HackMyIP
2026-05-02 BleepingComputer

Critical cPanel Flaw CVE-2026-41940 Fueling 'Sorry' Ransomware Attacks

Ransomware, Zero-Day, Vulnerability

A newly disclosed vulnerability in cPanel, tracked as CVE-2026-41940, is being actively exploited in the wild as part of a coordinated ransomware campaign dubbed "Sorry." Security researchers first observed mass exploitation attempts targeting web servers that run the popular control panel, using the flaw to gain unauthorized access before deploying ransomware payloads.

The flaw resides in cPanel's webmail component, where insufficient input validation allows remote, unauthenticated attackers to execute arbitrary code. By chaining this initial foothold with standard privilege‑escalation techniques, the threat actors deploy the "Sorry" ransomware, which rapidly encrypts files and can exfiltrate data for double‑extortion pressure.

The campaign has already compromised thousands of sites, ranging from small‑business portals to large‑scale enterprise hosting environments. Victims report that the ransomware not only locks critical data but also threatens to leak stolen information unless a ransom is paid, heightening the urgency for immediate action.

cPanel has released an emergency patch addressing CVE-2026-41940, and administrators are strongly urged to update their installations without delay. Additional mitigations include disabling unused modules, enforcing multi‑factor authentication, and monitoring for indicators of compromise such as unexpected scheduled tasks or unusual outbound traffic.

Source: BleepingComputer
