Security · 2 min read

cPanel/WHM under attack: an authentication bypass (CVE-2026-41940) seeded ransomware across thousands of servers

cPanel and its WHM administration panel run a huge slice of the internet’s shared hosting. That is what makes CVE-2026-41940 so alarming: it is an authentication bypass that lets anyone into the panel with no username and no password. Rated CVSS 9.8/9.3, it lets a remote unauthenticated attacker skip the login entirely and act as the server administrator.

The flaw is classified as CWE-306, missing authentication for a critical function. In plain terms, part of the login flow that should have demanded credentials simply did not. Once inside WHM, an attacker holds the keys to the whole server: customer accounts, files, databases, SSH keys, and scheduled tasks.

Why it hit so hard

The worrying part was not just the bug, but how fast it turned into a business. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline of May 3, 2026, forcing US federal agencies to patch right away. A KEV listing usually means something is being used in real attacks, and that held true here.

In the wild, several groups showed up at once. The most visible deployed a Go-based Linux encryptor that appends the .sorry extension to files and demands ransom over Tox. Censys counted 8,859 hosts with files encrypted using that extension, 7,135 of them running cPanel/WHM. In many cases the attackers also wiped backups and left defacement pages demanding 0.1 BTC.

That was not the only payload. A Mirai botnet variant (nuclear.x86) targeted cPanel installs to create persistent admin accounts, disable logging, and drop cryptocurrency miners and DDoS bots. Researchers also flagged espionage campaigns against government and military entities in South-East Asia, with victims across the Philippines, Laos, Canada, South Africa, and the US.

How to tell if you are affected and what to do

If you run an internet-facing cPanel/WHM server, assume you were a target and check the system state:

  • Confirm the installed version with /usr/local/cpanel/cpanel -V and verify the patch is in place.
  • Look in /var/cpanel/sessions/raw/ for suspicious pre-auth session files.
  • Audit WHM for accounts you do not recognize, added SSH keys, or new cron jobs.
  • Run cPanel’s updated detection script. The first release produced false positives, so make sure you have the latest one.
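The first three checks above as POSIX shell functions, written here as an added triage helper rather than cPanel's own detection script. The default paths are the ones named in the list; the 30-day window and the known-good account list are assumptions, and every path argument can be pointed at another directory tree.

```shell
#!/bin/sh
# Post-exposure triage helpers for a cPanel/WHM host (added example, not
# cPanel's script). Paths default to the real locations but are overridable.

# Session files modified within DAYS (default 30, an assumption). The article
# gives no signature for a malicious session, so this is a shortlist for
# manual review, not a verdict.
recent_sessions() {
    dir="${1:-/var/cpanel/sessions/raw}"; days="${2:-30}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -type f -mtime "-$days" | sort
}

# Login-capable accounts (UID 0, or UID >= 1000 with a real shell) that are
# missing from KNOWN, a file with one expected username per line.
unknown_accounts() {
    passwd="${1:-/etc/passwd}"; known="$2"
    [ -r "$known" ] || { echo "usage: unknown_accounts PASSWD KNOWN_LIST" >&2; return 1; }
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ { print $1 }' "$passwd" \
        | sort | grep -vxF -f "$known" || :
}

# authorized_keys files and cron entries changed within DAYS under ROOT
# (default /): the persistence spots the checklist names.
recent_persistence() {
    root="${1:-/}"; root="${root%/}"; days="${2:-30}"
    for d in "$root/root/.ssh" "$root/home" "$root/etc/cron.d" \
             "$root/var/spool/cron" "$root/etc/crontab"; do
        [ -e "$d" ] || continue
        find "$d" \( -name authorized_keys -o -path '*cron*' \) -type f -mtime "-$days"
    done | sort
}

# Version string from the cPanel binary; the fixed version must be taken
# from the vendor advisory, which this example does not hard-code.
cpanel_version() {
    /usr/local/cpanel/cpanel -V 2>/dev/null || echo "cPanel binary not found" >&2
}
```

Run `recent_sessions`, `unknown_accounts /etc/passwd known.txt` and `recent_persistence` as root; anything they print is a lead to investigate by hand, not proof of compromise on its own.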

If you find signs of compromise, patching alone is not enough: the attacker may already have established persistence. Rebuild from a clean backup and rotate every credential on the server. And since the .sorry ransomware also deletes backups, check that your copies live somewhere the server itself cannot reach.

This case closely echoes one we covered before: an authentication bypass in SmarterMail that also ended in ransomware. And MongoBleed had already shown the weight of CISA’s KEV catalog: once a vulnerability lands there, the clock is against you.