Critical cPanel Vulnerability CVE-2026-41940 Exploited in Widespread 'Sorry' Ransomware Attacks

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 02, 2026 from an administrator's point of view, checking CVE-2026-41940 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 2 corroborating sources support that scope.
Active threat. Treat the incident as active until mitigation or patch adoption has been verified.
A critical security flaw in cPanel, tracked as CVE-2026-41940, is being actively exploited by attackers deploying the 'Sorry' ransomware to encrypt website data. The flaw allows unauthorized access to hosting environments, putting thousands of websites at risk. Immediate patching and security measures are advised to prevent further breaches.
GLOBAL, May 2, 2026, 22:03 UTC
A critical vulnerability in cPanel software, identified as CVE-2026-41940, is under active exploitation by threat actors deploying the "Sorry" ransomware. The flaw enables attackers to compromise web hosting accounts, encrypt data, and demand ransom payments.
Security researchers first observed a sharp increase in attacks exploiting this vulnerability over the past week. The flaw affects cPanel versions commonly used by web hosting providers worldwide, exposing thousands of websites to potential data loss and downtime.
cPanel is a widely adopted web hosting control panel, providing graphical interfaces and automation tools for website management. The vulnerability allows attackers to bypass authentication controls, granting them access to sensitive server functions.
The "Sorry" ransomware group has leveraged this weakness to infiltrate hosting accounts, encrypt website files, and leave ransom notes demanding payment for decryption keys. The attacks have caused significant disruption for website operators relying on vulnerable cPanel installations.
Cybersecurity news outlet BleepingComputer reported that the flaw was disclosed recently and that attackers weaponized it before many users could apply patches. This rapid exploitation underscores the urgency for administrators to update affected systems immediately.
Affected organizations are urged to verify their cPanel version and apply the vendor's security patches without delay. Additionally, implementing multi-factor authentication and monitoring server logs for suspicious activity can help mitigate risks.
Failure to address this vulnerability promptly could result in widespread data encryption, service outages, and financial losses due to ransom payments or recovery costs.
Hosting providers are also advised to notify their customers about the threat and assist with remediation efforts. Delays in patching could lead to further compromise and reputational damage.
The incident highlights the persistent threat posed by unpatched software in critical infrastructure components. Attackers continue to exploit known vulnerabilities to launch ransomware campaigns targeting high-value assets.
Security experts recommend regular vulnerability assessments and timely updates as fundamental defenses against such attacks. The rapid exploitation of CVE-2026-41940 serves as a reminder of the importance of proactive cybersecurity hygiene.
While no widespread data breaches beyond encryption have been reported, the potential for secondary attacks remains a concern. Organizations should remain vigilant for signs of lateral movement or data exfiltration.
The cPanel vendor has released detailed advisories outlining the vulnerability and mitigation steps. Users can find official patches and guidance on the cPanel website.
In the interim, affected parties should back up critical data securely and avoid paying ransoms, as this does not guarantee data recovery and may encourage further attacks.
The cybersecurity community continues to monitor the situation closely and will provide updates as more information becomes available.
Source: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
Sources used for this article
scmagazine.com, BleepingComputer
