged to verify their cPanel version and apply the vendor's security patches without delay. Additionally, implementing multi-factor authentication and monitoring server logs for suspicious activity can help mitigate risks.

Failure to address this vulnerability promptly could result in widespread data encryption, service outages, and financial losses due to ransom payments or recovery costs.

Hosting providers are also advised to notify their customers about the threat and assist with remediation efforts. Delays in patching could lead to further compromise and reputational damage.

The incident highlights the persistent threat posed by unpatched software in critical infrastructure components. Attackers continue to exploit known vulnerabilities to launch ransomware campaigns targeting high-value assets.

Security experts recommend regular vulnerability assessments and timely updates as fundamental defenses against such attacks. The rapid exploitation of CVE-2026-41940 serves as a reminder of the importance of proactive cybersecurity hygiene.

While no widespread data breaches beyond encryption have been reported, the potential for secondary attacks remains a concern. Organizations should remain vigilant for signs of lateral movement or data exfiltration.

The cPanel vendor has released detailed advisories outlining the vulnerability and mitigation steps. Users can find official patches and guidance on the cPanel website.

In the interim, affected parties should back up critical data securely and avoid paying ransoms, as this does not guarantee data recovery and may encourage further attacks.

The cybersecurity community continues to monitor the situation closely and will provide updates as more information becomes available.

Source: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/

Sources used for this article

scmagazine.com, BleepingComputer

Marcin Pocztowski

Infrastructure Security Editor at HackWatch.io

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this ransomware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Critical cPanel Vulnerability CVE-2026-41940 Exploited in Widespread 'Sorry' Ransomware Attacks".

Server and network infrastructure administration | Known exploited vulnerabilities and patch prioritization | CVSS v4.0 and CISA KEV triage