'Sorry' ransomware observed deployed after active cPanel CVE-2026-41940 exploits, reaching hosts outside split-tunnel VPN coverage
- Security feeds flagged 'Sorry' ransomware being deployed after exploitation of cPanel CVE-2026-41940, with attackers using the pre-authentication bypass to reach hosts and encrypt files. (x.com) (x.com)
- Shadowserver observed at least 44,000 likely compromised IPs scanning its honeypots, and researchers published the cPanelSniper PoC toolchain on GitHub with bulk scanners and interactive shells. (x.com) (x.com)
- Exposed cPanel and WHM instances remain reachable outside split-tunnel VPN paths, so perimeter controls that rely on "the admin is on VPN" do not cover them, raising infrastructure and operations (I&O) risk across providers. (x.com) (x.com)
A cPanel bug just turned into a ransomware delivery lane. CVE-2026-41940 is a pre-authentication bypass in cPanel and WHM: an attacker needs no password to obtain administrative access on an unpatched host. Over the last few days it moved from "serious bug" to "active mass exploitation", and defenders are now seeing the "Sorry" ransomware show up after successful compromise. The bigger problem is that cPanel is the control plane for huge numbers of shared-hosting servers, so one exploited panel can mean many sites, databases, and mailboxes behind it.

### What is the bug, exactly?

The flaw sits in cPanel's session handling. Attackers can tamper with how a pre-auth session is written and then reloaded, which lets them forge a privileged session and come back as root or root-equivalent inside WHM. In plain English, the login flow can be tricked into creating an already-trusted admin session before real authentication finishes. That is why the CVSS score is 9.8 and why this is not "just another web panel bug."

### Why is cPanel the scary target?

Because cPanel is not one website plugin. It is the management layer for the server itself. If an attacker gets WHM-level access, they can touch hosted domains, databases, email, configs, and often the underlying system. Rapid7 noted roughly 1.5 million internet-exposed cPanel instances that may be in scope, and Censys warned that exposed control planes are concentrated in a relatively small set of large hosting operators. That concentration makes patch speed everything.

### What changed this week?

cPanel pushed fixes on April 28, 2026. A public technical write-up and proof of concept followed on April 29. By May 1, Shadowserver said it was seeing attacks ongoing, with at least 44,000 likely compromised IPs scanning its honeypots. That is the sequence defenders hate: patch, public exploit, then internet-scale opportunistic abuse almost immediately.

### Where does "Sorry" ransomware fit in?
This is the part that makes the story more than a vulnerability alert. BleepingComputer reported that attackers are now using CVE-2026-41940 to breach cPanel servers and then deploy "Sorry" ransomware to encrypt data. So the exploit is not staying in the reconnaissance phase. It is already being chained into monetization, fast. That changes the response posture from "patch when possible" to "patch and assume compromise until proven otherwise."

### Why are VPN tunnels part of this story?

Because split tunneling changes what traffic actually traverses the VPN. Aviatrix's docs are blunt: in split-tunnel mode, only traffic for specified internal CIDRs goes through the tunnel, while internet-bound traffic goes out directly. If admins expose cPanel to the public internet, perimeter assumptions break down fast. A remote user may be "on VPN" for some destinations, but a cPanel or WHM service on a public address is not in the tunnelled CIDRs, so it stays reachable outside that path, from the admin's workstation and from everyone else. That weakens the comfort blanket many ops teams think they have. This is an inference from how split tunnel works and from the fact that this bug is exploited over exposed cPanel services, not a claim that the exploit does anything to the VPN itself.

### Which systems are fixed?

cPanel says patched builds include 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, with WP Squared fixed in 136.1.7. Some older tiers do not have in-place patches, which means operators on those branches need more disruptive remediation, typically a branch upgrade rather than a point release. cPanel also added a detection script, and R-fx published IOC scanning and ModSecurity rules for emergency filtering.

### What should defenders do right now?

Patch first. Then check for compromise; do not assume patching removes an attacker who already forged a session. The update closes the forgery path, not sessions that were forged before it, so clear active cPanel and WHM sessions and rotate root and reseller credentials once the fixed build is in place, and review for the usual persistence: new accounts, SSH keys, cron jobs, and web shells in hosted document roots. Restrict direct access to the cPanel and WHM service ports, 2082/2083 for cPanel and 2086/2087 for WHM (and 2095/2096 for Webmail if you expose it), ideally to management networks only. If you run shared hosting, treat the panel as a crown-jewel admin surface, not a convenience interface.
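The split-tunnel point above is a routing decision, and the quickest way to see why a public cPanel address falls outside it is to model the client route table. The following is an added example, not code from the article or from Aviatrix: it does longest-prefix matching over a route table where the VPN-pushed internal CIDRs go to the tunnel and the default route goes out directly, then lists which hosts would be reached without the VPN. All addresses, CIDRs and host names are constructed; IPv4 only, since no `::/0` route is modelled.

```python
"""Which destinations does a split-tunnel VPN actually cover?

Added example, not code from the article or from Aviatrix. It models the
client-side route decision: in split-tunnel mode only the configured
internal CIDRs go to the tunnel interface and everything else goes out
directly, so a cPanel/WHM host with a public address is reached outside
the VPN even while the client is "connected". All addresses and CIDRs
below are constructed.
"""
import ipaddress


def route_for(dest, routes):
    """Longest-prefix match of dest against routes ({cidr: interface}).

    Mirrors a host route table: the most specific prefix containing the
    destination wins, and the default route is the fallback.
    """
    ip = ipaddress.ip_address(dest)
    best_net, best_iface = None, None
    for cidr, iface in routes.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != ip.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    if best_iface is None:
        raise ValueError(f"no route for {dest}")
    return best_iface


def split_tunnel_routes(internal_cidrs):
    """Split-tunnel client: internal CIDRs via 'vpn', everything else 'direct'."""
    routes = {"0.0.0.0/0": "direct"}
    for cidr in internal_cidrs:
        routes[cidr] = "vpn"
    return routes


def full_tunnel_routes():
    """Full-tunnel client: the default route itself points at the tunnel."""
    return {"0.0.0.0/0": "vpn"}


def outside_vpn(destinations, routes):
    """Return the destinations that would NOT traverse the tunnel."""
    return [d for d in destinations if route_for(d, routes) != "vpn"]


# Constructed scenario: internal ranges pushed by the VPN, plus two cPanel
# hosts, one on a private management address and one on a public address
# (203.0.113.0/24 is a documentation range).
INTERNAL_CIDRS = ["10.0.0.0/8", "172.16.0.0/12"]
CPANEL_HOSTS = {
    "whm-mgmt": "10.20.30.40",        # private, only reachable via tunnel
    "shared-web-01": "203.0.113.10",  # public, reachable from anywhere
}

if __name__ == "__main__":
    split = split_tunnel_routes(INTERNAL_CIDRS)
    for name, addr in CPANEL_HOSTS.items():
        print(f"{name:14} {addr:16} split-tunnel -> {route_for(addr, split)}")
    print("outside VPN (split):", outside_vpn(CPANEL_HOSTS.values(), split))
    print("outside VPN (full): ", outside_vpn(CPANEL_HOSTS.values(), full_tunnel_routes()))
```

The interesting line is the public host under `split_tunnel_routes`: the client is "on VPN", yet that destination matches only the default route and leaves the machine directly. Only moving the panel onto an address inside the tunnelled CIDRs, or switching to full tunnel and firewalling the public side, changes the answer. On a real workstation the same check is `ip route get <cpanel-ip>` on Linux.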
If you rely on split-tunnel VPN setups, also re-check which paths are actually protected versus simply assumed to be: a public cPanel address is not inside the internal CIDRs the tunnel covers, so it is reachable from the open internet regardless of VPN state.

### Bottom line

This is a classic internet-speed security failure: a critical admin bug in a widely exposed control plane, public exploit code within a day, and ransomware close behind. The catch is that cPanel sits upstream of lots of customer assets, so every hour an exposed box stays unpatched is not just one server at risk but an entire hosting footprint.
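For operators triaging a fleet against the fixed-build list in "Which systems are fixed?" above, here is an added example (not a cPanel tool) that classifies a build number as patched, vulnerable, or on a branch with no in-place fix. The fixed builds are the ones the article quotes from cPanel; the inventory fed to it is constructed. It compares versions as integer tuples, since a string comparison would wrongly rank `11.136.0.12` below `11.136.0.5`. The path `/usr/local/cpanel/version` is assumed to hold the installed build in the same dotted form; confirm that on your own host before relying on `classify_host`.

```python
"""Triage cPanel & WHM build numbers against the CVE-2026-41940 fixed builds.

Added example, not a cPanel tool. FIXED_BUILDS is the list the article
quotes from cPanel; the demo inventory is constructed. Branches missing
from the table are reported as having no in-place fix, matching the
article's note that some older tiers need a branch upgrade instead.
"""

FIXED_BUILDS = [
    "11.110.0.97", "11.118.0.63", "11.124.0.35", "11.126.0.54",
    "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5",
]

PATCHED = "patched"
VULNERABLE = "vulnerable"
NO_INPLACE_FIX = "no in-place fix on this branch; upgrade the branch"
UNKNOWN_BRANCH = "branch newer than the advisory table; check cPanel directly"


def parse_version(text):
    """'11.130.0.19' -> (11, 130, 0, 19); raises ValueError on junk."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected cPanel version format: {text!r}")
    return parts


def branch(v):
    """The release tier is the first two components, e.g. (11, 130)."""
    return v[:2]


# branch -> first fixed build on that branch, as comparable tuples
FIXED_BY_BRANCH = {branch(parse_version(b)): parse_version(b) for b in FIXED_BUILDS}
NEWEST_KNOWN_BRANCH = max(FIXED_BY_BRANCH)


def classify(version_text):
    """Classify one installed build string."""
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(branch(v))
    if fixed is None:
        # Older than every listed tier: no point release exists.
        # Newer than every listed tier: the table simply does not cover it.
        return UNKNOWN_BRANCH if branch(v) > NEWEST_KNOWN_BRANCH else NO_INPLACE_FIX
    return PATCHED if v >= fixed else VULNERABLE


def classify_host(version_path="/usr/local/cpanel/version"):
    """Read the installed build from disk (assumed location) and classify it."""
    with open(version_path) as f:
        return classify(f.read())


def triage(inventory):
    """{host: version string} -> {host: status}, tolerating unparsable entries."""
    out = {}
    for host, ver in inventory.items():
        try:
            out[host] = classify(ver)
        except ValueError as e:
            out[host] = f"unparsable ({e})"
    return out


# Constructed fleet inventory for the demo.
SAMPLE_INVENTORY = {
    "web01": "11.130.0.18",  # one build short of the fix
    "web02": "11.130.0.19",  # exactly the fixed build
    "web03": "11.136.0.12",  # later than the fixed build on that branch
    "web04": "11.102.0.30",  # branch absent from the table
    "web05": "11.138.0.3",   # branch newer than anything in the table
    "web06": "n/a",          # inventory gap
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run it against whatever your inventory system exports, then treat every `vulnerable` and `no in-place fix` host as "assume compromise" per the section above, not merely "needs patch". A build that is already at the fixed version only tells you the forgery path is closed now, not that nobody used it earlier.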