cPanel CVE-2026-41940: How 44,000 Servers Were Compromised in a Week by a Single Authentication Bypass
A single authentication bypass in cPanel has become the fastest-spreading web server compromise of 2026. CVE-2026-41940, disclosed just one week ago, has already allowed attackers to seize control of more than 44,000 servers, deploy a new ransomware strain called Sorry, and pivot from mass opportunistic attacks to targeted campaigns against government and military networks across Southeast Asia.
If your organization runs a website on shared hosting, manages servers through cPanel or WHM, or relies on a hosting provider that does, this vulnerability is not a distant threat. It is an active, ongoing incident that has already affected thousands of businesses and is still evolving.
The Scope: From 1.5 Million Exposed Servers to 44,000 Compromised
The Numbers That Matter
The scale of CVE-2026-41940 is staggering. Security researchers estimate that approximately 1.5 million cPanel and WHM instances are exposed to the internet. Of those, the Shadowserver Foundation detected 44,000 unique IP addresses actively engaging in scanning, exploitation, and brute-force attacks against its honeypot sensors as of April 30, 2026.
That number has since dropped to roughly 2,000 confirmed compromised instances, but this decline is misleading. Attackers do not need to maintain a persistent presence on every server they breach. Many have already extracted data, deployed ransomware, or established backdoors and moved on.
Key Stat: 44,000 servers were compromised in approximately 72 hours after public proof-of-concept code became available. The window between disclosure and mass exploitation was less than three days.
Common Mistake: Assuming that because the number of actively compromised servers has dropped, the threat has passed. Many of those 44,000 systems were likely encrypted, backdoored, or had credentials harvested before the attacker moved on.
Geographic Distribution
The majority of affected systems are located in the United States, with France and the Netherlands rounding out the top three. This reflects the global distribution of shared hosting infrastructure rather than any targeted geographic focus by the initial wave of attackers. However, as we will see, that has changed.
How the Exploit Works: A CRLF Injection Becomes Total Server Control
The Technical Breakdown
CVE-2026-41940 is a pre-authentication remote authentication bypass caused by a CRLF (Carriage Return Line Feed) injection in cPanel's login and session handling logic. The vulnerability carries a CVSS score of 9.8 and requires no authentication, privileges, or user interaction.
The attack works in three stages:
Session File Injection - The attacker sends a malicious HTTP Basic Authorization header containing raw carriage return and line feed characters. The cpsrvd daemon writes this header into a session file without sanitization, allowing the attacker to inject arbitrary properties.
Encryption Bypass - By manipulating the whostmgrsession cookie, the attacker skips the per-session encryption step. This allows the injected session properties to be read by the server in plaintext.
Privilege Escalation - The attacker reloads the manipulated session file, which now contains properties like user=root, hasroot=1, and successful_internal_auth_with_timestamp. The server treats this as a fully authenticated administrative session.
Key Stat: The entire exploit chain can be executed with a single HTTP request. No credentials, no social engineering, and no prior access are required.
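A toy session store, added here as an illustration and not cPanel's own code, showing why writing a header value verbatim into a line-oriented session file is dangerous and what the hardened write looks like. The key=value file format, the authheader property name and the function names are assumptions; only the user, hasroot and CR/LF details come from the description above.

```python
import re

# Any ASCII control character, including CR (\x0d) and LF (\x0a).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def write_session_unsafe(props):
    """Vulnerable pattern (assumed, for illustration): every value is
    written verbatim, so a value carrying raw CR/LF becomes extra
    key=value lines in the stored session."""
    return "".join(f"{k}={v}\n" for k, v in props.items())


def write_session_safe(props):
    """Hardened pattern: reject control characters in keys and values
    before anything reaches the session store."""
    for k, v in props.items():
        if CONTROL_CHARS.search(str(k)) or CONTROL_CHARS.search(str(v)):
            raise ValueError(f"control character in session property {k!r}")
    return "".join(f"{k}={v}\n" for k, v in props.items())


def read_session(blob):
    """Line-oriented reader: a later line silently overrides an earlier
    one, which is what lets an injected hasroot=1 replace the real value."""
    session = {}
    for line in blob.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            session[k.strip()] = v.strip()
    return session


# Constructed sample: a header value that smuggles two extra lines, the
# same kind of residue the article describes in manipulated session files.
TAINTED = {"user": "alice", "hasroot": "0",
           "authheader": "alice\r\nuser=root\r\nhasroot=1"}


def demo():
    """Return (what the unsafe store reads back, whether the safe store refused)."""
    leaked = read_session(write_session_unsafe(TAINTED))
    try:
        write_session_safe(TAINTED)
        refused = False
    except ValueError:
        refused = True
    return leaked, refused
```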
What Compromise Means
A successful exploit grants the attacker full administrative control of WHM, the root-level management interface. On shared hosting infrastructure, this is effectively a compromise of every website, database, email account, and configuration file on that server. The attacker can:
- Create or delete hosting accounts
- Access all databases and email inboxes
- Modify website files to inject malware or defacement
- Deploy ransomware across the entire server
- Use the compromised server as a launchpad for further attacks
Pro Tip: If you are on shared hosting, you do not control whether your provider patches cPanel. Contact them directly and ask for confirmation that CVE-2026-41940 has been patched. If they cannot provide it, consider migrating to a provider that can.
The Sorry Ransomware Campaign: Mass Exploitation in Action
From Authentication Bypass to Ransomware Deployment
Within days of the vulnerability's disclosure, attackers began mass-exploiting CVE-2026-41940 to deploy a new ransomware strain called Sorry. The encryptor is written in Go and targets Linux servers. It appends the .sorry extension to encrypted files and drops a ransom note instructing victims to contact the attackers via the Tox messaging protocol.
Internet scanner Censys has identified 8,859 hosts exposing open directories where filenames end in .sorry. Of those, 7,135 are confirmed to be running cPanel or WHM, providing strong evidence of large-scale automated exploitation.
The Ransom Demands
The Sorry ransomware campaign uses two distinct monetization strategies:
- Primary Campaign: Victims are instructed to pay 0.1 BTC and tweet a specific message to attract the attackers' attention for decryption assistance.
- Secondary Campaign: Some victims receive ransom notes demanding payment via Tox with no public social media component.
In both cases, attackers are reportedly wiping backups to prevent recovery, a tactic that has become standard in modern ransomware operations.
Key Stat: Google has indexed dozens of websites that at some point displayed Sorry ransomware defacement messages. Some of those sites now load normally, suggesting either successful recovery or that the defacement was temporary.
Timeline of the Mass Exploitation
- Late February 2026: Evidence suggests targeted zero-day exploitation may have begun, two months before public disclosure.
- April 28, 2026: cPanel releases emergency security patches.
- April 29, 2026: CVE-2026-41940 is assigned. watchTowr publishes technical analysis and proof-of-concept code.
- April 30, 2026: Shadowserver reports 44,000 compromised IP addresses. Mass exploitation peaks.
- May 1, 2026: CISA adds CVE-2026-41940 to the Known Exploited Vulnerabilities catalog with a May 3 remediation deadline for federal agencies.
- May 2, 2026: Ctrl-Alt-Intel detects a previously unknown threat actor pivoting from mass exploitation to targeted attacks against government and military networks.
The Pivot to Targeted Attacks: Government and Military Networks Under Fire
From Opportunistic to Strategic
The most alarming development in the CVE-2026-41940 story is the rapid pivot from mass ransomware deployment to targeted espionage and data theft. On May 2, 2026, researchers at Ctrl-Alt-Intel detected a previously unknown threat actor exploiting the same vulnerability to attack government and military entities in Southeast Asia.
The targeted organizations include:
- Philippines: Government and military domains (*.gov.ph and *.mil.ph)
- Laos: Government domains (*.gov.la)
- Canada, South Africa, and the U.S.: Managed service providers and hosting companies
The Attack Infrastructure
The threat actor operates from the IP address 95.111.250.175 and uses publicly available proof-of-concept code from watchTowr and other security researchers. This is not a sophisticated custom exploit; it is a threat actor with a target list and the ability to use existing tools.
Once inside a compromised server, the attacker deploys:
- AdaptixC2: A command-and-control framework for remote management of compromised endpoints
- OpenVPN and Ligolo: Tools for establishing persistent access and pivoting into internal networks
- Systemd persistence: Ensuring access survives reboots and patching attempts
The Exfiltration
Ctrl-Alt-Intel's analysis revealed that the threat actor used this access to exfiltrate a substantial corpus of Chinese railway-sector documents from one compromised network. This suggests the campaign may be part of a broader intelligence-gathering operation rather than purely financially motivated crime.
Key Takeaway: The same vulnerability that fuels mass ransomware campaigns is also being used for nation-state-style espionage. If your server is vulnerable, you are not just at risk of encryption. You are at risk of silent, long-term compromise and data theft.
Who Is Affected: The Full Risk Picture
Critical Risk: Shared Hosting Customers
If your website runs on shared hosting, you are entirely dependent on your hosting provider to patch cPanel. You cannot patch it yourself. The vulnerability compromises the entire server, meaning your site, data, and customer information are at risk regardless of how secure your own application is.
Immediate Action: Contact your hosting provider and demand confirmation that CVE-2026-41940 has been patched. If they cannot provide it, consider migrating.
High Risk: VPS and Dedicated Server Administrators
If you manage your own cPanel or WHM installation, you are directly responsible for patching. All supported versions after 11.40 are vulnerable. Patched releases are available for seven version branches:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
- WP Squared 11.136.1.7
Critical Note: Servers with auto-update disabled or version pinning will not patch automatically. You must manually update and restart cpsrvd after patching.
Medium Risk: Organizations Using Managed Hosting Providers
If you use a managed hosting provider, verify that they have patched. Do not assume. The 44,000 compromised servers include systems at hosting providers of all sizes.
Lower Risk: Organizations Not Using cPanel
If your infrastructure does not use cPanel, WHM, or WP Squared, you are not directly vulnerable to CVE-2026-41940. However, the broader lesson applies: management interfaces for critical infrastructure are high-value targets, and authentication bypasses in these interfaces can have catastrophic consequences.
Common Mistake: Believing that because you use a managed service, you do not need to verify patching. Managed does not mean automatically patched. Verification is always your responsibility.
Immediate Defenses: Patch, Detect, and Respond
Priority 1: Patch Immediately
If you run cPanel or WHM, update to a patched version immediately. After updating, restart the cpsrvd daemon:
/scripts/restartsrv_cpsrvd
If you cannot patch immediately, cPanel has published detection scripts to identify exploitation indicators. Run them. The scripts check for anomalous session files and unauthorized administrative access.
Priority 2: Credential Rotation
Assume compromise until proven otherwise. Rotate all administrative credentials, API keys, and database passwords. If your server was vulnerable at any point since late February, treat it as potentially compromised.
Priority 3: Backup Verification
The Sorry ransomware campaign specifically targets backups. Verify that your backups are:
- Stored offline or in a separate environment
- Encrypted and access-controlled
- Tested and restorable
Key Stat: Attackers are wiping backups to prevent recovery. If your backups are on the same server or accessible through the same compromised panel, they are at risk.
Priority 4: Detection and Monitoring
Monitor for:
- Unusual administrative logins to WHM or cPanel
- New user accounts created without authorization
- Unexpected file modifications or defacement
- Outbound connections to known malicious IPs, including 95.111.250.175
- Session files containing injected properties like hasroot=1
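An added audit routine, not cPanel's published detection script, that applies two of the indicators above to local data: it scans session-file text for CR/LF injection residue and the privileged properties the article names, and matches connection logs against the reported address 95.111.250.175. The key=value session format, the field names other than those cited above, and the firewall-style log line shape are assumptions, and all sample data is constructed.

```python
import re

# Properties the article names as injected, plus the reported C2 address.
PRIVILEGED = {("user", "root"), ("hasroot", "1")}
TIMESTAMP_KEY = "successful_internal_auth_with_timestamp"
REPORTED_C2_IP = "95.111.250.175"
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
C2_RE = re.compile(r"\b" + re.escape(REPORTED_C2_IP) + r"\b")


def audit_session(text):
    """Audit one session file's text. A file is suspicious when it carries
    injection residue (control characters inside a line, or a key that is
    set twice); privileged properties are listed for the analyst's context,
    since a genuine root session legitimately contains them."""
    injection, privileged, seen = [], [], {}
    for n, line in enumerate(text.split("\n"), 1):
        if CONTROL.search(line):
            injection.append(f"line {n}: control character inside session line")
        key, _, val = line.strip().partition("=")
        if not key:
            continue
        if key in seen:
            injection.append(f"line {n}: key {key!r} already set on line {seen[key]}")
        else:
            seen[key] = n
        if (key, val) in PRIVILEGED or key == TIMESTAMP_KEY:
            privileged.append(f"line {n}: {line.strip()}")
    return {"suspicious": bool(injection),
            "injection": injection, "privileged": privileged}


def flag_c2_connections(log_lines):
    """Return connection-log lines whose peer is the reported C2 address;
    the word boundary keeps an address such as 195.111.250.175 from matching."""
    return [entry for entry in log_lines if C2_RE.search(entry)]


# Constructed samples (not real data): one clean session, one with the
# residue a CR/LF injection leaves, and three firewall-style log lines.
CLEAN_SESSION = "user=alice\nhasroot=0\nsession_started=1777000000\n"
INJECTED_SESSION = ("user=alice\nhasroot=0\n"
                    "authheader=alice\r\nuser=root\r\nhasroot=1\r\n"
                    f"{TIMESTAMP_KEY}=1777000000\n")
CONN_LOG = [
    "2026-05-02T03:14:07Z OUT 203.0.113.10:44512 -> 95.111.250.175:443 SYN",
    "2026-05-02T03:14:09Z OUT 203.0.113.10:44513 -> 198.51.100.7:443 SYN",
    "2026-05-02T03:15:00Z OUT 203.0.113.10:44514 -> 195.111.250.175:443 SYN",
]
```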
Priority 5: Incident Response Preparation
If you discover compromise, assume the attacker has had root access. Rebuilding the server from a known-good backup is the only reliable remediation. Patching alone does not remove backdoors, persistence mechanisms, or stolen credentials.
The Bigger Picture: What CVE-2026-41940 Teaches Us About Web Infrastructure Security
The Speed of Modern Exploitation
CVE-2026-41940 went from disclosure to 44,000 compromised servers in approximately 72 hours. This is not an anomaly. It is the new normal. When proof-of-concept code is published and 1.5 million instances are exposed, mass exploitation is inevitable.
The Shared Hosting Risk Model
Shared hosting concentrates risk. A single compromised WHM instance means dozens or hundreds of websites are compromised simultaneously. For small businesses that rely on shared hosting for cost efficiency, this creates an asymmetric risk profile: they cannot afford dedicated security teams, but they are exposed to the same vulnerabilities as the largest hosting providers.
The Dual-Use Nature of Vulnerabilities
The same flaw that fuels ransomware campaigns is being used for espionage. This duality is increasingly common. Vulnerabilities in widely deployed infrastructure software are valuable to both criminal and nation-state actors, and the line between the two is often blurred.
Key Takeaway: Infrastructure vulnerabilities are no longer just an IT problem. They are a business continuity problem, a legal compliance problem, and a national security problem. The organizations that treat them as such will be the ones that survive.
Conclusion: Act Now or Become a Statistic
CVE-2026-41940 is not a theoretical vulnerability. It is an active, ongoing incident that has already compromised tens of thousands of servers, deployed ransomware at scale, and enabled targeted attacks against government and military networks.
If you run cPanel or WHM, patch now. If you rely on a hosting provider that uses cPanel, verify their patching status now. If you have not checked your backups, tested your incident response plan, or rotated your credentials, do it now.
The 44,000 servers that were compromised in three days are a warning. The next wave of exploitation may not give you three days. It may not give you three hours.
Stay ahead of emerging threats. Subscribe to the Hexon.bot newsletter for weekly cybersecurity insights.