CVE-2026-41940: the cPanel vulnerability exploited for "Sorry" ransomware attacks

A critical authentication bypass in cPanel and WHM, tracked as CVE-2026-41940, is being exploited at scale to take over hosted websites and deploy the "Sorry" ransomware. cPanel shipped an emergency update this week, but the flaw had already been abused as a zero-day: the earliest observed exploitation attempts date to late February, so a server that was reachable and unpatched during that window should be checked for compromise, not just patched.

44,000 IP addresses compromised in ongoing attacks

According to Shadowserver, at least 44,000 IP addresses running cPanel have been compromised in the ongoing attacks. The bypass lets an attacker log into the control panel without valid credentials, which amounts to administrative access to everything the panel manages: the website's files and backend, webmail, and databases.

Sorry ransomware: a Go-based encryptor for Linux

Attackers are using CVE-2026-41940 to drop a Go-based encryptor for the "Sorry" ransomware built specifically for Linux. The encryptor encrypts file contents with the ChaCha20 stream cipher, renames each encrypted file with a ".sorry" extension, and protects the ChaCha20 key by encrypting it with an RSA-2048 public key embedded in the binary; only the holder of the matching private key can recover it.

Decryption impossible without the RSA-2048 private key

According to ransomware researcher Rivitna, files encrypted by "Sorry" cannot be decrypted without the matching RSA-2048 private key, which only the operator holds: the 256-bit ChaCha20 key exists on the victim's disk only in RSA-wrapped form, and neither RSA-2048 nor a 256-bit symmetric key is brute-forceable. The encryptor drops a ransom note named README.md in every folder it touches, telling the victim to contact the operator over Tox to negotiate a payment.
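To make concrete why the private key is the only way back, here is an added example, written for this article and not code from the Sorry encryptor, of the hybrid scheme the two paragraphs above describe: a fresh ChaCha20 key and nonce per file, wrapped with an embedded RSA-2048 public key. The ChaCha20 block function is written out against RFC 8439 so the program depends only on the Go standard library; the header layout, the use of RSA-OAEP, and the block counter starting at 1 are this example's own choices and say nothing about the real malware's file format.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// chacha20Block: one 64-byte keystream block per RFC 8439 section 2.3 (standard library only).
func chacha20Block(key [32]byte, counter uint32, nonce [12]byte) [64]byte {
	le := binary.LittleEndian.Uint32
	var s [16]uint32
	s[0], s[1], s[2], s[3] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 // "expand 32-byte k"
	for i := 0; i < 8; i++ {
		s[4+i] = le(key[4*i:])
	}
	s[12], s[13], s[14], s[15] = counter, le(nonce[0:]), le(nonce[4:]), le(nonce[8:])
	w := s // working copy; the quarter-round closure mutates it in place
	qr := func(a, b, c, d int) {
		w[a] += w[b]; w[d] = bits.RotateLeft32(w[d]^w[a], 16)
		w[c] += w[d]; w[b] = bits.RotateLeft32(w[b]^w[c], 12)
		w[a] += w[b]; w[d] = bits.RotateLeft32(w[d]^w[a], 8)
		w[c] += w[d]; w[b] = bits.RotateLeft32(w[b]^w[c], 7)
	}
	for i := 0; i < 10; i++ { // 10 double rounds = 20 rounds
		qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15) // column round
		qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14) // diagonal round
	}
	var out [64]byte
	for i := range w {
		binary.LittleEndian.PutUint32(out[4*i:], w[i]+s[i])
	}
	return out
}

// chacha20XOR applies the keystream (encrypt and decrypt are the same operation); the block counter starts at 1.
func chacha20XOR(key [32]byte, nonce [12]byte, data []byte) []byte {
	out := make([]byte, len(data))
	for off, ctr := 0, uint32(1); off < len(data); off, ctr = off+64, ctr+1 {
		ks := chacha20Block(key, ctr, nonce)
		for j := 0; j < 64 && off+j < len(data); j++ {
			out[off+j] = data[off+j] ^ ks[j]
		}
	}
	return out
}

func splitKeyMaterial(km []byte) (key [32]byte, nonce [12]byte) {
	copy(key[:], km[:32])
	copy(nonce[:], km[32:44])
	return
}

// encryptFile: random 32-byte key + 12-byte nonce per file, RSA-OAEP-wrapped; layout [wrapped][ciphertext].
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	km := make([]byte, 44)
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, km, nil)
	if err != nil {
		return nil, err
	}
	key, nonce := splitKeyMaterial(km)
	return append(wrapped, chacha20XOR(key, nonce, plaintext)...), nil
}

// decryptFile: only the RSA private key can unwrap the header, and OAEP rejects any other key.
func decryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size() // 256 bytes for RSA-2048
	if len(blob) < n {
		return nil, fmt.Errorf("blob of %d bytes is shorter than the %d-byte header", len(blob), n)
	}
	km, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:n], nil)
	if err != nil || len(km) != 44 {
		return nil, fmt.Errorf("cannot unwrap the file key (wrong private key?): %v", err)
	}
	key, nonce := splitKeyMaterial(km)
	return chacha20XOR(key, nonce, blob[n:]), nil
}

func mustKey() *rsa.PrivateKey { // fresh RSA-2048 key pair; panics only if the OS CSPRNG is unavailable
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	operator, other := mustKey(), mustKey() // only operator.PublicKey would ship inside the binary
	plaintext := []byte("<?php // constructed sample standing in for a victim's site file\n")
	blob, _ := encryptFile(&operator.PublicKey, plaintext)
	back, err := decryptFile(operator, blob)
	fmt.Println("operator's private key recovers the file:", err == nil && string(back) == string(plaintext))
	_, err = decryptFile(other, blob)
	fmt.Println("any other RSA-2048 key fails:", err != nil)
}
```

Run it with go run: it generates an operator key pair, encrypts a constructed sample, shows the round trip with the right private key and the failure with a different RSA-2048 key. The point for defenders is in decryptFile: the ChaCha20 key is only ever present inside the OAEP-wrapped header, so no amount of analysing the binary or the ciphertext recovers it, and a second key pair (standing in for "the attacker's private key is not available") cannot unwrap it.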

The ransom note and Tox ID

The ransom note is identical for every victim of this campaign and carries the Tox ID "3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724" as the only contact channel. A 2018 campaign also appended the .sorry extension, but it was built on the HiddenTear encryptor; the current campaign uses a different encryptor and is unrelated, so decryptors written for that older family will not help here.

Urgent security updates for cPanel and WHM

All cPanel and WHM operators should install the available security updates immediately (cPanel's updater is /scripts/upcp, and /usr/local/cpanel/cpanel -V prints the installed version so the result can be verified). The attacks have only just begun, and exploitation is expected to increase over the coming days and weeks. Patching stops new intrusions but does not undo an existing one, so hosts that were exposed before the update also need a compromise check.

Security implications and mitigation measures

The severity is compounded by the fact that exploitation is not theoretical: the bypass is being used in the wild to deliver ransomware. Organizations running cPanel and WHM must apply the update now and then look for signs of compromise on every exposed host: files renamed with the .sorry extension, README.md ransom notes containing the Tox ID above, unexpected administrative logins or new accounts in WHM, and the encryptor binary itself. Any hit should be treated as an active incident, with the host isolated before recovery starts.
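A first-pass sweep for the indicators this article names, as an added example and not a tool from cPanel, Shadowserver or Rivitna: it walks a directory tree, collects files carrying the .sorry extension and README.md files whose content contains the campaign's Tox ID, and records which directories hold a note. README.md is matched on content rather than name because nearly every code repository has one. The sample tree it builds when run without arguments is constructed for the demonstration; pass a real path (for example a hosting account's home directory) to sweep a host.

```go
package main

import (
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Indicators quoted in the article: the extension, the note filename and the note's Tox ID.
const (
	sorryExt   = ".sorry"
	noteName   = "README.md"
	sorryToxID = "3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724"
)
type Findings struct {
	EncryptedFiles []string        // paths ending in .sorry
	RansomNotes    []string        // README.md files whose content carries the Tox ID
	NoteDirs       map[string]bool // directories holding such a note (one is dropped per folder)
}

// scanForSorry walks root and collects indicators. README.md is an ordinary filename
// (nearly every repository has one), so a note counts only when its content matches.
func scanForSorry(root string) (Findings, error) {
	f := Findings{NoteDirs: map[string]bool{}}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if d == nil {
				return err // the root itself is missing or unreadable: report it, don't hide it
			}
			return nil // unreadable subtree: skip it and keep sweeping
		}
		if d.IsDir() {
			return nil
		}
		switch {
		case strings.HasSuffix(d.Name(), sorryExt):
			f.EncryptedFiles = append(f.EncryptedFiles, path)
		case d.Name() == noteName:
			if hit, err := fileContains(path, sorryToxID); err == nil && hit {
				f.RansomNotes = append(f.RansomNotes, path)
				f.NoteDirs[filepath.Dir(path)] = true
			}
		}
		return nil
	})
	return f, err
}

// fileContains reads at most 1 MiB of path (ransom notes are small) and looks for needle.
func fileContains(path, needle string) (bool, error) {
	fh, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer fh.Close()
	b, err := io.ReadAll(io.LimitReader(fh, 1<<20))
	return strings.Contains(string(b), needle), err
}

// buildSampleTree writes a constructed hosting-account layout so the sweep runs offline.
func buildSampleTree(dir string) error {
	note := "Your files are encrypted.\nContact us on Tox: " + sorryToxID + "\n"
	files := map[string]string{
		"public_html/index.php.sorry":       "opaque ciphertext",
		"public_html/images/logo.png.sorry": "opaque ciphertext",
		"public_html/README.md":             note,
		"public_html/images/README.md":      note,
		"repos/project/README.md":           "# project\n\nAn ordinary readme, not a ransom note.\n",
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root := ""
	if len(os.Args) > 1 {
		root = os.Args[1] // sweep a real path, e.g. a hosting account's home directory
	} else if tmp, err := os.MkdirTemp("", "sorry-sweep-"); err == nil && buildSampleTree(tmp) == nil {
		defer os.RemoveAll(tmp)
		root = tmp
	}
	f, err := scanForSorry(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted files: %d, ransom notes: %d, directories with notes: %d\n", len(f.EncryptedFiles), len(f.RansomNotes), len(f.NoteDirs))
}
```

Two design points matter in practice. A missing or unreadable root is returned as an error rather than swallowed, because a typo in the path must not look like a clean host; unreadable subdirectories are skipped so one permission problem does not abort the sweep. And the sweep is read-only: it never opens a .sorry file and never deletes a note, since both are evidence an incident responder will want intact.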

The importance of vulnerability management and incident response

This incident underscores the value of disciplined vulnerability management and a rehearsed incident response process. The practical measures are unglamorous: apply vendor security updates promptly (for internet-facing management panels, within hours rather than weeks), monitor systems continuously, and train staff. Equally important is a written incident response plan that says who isolates a host, who restores from backup, and who informs customers, so that those decisions are not improvised while files are being encrypted.

Preparing for future threats

While the "Sorry" campaign currently rides on CVE-2026-41940, new threats and vulnerabilities will follow. Organizations should remain vigilant and prepare for them by investing in security tooling, exchanging experience at industry events such as the Autonomous Validation Summit, and maintaining a strong security culture.

The economic impact and industry response

The "Sorry" attacks are having a significant effect on the web hosting sector. Preliminary, unattributed estimates put the cost to an affected company at tens to hundreds of thousands of euros once ransom demands, reputational damage, and downtime are counted. Some hosting providers already report a surge in support and recovery requests, which is straining their resources.

Advanced defense strategies

In response, security practitioners recommend defence in depth. For cPanel and WHM specifically, the most effective layer is exposure reduction: do not leave the cPanel (2082/2083), WHM (2086/2087) and webmail (2095/2096) ports open to the whole internet; restrict them to known management addresses or a VPN, and put intrusion detection or a web application firewall in front of whatever must stay reachable. Zero trust practices, which grant access to sensitive data only to authenticated and verified identities, also belong here, with one caveat: an authentication bypass defeats the panel's own checks, so the control that catches it has to sit outside the panel.

The role of training and awareness

Staff training remains important in preventing ransomware generally: many incidents start with a single human error, such as clicking a malicious link or visiting a compromised site. This campaign is also a reminder of the limits of that defence: it exploits a server-side flaw and requires no action by any user, so awareness programs should sit alongside patching and exposure reduction, not in place of them.

The evolution of ransomware threats

Ransomware attacks continue to grow in sophistication. Recent research points to advanced social engineering, including targeted phishing and deepfakes, as a way in, and ransomware-as-a-service (RaaS) lowers the bar further by letting affiliates with little technical skill run attacks with someone else's tooling.

Best practices for post-breach recovery

In case of a breach, a well-defined recovery plan is essential. It should include regular backups kept off-site and, critically, unreachable with the credentials of the systems they protect, since a backup mounted on the compromised host or reachable through the same control panel will be encrypted along with everything else; an inventory of critical resources; and clear procedures for communicating with stakeholders. Cyber insurance can also be considered to offset the financial cost of an attack.

The importance of public-private collaboration

The fight against ransomware requires collaboration between the public and private sectors. Organizations should take part in information-sharing initiatives such as those run by national CERTs and sector ISACs to exchange threat intelligence (for this campaign, the Tox ID and the .sorry extension are the obvious indicators to share) and best practices. Working with law enforcement is equally important, both to pursue the operators and to prevent future attacks.

Preparing for the future

While the "Sorry" attacks are an immediate threat, the threat landscape will keep moving. Emerging technologies such as artificial intelligence and machine learning can improve real-time detection and response, but they pay off only when the basics described above, timely patching, reduced exposure of management interfaces, and tested backups, are already in place.

Conclusions

CVE-2026-41940 and the "Sorry" ransomware attacks show why proactive security matters. Organizations running cPanel or WHM must patch now, check every exposed host for compromise, and prepare for what comes next. Sound vulnerability management, limited exposure of management interfaces, tested backups and a genuine security culture are what keep an incident like this survivable.

Editorial Note and Disclaimer

The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.

GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not engage in real-time information activities.

The GoYou project does not provide professional, technical, legal, or financial advice and disclaims all liability for the misuse of the information published.

In the Crypto sector, every investment involves risks: readers are advised to always inform themselves independently before making any decisions.