cPanel zero-day hits 44,000 IPs
- cPanel’s newly disclosed CVE-2026-41940 moved from quiet zero-day abuse into mass ransomware deployment this week, with “Sorry” attacks hitting exposed hosting servers.
- The detail that makes this ugly is scale — researchers tied pre-encryption scanning to roughly 44,000 IPs before Linux file-locking payloads landed.
- This matters because cPanel sits inside shared hosting. One admin-panel bypass can cascade across many customer websites at once.
Hosting control panels are supposed to be the boring plumbing of the web. But when one of them breaks, the blast radius gets weirdly large, because a single server can sit behind hundreds or thousands of sites. That is the shape of the cPanel story this week. A critical authentication-bypass bug, CVE-2026-41940, went from active zero-day abuse to broad ransomware deployment, and the payload now being linked to it is a Linux encryptor called “Sorry.”

### What actually broke in cPanel?

The bug sits in cPanel & WHM’s authentication flow — basically the code that decides whether a request should be treated as a real logged-in session. cPanel said the issue affected all currently supported versions, and Rapid7 described it as an unauthenticated path to administrative access with a 9.8 CVSS score. That is why defenders treated it as a full server-takeover problem, not a niche panel bug.

### Why is this worse than a normal website bug?

Because cPanel is not one website. It is the management layer for the server itself — mail, domains, databases, accounts, file access, and often reseller environments too. If an attacker gets admin-level control there, the jump from “panel compromise” to “customer sites compromised” is short. In shared hosting, one foothold can expose many unrelated businesses at once.

### When did defenders realize it was already being abused?

Not on disclosure day. cPanel published fixes on April 28, 2026, but reporting around the incident says exploitation attempts go back at least to late February, and SecurityWeek noted signs the zero-day had been abused for months. CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog on April 30, which is the government’s way of saying this is not theoretical anymore.

### Where does the 44,000-IP number fit?

That number appears to describe the campaign’s reach before encryption — broad internet scanning and targeting, not 44,000 confirmed ransomware victims. That distinction matters. Attackers often cast a huge net, probe for exposed or unpatched systems, then deliver the real payload. Tying “Sorry” to this activity frames it as a mass-exploitation operation, not a one-off intrusion.

### What is “Sorry” ransomware?

It is a Linux ransomware payload written in Go, which fits the target set here because cPanel servers are typically Linux boxes. Reporting on the campaign says it encrypts files and uses a hybrid crypto scheme — ChaCha20 for the file data and RSA-2048 to wrap keys. None of that is exotic by ransomware to phish each customer separately.

### Did cPanel ship a fix?

Yes — and fast, once the issue was disclosed. cPanel pushed patched versions across supported release tiers and also published a detection script for indicators of compromise, then updated that script after false-positive complaints from admins. That last detail is small but telling: patching alone is not enough if attackers already touched the box before the fix landed.

### So what do hosting providers need to do now?

First, verify the patched build is actually installed. Then check for persistence — web shells, rogue users, cron jobs, modified session files, unexpected SSH keys, and anything else that would survive an update. The catch is that an auth-bypass zero-day can leave behind admin-level access, so “we patched it” is not the same as “we are clean.”

### Bottom line?

This is a control-plane failure, and those are always dangerous. One bug in cPanel can turn into a multi-tenant hosting incident fast — which is exactly why this one got ugly so quickly.
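A sweep along the lines of the persistence checklist above, written here as an added example (it is not cPanel's published detection script). It assumes a hypothetical `etc/known_keys.allow` allowlist of approved SSH keys and a reference file whose mtime marks the start of the suspicious window; every path is taken relative to a root directory so it can be run against a live host, a mounted image, or a test fixture.

```shell
#!/bin/sh
# Post-patch persistence sweep for a Linux hosting server (added example,
# not cPanel's own tooling). ROOT is the filesystem to inspect ("/" on a
# live host); REF is a file whose mtime marks the start of the window in
# which changes are suspicious (assumption: the late-February window).

# Non-root accounts with UID 0 in an /etc/passwd-format file.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# authorized_keys entries whose key blob is absent from an allowlist.
# $1 = authorized_keys file, $2 = allowlist (one known key line each).
unknown_ssh_keys() {
    awk 'FILENAME == ARGV[1] { known[$2] = 1; next }
         /^(ssh-|ecdsa-)/ && !($2 in known) { print FILENAME ": " ($3 ? $3 : $2) }' "$2" "$1"
}

# Regular files under directory $1 modified after reference file $2.
changed_since() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# Run every check against ROOT ($1) with reference file REF ($2);
# prints one tagged finding per line, nothing when the host looks clean.
sweep() {
    root=$1; ref=$2
    allow="$root/etc/known_keys.allow"   # hypothetical allowlist location
    [ -f "$allow" ] || allow=/dev/null   # no allowlist: every key is unknown
    extra_uid0 "$root/etc/passwd" | sed 's/^/UID0 account: /'
    for keys in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        if [ -f "$keys" ]; then
            unknown_ssh_keys "$keys" "$allow" | sed 's/^/unknown ssh key: /'
        fi
    done
    for d in etc/cron.d var/spool/cron; do
        changed_since "$root/$d" "$ref" | sed 's/^/cron changed: /'
    done
    # PHP files touched inside customer web roots after REF are web-shell candidates.
    find "$root/home" -path '*/public_html/*' -name '*.php' -newer "$ref" 2>/dev/null \
        | sort | sed 's/^/web file changed: /'
}

# Usage: sweep.sh ROOT REF_FILE   (e.g. sweep.sh / /var/log/patch-marker)
if [ $# -ge 2 ]; then sweep "$1" "$2"; fi
```

Review each finding against the patch history and the customer's own records before acting on it; a fresh cron entry or a new key is a lead, not a verdict.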