CVE-2026-41940 affects cPanel and is under active exploitation by threat actors deploying Sorry ransomware. Attackers leverage this vulnerability to gain initial access to web hosting infrastructure, then encrypt victim data for ransom demands.
The flaw enables unauthenticated or low-privilege attackers to execute arbitrary code on cPanel servers. This attack vector bypasses typical perimeter defenses since cPanel often sits behind trusted administrative interfaces. Sorry ransomware operators have weaponized the exploit at scale, targeting hosting providers and their customers simultaneously.
Patching is the first priority: cPanel users should apply available security updates without delay. Organizations hosting websites on cPanel infrastructure should verify patch status with their providers. Network defenders should implement segmentation around cPanel administrative interfaces and restrict access to known administrator IP ranges.
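One way to verify that the administrator IP restriction actually holds, shown as an added example that is not part of the original advisory: the script counts requests that reached the administrative ports from sources outside an allowlist. The allowlist ranges, the sample log lines and the log layout (client IP first, listening port last) are assumptions; 2083 and 2087 are the default TLS ports for cPanel and WHM.

```python
import ipaddress
from collections import Counter

# Assumption: placeholder admin ranges (RFC 5737 documentation space).
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.10/32")]
# Default TLS ports for cPanel (2083) and WHM (2087).
ADMIN_PORTS = {2083, 2087}

# Constructed sample lines. Assumed layout: client IP first, listening port last.
SAMPLE_LOG = """\
192.0.2.5 - root [04/28/2026:10:00:01 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" 2087
203.0.113.77 - - [04/28/2026:10:02:13 -0000] "POST /login/ HTTP/1.1" 401 0 "-" "curl/8.5" 2087
203.0.113.77 - - [04/28/2026:10:02:14 -0000] "POST /login/ HTTP/1.1" 401 0 "-" "curl/8.5" 2083
198.51.100.10 - admin [04/28/2026:10:05:40 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" 2083
198.51.100.200 - - [04/28/2026:10:06:02 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" 2087
203.0.113.9 - - [04/28/2026:10:07:55 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" 2096
truncated line without the expected fields
"""

def is_allowed(ip):
    """True when the address falls inside any allowlisted admin range."""
    return any(ip in net for net in ADMIN_ALLOWLIST)

def parse_line(line):
    """Return (client_ip, port), or None when the line does not fit the assumed layout."""
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        return ipaddress.ip_address(fields[0]), int(fields[-1])
    except ValueError:
        return None

def off_allowlist_admin_hits(log_text):
    """Count requests to admin ports per source IP outside the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the audit
        ip, port = parsed
        if port in ADMIN_PORTS and not is_allowed(ip):
            hits[str(ip)] += 1
    return hits

if __name__ == "__main__":
    for ip, count in off_allowlist_admin_hits(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} request(s) to admin ports from outside the allowlist")
```

Any non-empty result means the firewall or segmentation rule is not enforcing the allowlist, regardless of whether the requests succeeded.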
The Sorry ransomware campaign demonstrates how disclosure of hosting control panel flaws creates industry-wide risk. A single vulnerability affects hundreds of thousands of websites across multiple customers. Sorry operators are actively scanning for unpatched instances, indicating exploitation occurs within hours of public disclosure.
Organizations should assume Sorry operators maintain persistent access to unpatched systems. Post-exploitation forensics and credential rotation are necessary even after patching.
