cPanel zero-day CVE-2026-41940 server vulnerability

cPanel Zero-Day Exploited for 64 Days: 44,000 Servers Hacked, Ransomware Deployed


If you run a website on a server with cPanel, stop what you’re doing and read this. A critical authentication bypass vulnerability — CVE-2026-41940 — has been actively exploited since February 2026, a full 64 days before cPanel even published an advisory. At least 44,000 servers have been compromised, a new ransomware strain called “Sorry” is encrypting hosting infrastructure, and Mirai botnet variants are turning breached servers into DDoS weapons.

This is one of the most significant web hosting security incidents in years, and it’s still unfolding. Here’s everything you need to know.

What Happened: The cPanel Catastrophe

On April 28, 2026, cPanel published a security advisory for CVE-2026-41940 — a CVSS 9.8 critical authentication bypass affecting all supported versions of cPanel & WHM (Web Host Manager). Within 24 hours of disclosure, multiple threat actors had weaponized the vulnerability, launching mass exploitation campaigns against internet-facing cPanel installations worldwide.

But here’s the terrifying part: the vulnerability had already been exploited in the wild for at least 64 days before anyone knew it existed. Attackers were quietly compromising servers, establishing persistence, and staging payloads since late February — all while hosting providers and their customers had no idea they were running vulnerable software.

The security research firm watchTowr Labs published a detailed technical analysis under the title “The Internet Is Falling Down”, a title that barely qualifies as hyperbole when you consider that cPanel manages an estimated 20+ million websites globally.

CVE-2026-41940: How the cPanel Authentication Bypass Works

The vulnerability is an authentication bypass caused by a Carriage Return Line Feed (CRLF) injection in cPanel’s login and session-loading code. Here’s the technical breakdown:

Before authentication occurs, cPanel’s service daemon (cpsrvd) writes a new session file to disk. The flaw lies in how the whostmgrsession cookie is processed on its way into that file. An attacker can:

  1. Manipulate the session cookie by omitting an expected segment of the cookie value, so the normal encryption step is skipped
  2. Inject raw \r\n characters via a malicious Basic Authorization header
  3. Write arbitrary properties into their own session file, including user=root

The result? An unauthenticated attacker can forge a root-level session without ever providing valid credentials. No password needed. No brute force required. Just a carefully crafted HTTP request, and you own the server.

Successful exploitation grants the attacker complete control over the cPanel host system, its configurations and databases, and every website it manages. On shared hosting servers, a single compromised cPanel instance can mean hundreds of websites under attacker control simultaneously.
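The injection described above, reduced to a runnable model. This is added example code written for this page, not cPanel’s source: the field names, the key=value session layout, the pre-auth write of a login_attempt line, and the idea that the daemon later believes a user= line found in the file are all assumptions standing in for cPanel’s internals. The vulnerable writer copies the Basic-auth username into the file verbatim; the hardened writer refuses any value containing control characters before anything touches disk.

```python
"""Illustrative model of CRLF injection into a line-oriented session file.

Added example, not cPanel's code: a minimal stand-in for a daemon that
writes a key=value session file before authentication and later trusts
whatever that file says. The field names and file layout are assumptions.
"""
import base64
import binascii
import re

SAFE_KEY = re.compile(r"^[A-Za-z0-9_]+$")


def parse_basic_auth(header_value: str) -> tuple:
    """Decode 'Basic <base64(user:password)>' the way a naive server does."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    user, _, password = raw.partition(":")
    return user, password


def write_session_vulnerable(fields: dict) -> str:
    """Serialize untrusted values verbatim: a CR/LF inside a value starts a new line."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def write_session_hardened(fields: dict) -> str:
    """Refuse any key or value that could break out of the key=value line format."""
    for k, v in fields.items():
        if not SAFE_KEY.match(k):
            raise ValueError(f"bad session key {k!r}")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in v):
            raise ValueError(f"control character in session value for {k!r}")
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def load_session(blob: str) -> dict:
    """A trusting reader: split on \\r?\\n and believe every key=value line."""
    session = {}
    for line in re.split(r"\r?\n", blob):
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


def preauth_session(authorization: str, writer) -> str:
    """Model the pre-auth step: record the login attempt before any password check.

    Only the post-authentication path is supposed to ever write user=...;
    the pre-auth file should carry nothing that grants privilege.
    """
    user, _password = parse_basic_auth(authorization)
    return writer({"login_attempt": user, "authenticated": "0"})


def basic_header(user: bytes, password: bytes) -> str:
    """Build an Authorization header value from raw bytes (no validation, like a client)."""
    return "Basic " + base64.b64encode(user + b":" + password).decode()


# Constructed attacker header: username "x" followed by CRLF and a forged property.
ATTACKER_AUTH = basic_header(b"x\r\nuser=root", b"anything")
# Constructed ordinary login attempt.
LEGIT_AUTH = basic_header(b"guest", b"hunter2")


def forged_session() -> dict:
    """Attacker header through the vulnerable writer, read back as the daemon would."""
    return load_session(preauth_session(ATTACKER_AUTH, write_session_vulnerable))


def legit_session() -> dict:
    """An ordinary login attempt through the hardened writer."""
    return load_session(preauth_session(LEGIT_AUTH, write_session_hardened))


def hardened_outcome() -> str:
    """Attacker header through the hardened writer: rejected before anything is written."""
    try:
        preauth_session(ATTACKER_AUTH, write_session_hardened)
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("vulnerable writer yields:", forged_session())
    print("hardened writer:", hardened_outcome())
```

In the vulnerable path the file ends up containing a user=root line the attacker never had the right to write; a reader that splits on line terminators cannot tell it apart from a line the authenticated path wrote. The fix belongs at the write side (reject control characters in anything derived from the request) rather than at the reader, because by the time the file is parsed the forged line already looks legitimate.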

64 Days as a Zero-Day — The Timeline

The timeline of CVE-2026-41940 reads like a cybersecurity horror story:

  • February 23, 2026 — First confirmed exploitation in the wild. KnownHost CEO Daniel Pearson confirmed seeing attack attempts on this date.
  • February–April 2026 — Quiet exploitation period. Attackers compromise servers, establish backdoors, and stage payloads without detection.
  • April 28, 2026 — cPanel publishes security advisory and releases patches for CVE-2026-41940.
  • April 29, 2026 — watchTowr Labs publishes detailed technical analysis and proof-of-concept.
  • April 30, 2026 — Mass exploitation begins. Shadowserver Foundation detects 44,000+ compromised IPs scanning and attacking honeypots.
  • May 1-4, 2026 — Multiple ransomware and botnet campaigns emerge. Sorry ransomware and Mirai variants begin deploying at scale.

That’s 64 days of silent exploitation before the first patch was available. During that window, attackers could compromise any unprotected cPanel server on the internet with a single HTTP request.

Who Got Hit: Governments, MSPs, and Hosting Providers

According to reporting from The Hacker News, a previously unknown threat actor specifically targeted government and military entities in Southeast Asia, along with managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States.

MSPs are particularly dangerous targets because they manage infrastructure for dozens or hundreds of client organizations. A single compromised MSP can cascade into breaches across its entire customer base, giving the attacker the blast radius of a supply chain attack without having to compromise a software vendor.

Hosting providers face a similar multiplier effect. A shared hosting server running cPanel might host 200-500 websites on a single instance. Compromise one cPanel installation, and you’ve potentially compromised every website on that server — including their databases, email accounts, and customer data.

Meet “Sorry” — The New Ransomware Encrypting Servers

One of the most alarming developments from this vulnerability is the emergence of a new ransomware strain called “Sorry.”

Sorry is a Go-based Linux encryptor specifically designed for server environments. Here’s what makes it notable:

  • Written in Go — Cross-platform by design, making it easy to compile for different Linux architectures
  • Appends .sorry extension to all encrypted files
  • Drops a ransom note instructing victims to contact attackers via Tox, a peer-to-peer encrypted messenger with no central server to subpoena or seize
  • Targets server infrastructure — databases, website files, email stores, and backups

Internet scanner Censys identified 8,859 hosts exposing open directories where filenames end in .sorry, with 7,135 of those confirmed as running cPanel or WHM. That’s over 7,000 hosting servers with confirmed ransomware deployment — and the real number is likely much higher since many compromised servers won’t have exposed directory listings.

Mirai Botnet Returns: Turning cPanel Servers Into Weapons

As if ransomware wasn’t enough, a separate campaign is deploying Mirai botnet variants on compromised cPanel servers. The specific variant — nuclear.x86 — targets vulnerable cPanel installations and performs a series of devastating actions:

  • Creates new administrative accounts for persistent access
  • Disables security logging to cover tracks
  • Modifies firewall rules to allow attacker traffic
  • Drops cryptocurrency miners to generate revenue from stolen compute
  • Installs DDoS bot clients — turning your server into a weapon against others
  • Harvests credentials — including database passwords, email accounts, and FTP credentials

This is the Mirai playbook evolved for 2026. The original Mirai botnet targeted IoT devices like cameras and routers. This variant targets high-bandwidth hosting servers — machines with 1-10 Gbps connections that can generate massive amounts of DDoS traffic.

44,000 Servers and Counting: The Scale of Damage

The Shadowserver Foundation detected at least 44,000 IP addresses likely compromised via CVE-2026-41940 on April 30 alone. These compromised servers were actively scanning and brute-forcing other targets — meaning the infection is self-propagating.

Within the first 24 hours of public disclosure, approximately 15,000 cPanel instances were compromised. Rapid7 and Cato Networks both published emergency threat briefs warning that exploitation was trivial and widespread.

To put this in perspective: if each compromised server hosts an average of 100 websites (conservative for shared hosting), we’re looking at potentially 4.4 million websites affected. That includes e-commerce stores processing credit cards, business applications handling sensitive data, and email servers storing years of communications.

How to Check If Your Server Is Compromised

If you’re running cPanel, here’s how to check for signs of compromise:

1. Check for .sorry files (stay on local filesystems so the walk finishes):

# Encrypted files keep their original name with .sorry appended
find / -xdev -type f -name "*.sorry" 2>/dev/null | head -20

2. Look for unauthorized admin accounts:

# Every cPanel account with the reseller that owns it
whmapi1 listaccts | grep -i "owner"
# Resellers can hold root-equivalent privileges; make sure you recognize each one
whmapi1 listresellers
# Any UID 0 entry other than root is a backdoor
awk -F: '$3 == 0 { print $1 }' /etc/passwd
cat /etc/trustedkeys 2>/dev/null

3. Check for Mirai indicators:

# Dropped binaries in world-writable scratch directories
find /tmp /var/tmp /dev/shm \( -name "nuclear*" -o -name "mirai*" \) 2>/dev/null
# 23/2323/37215/52869 are ports Mirai scans for, not ports it listens on:
# established outbound connections to them mean this host is hunting for new victims
ss -tnp state established '( dport = :23 or dport = :2323 or dport = :37215 or dport = :52869 )'
# Review every listener and the process behind it for anything you did not install
ss -tlnp

4. Review cPanel access logs:

# Replace your-ip with the addresses you administer from; root activity from anywhere else is suspect
grep -i "whostmgrsession" /usr/local/cpanel/logs/access_log | grep -v "your-ip"
grep -w root /usr/local/cpanel/logs/session_log | grep -v "your-ip"
grep -w root /usr/local/cpanel/logs/login_log | grep -v "your-ip"
# The CRLF in this bug travels in a request header, so it will not appear in the logged URL;
# this only catches probes that put the payload in the request line
grep "CRLF\|%0d%0a\|%0D%0A" /usr/local/cpanel/logs/access_log

5. Check for unauthorized cron jobs:

# Per-user crontabs plus the system-wide locations attackers also use
for user in $(cut -d: -f1 /etc/passwd); do crontab -u "$user" -l 2>/dev/null | sed "s/^/$user: /"; done
cat /etc/crontab /etc/cron.d/* 2>/dev/null

If you find any indicators of compromise, do not simply patch and move on. Treat the host as attacker-controlled: rebuild it from scratch or from clean backups taken before February 23, 2026, and inspect any newer data before restoring it.
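To make the log-review step concrete, here is an added Python triage script, not a cPanel tool. It assumes an Apache combined-style log with the authenticated user in the third field, so adjust LOG_RE to the real layout of /usr/local/cpanel/logs/access_log before relying on it; the sample lines and the ALLOWED_ADMIN_IPS set are constructed for the example. Because the CRLF in this bug rides in a header rather than the URL, the encoded-CRLF check only catches probes that put the payload in the request line; the root-session-from-an-unexpected-IP heuristic is what catches a successful forgery.

```python
"""Added triage helper for the log-review step (not cPanel's tooling).

Assumes an Apache combined-style log with the authenticated user in the
third field; adjust LOG_RE if your access_log differs. The sample lines
and the admin IP allow-list below are constructed, not real data.
"""
import re
import urllib.parse

# Assumption: the only hosts from which root/WHM sessions are expected.
ALLOWED_ADMIN_IPS = {"10.0.0.5"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample: a root session from an unexpected IP, an encoded-CRLF probe,
# a legitimate root session from the admin host, and an ordinary user.
SAMPLE_LINES = [
    '203.0.113.7 - root [30/Apr/2026:03:12:45 +0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 200 5123',
    '198.51.100.4 - - [30/Apr/2026:03:10:01 +0000] "GET /login/?user=x%0d%0auser=root HTTP/1.1" 401 0',
    '10.0.0.5 - root [30/Apr/2026:08:00:00 +0000] "GET /scripts/upcp HTTP/1.1" 200 0',
    '192.0.2.9 - bob [30/Apr/2026:09:00:00 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 2100',
]


def has_crlf(request: str) -> bool:
    """True if the request line carries a raw or percent-encoded CR/LF.

    One decode pass only: a double-encoded %250d would slip past this check,
    so pair it with the unexpected-IP heuristic rather than relying on it alone.
    """
    decoded = urllib.parse.unquote(request)
    return "\r" in decoded or "\n" in decoded


def triage(lines, allowed_ips=ALLOWED_ADMIN_IPS):
    """Return (line_no, reason, ip) for root sessions from unknown IPs and CRLF probes."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, "unparsed line", "-"))
            continue
        ip, user, request = m["ip"], m["user"], m["request"]
        if user == "root" and ip not in allowed_ips:
            findings.append((n, "root session from unexpected IP", ip))
        if has_crlf(request):
            findings.append((n, "CR/LF in request line", ip))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LINES with open("/usr/local/cpanel/logs/access_log") on a real host.
    for n, reason, ip in triage(SAMPLE_LINES):
        print(f"line {n}: {reason} ({ip})")
```

Lines that fail to parse are reported rather than skipped, since a log format mismatch would otherwise silently produce an empty, reassuring result.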

Patch Now: How to Fix CVE-2026-41940

cPanel released patches on April 28, 2026. Here’s how to update:

# Update cPanel & WHM to the latest version
/usr/local/cpanel/scripts/upcp --force

# Verify the update
/usr/local/cpanel/cpanel -V

The patched versions are:

  • cPanel & WHM 126.0.6 and later (CURRENT tier)
  • cPanel & WHM 124.0.12 and later (RELEASE tier)
  • cPanel & WHM 122.0.22 and later (STABLE tier)

But patching alone is not sufficient if your server was already compromised during the 64-day zero-day window. You need to:

  1. Patch immediately to prevent further exploitation
  2. Audit for compromise indicators using the commands above
  3. Reset all passwords (cPanel, WHM, database, FTP, and email accounts) and revoke every existing API token and access key, since a root session can mint new ones
  4. Review all cron jobs and startup scripts for malicious entries
  5. Check for unauthorized SSH keys in all user home directories
  6. Consider a full rebuild if any compromise indicators are found

The Bigger Picture: Why Shared Hosting Is a Ticking Time Bomb

CVE-2026-41940 exposes a fundamental problem with the shared hosting model that most of the web relies on. A single vulnerability in cPanel — software that manages an estimated 20+ million websites — can cascade into millions of compromised sites within days.

This isn’t the first time cPanel has been hit with critical vulnerabilities, and it won’t be the last. The consolidation of web infrastructure around a handful of control panels means that a single bug can affect a disproportionate share of the internet.

The lesson from CVE-2026-41940 is brutally simple: if your entire hosting infrastructure depends on a single piece of software staying secure, you’ve already lost. Defense in depth — network segmentation, least-privilege access, continuous monitoring, and offline backups — isn’t optional anymore. It’s survival.

For the 44,000+ server operators currently dealing with the fallout: patch, audit, and rebuild. For everyone else: this is your warning. The next CVE-2026-41940 is already being exploited. You just don’t know about it yet.

Update your servers. Today. Right now. Before you finish reading this sentence.


The cPanel zero-day vulnerability marks one of the most devastating server attacks of 2026. System administrators worldwide are urged to patch immediately, as the cPanel zero-day exploit chain remains active in the wild. Security researchers warn that this cPanel zero-day could spawn copycat exploits targeting similar hosting panels.
