cPanel/WHM Vulnerability CVE-2026-41940 Under Attack by Sorry Ransomware Group
Severity: High (Score: 75.2)
Sources: Tipranks, www.bleepingcomputer.com, Heise.De
Summary
The Sorry ransomware group is actively targeting cPanel and WHM instances through a critical vulnerability (CVE-2026-41940) that allows attackers to bypass authentication. Since its disclosure on April 29, 2026, over 44,000 successful attacks have been reported globally, with more than 4,000 instances affected in Germany alone. The vulnerability was added to the CISA KEV list on April 30, indicating active exploitation. Attackers deploy ransomware that encrypts files and demands a ransom, with victims currently unable to decrypt their data. Security patches are available, and cPanel developers have provided scripts to help admins identify compromised systems. The rapid exploitation of this vulnerability highlights the urgency for organizations to apply patches immediately.
Key Points:
- CVE-2026-41940 allows attackers to bypass authentication on cPanel/WHM.
- Over 44,000 successful attacks reported worldwide, with 4,000 in Germany.
- Security patches are available, and immediate action is recommended for admins.
Key Entities
- Botnet (attack_type)
- Ransomware (attack_type)
- Germany (country)
- CVE-2026-41940 (cve)
- CWE-287 - Improper Authentication (cwe)
- bleepingcomputer.com (domain)
- Mirai (malware)
- T1486 - Data Encrypted for Impact (mitre_attack)
- cPanel (platform)
- cPanel/WHM (platform)
- Linux (platform)
- Sorry (ransomware_group)