cPanel Flaw Under Mass Exploitation in Sorry Ransomware Attacks

cPanel flaw – Misryoum reports a critical cPanel authentication-bypass flaw is being exploited to deploy “Sorry” Linux ransomware.
A critical cPanel flaw is already being exploited at scale, and Misryoum reports it is now tied to “Sorry” ransomware attacks that lock down Linux-hosted sites.
Tracked as CVE-2026-41940, the weakness is an authentication bypass affecting WHM and cPanel, the widely used Linux control panels that manage everything from server administration to website backends, webmail and databases. In this context, a successful bypass can give attackers a foothold deep enough to move from access to encryption.
Misryoum notes that an emergency update for WHM and cPanel was released specifically to address the control-panel access issue, but the window between disclosure and patching is where attackers tend to strike first.
Security teams should treat this as a priority patching event. When control panel access is compromised, the blast radius can expand quickly across hosted assets.
The attack activity has been reported as active in the wild shortly after the fix became available, with exploitation attempts dating back to late February. Misryoum says mass scanning and compromise patterns suggest the flaw is being used as an entry point, followed by ransomware deployment aimed at encrypting files and disrupting operations.
In the “Sorry” ransomware campaign, the encryptor is designed for Linux systems and appends the “.sorry” extension to files it targets. Misryoum also reports that the malware generates a ransom note named README.md in affected folders, directing victims to contact the threat actor to discuss payment.
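A defender-side triage check built from the two indicators above (the “.sorry” extension and the README.md note), written as an added example rather than code from the article or from cPanel; the directory layout it scans is constructed inline and the paths are hypothetical:

```python
"""Triage scan for the "Sorry" ransomware indicators reported in the article:
files renamed with a ".sorry" extension and a README.md ransom note dropped
into affected directories. Added example, not code from the article or from
cPanel/WHM; the sample directory layout below is constructed for the demo."""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".sorry"   # extension the encryptor appends (per article)
NOTE_NAME = "README.md"       # ransom note file name (per article)


def scan_for_sorry_indicators(root):
    """Walk `root` and return {directory: {"encrypted": n, "note": bool}}
    for every directory holding at least one indicator. A directory with
    both encrypted files and a note is the strong signal; a lone README.md
    (common in legitimate web roots) is reported but is not a hit by itself."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                hits[dirpath]["encrypted"] += 1
            elif name == NOTE_NAME:
                hits[dirpath]["note"] = True
    return dict(hits)


def confirmed_hits(results):
    """Directories showing both indicators, for escalation to incident response."""
    return {d: v for d, v in results.items() if v["note"] and v["encrypted"] > 0}


def build_sample_tree():
    """Constructed sample (hypothetical paths): one hit web root beside a
    clean project that legitimately ships its own README.md."""
    root = tempfile.mkdtemp(prefix="sorry-demo-")
    hit = os.path.join(root, "home", "site1", "public_html")
    clean = os.path.join(root, "home", "site2", "app")
    os.makedirs(hit)
    os.makedirs(clean)
    for f in ("index.php.sorry", "wp-config.php.sorry", NOTE_NAME):
        open(os.path.join(hit, f), "w").close()
    for f in ("index.php", NOTE_NAME):
        open(os.path.join(clean, f), "w").close()
    return root, hit, clean


if __name__ == "__main__":
    root, hit, clean = build_sample_tree()
    results = scan_for_sorry_indicators(root)
    for d, v in sorted(results.items()):
        print(f"{d}: encrypted={v['encrypted']} note={v['note']}")
    print("escalate:", list(confirmed_hits(results)))  # prints only the hit dir
```

Only the directory with both indicators is escalated; the clean project's README.md is listed but not flagged.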
What makes this especially concerning is that ransomware is rarely the only step. Once attackers gain control of hosting infrastructure, they can also assess data exposure and persistence options alongside encryption.
Misryoum further reports that attempts to recover encrypted files hinge on possession of the specific private key needed for decryption. Without that key, victims are left with limited recovery paths and are forced into incident response mode rather than normal restoration.
For administrators and hosting providers, Misryoum’s takeaway is straightforward: apply the available WHM and cPanel security updates immediately to close the authentication bypass and reduce the chance of further compromises. This wave appears to be underway, and escalation often follows when patch adoption lags.