A critical authentication bypass vulnerability in cPanel and WebHost Manager is being mass-exploited by threat actors deploying the Sorry ransomware strain, with over 44,000 servers confirmed compromised at peak exploitation. The flaw, tracked as CVE-2026-41940 with a CVSS score of 9.8, allows unauthenticated remote attackers to gain root-level administrative access to vulnerable cPanel servers through a CRLF injection in the login and session-loading processes.

The vulnerability was exploited as a zero-day for at least 30 days before cPanel issued emergency patches on April 28, 2026. Security researchers traced the earliest exploitation activity to February 23, with government and military targets in the Philippines, Laos, and Indonesia among the first victims. CISA added the flaw to its Known Exploited Vulnerabilities catalog on April 30 and mandated federal agencies patch by May 3.

Technical analysis by watchTowr and Rapid7 revealed that the cPanel service daemon writes a pre-authentication session file to disk upon failed login attempts. Attackers can manipulate the whostmgrsession cookie and inject raw CRLF characters through a malicious Authorization header, writing arbitrary session properties such as root-level user access into unvalidated session files. All cPanel versions after 11.40 are affected, encompassing approximately 1.5 million internet-exposed instances.
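As an added defender-side example, not code from the article, watchTowr, Rapid7 or cPanel, the following Python flags requests whose Authorization header or cookie carries raw or percent-encoded CR/LF, and shows the input validation a session-file writer needs before persisting a pre-auth session. The header-map input format, the key=value session layout and the sample requests are assumptions.

```python
import re
from typing import Dict, List, Tuple

# The article names the Authorization header and the whostmgrsession cookie
# as the injection path; CR/LF may arrive raw or percent-encoded.
WATCHED_HEADERS = ("authorization", "cookie")
CRLF_PATTERN = re.compile(r"\r|\n|%0[dD]|%0[aA]")


def find_crlf_injection(request: Dict[str, str]) -> List[str]:
    """One finding per watched header whose raw value carries a CR/LF.
    `request` maps header names to raw values as a reverse proxy or WAF
    sees them before parsing (assumed input format, not cPanel's)."""
    findings = []
    for name, value in request.items():
        if name.lower() in WATCHED_HEADERS and CRLF_PATTERN.search(value):
            findings.append(f"{name}: CR/LF sequence in header value")
    return findings


def scan(requests: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(index, findings) for every request that triggers a finding."""
    return [(i, f) for i, r in enumerate(requests) if (f := find_crlf_injection(r))]


def safe_session_lines(props: Dict[str, str]) -> List[str]:
    """Serialize session properties as key=value lines, refusing any key or
    value that could start a new line. The layout is an assumption; the point
    is the validation the article says the pre-auth session writer lacked."""
    lines = []
    for key, value in props.items():
        if "=" in key or "\r" in key + value or "\n" in key + value:
            raise ValueError(f"unsafe character in session property {key!r}")
        lines.append(f"{key}={value}")
    return lines


# Constructed sample requests, not captured traffic: request 1 hides a raw
# CRLF in the Authorization header, request 2 a percent-encoded one in the cookie.
SAMPLE_REQUESTS = [
    {"Host": "host.example", "Authorization": "Basic dXNlcjpwYXNz",
     "Cookie": "whostmgrsession=abc123"},
    {"Host": "host.example", "Authorization": "Basic dXNlcjpwYXNz\r\nmarker",
     "Cookie": "whostmgrsession=abc123"},
    {"Host": "host.example", "Cookie": "whostmgrsession=abc123%0d%0amarker"},
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {'; '.join(findings)}")
```

Percent-encoded CR/LF in a cookie is flagged as well because some parsers decode it before use; legitimate cookie values rarely contain it, so the false-positive cost is low.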

The Sorry ransomware, a Go-based Linux encryptor using ChaCha20 and RSA-2048 encryption, has encrypted hundreds of websites with ransom notes already indexed by search engines. Security researcher Rivitna confirmed that decryption is impossible without the attacker-held RSA private key. Threat actors are also deploying the AdaptixC2 command-and-control framework alongside Mirai botnet variants through the same vulnerability.

Benjamin Harris, CEO of watchTowr, characterized the flaw as an unauthenticated authentication bypass sitting in front of a meaningful portion of the internet. Multiple hosting providers including Namecheap and KnownHost were forced to emergency-block cPanel ports during the patching process.

Affected organizations should immediately update by running the forced update script and applying the latest security patches. Those unable to patch should block TCP ports 2083, 2087, 2095, and 2096 at the firewall. Post-compromise forensic analysis should check for backdoor accounts, unauthorized SSH keys, systemd persistence units, and command-and-control artifacts.