Protect.Computer

cPanel CVE-2026-41940 Exploited in Mass 'Sorry' Ransomware Wave


A critical security flaw in cPanel and WHM — the software millions of web hosting companies use to manage websites — is being actively exploited by attackers to break into servers and lock them with “Sorry” ransomware. The vulnerability, CVE-2026-41940, lets attackers completely bypass the login screen and gain full administrator access without a password. Researchers at Shadowserver have confirmed that over 44,000 hosting servers have already been compromised in this ongoing campaign.

Once inside, attackers encrypt all website files, databases, and backups on the server, appending a .sorry extension to every locked file. Without the attacker’s private key, recovering those files is not feasible. Small businesses and individuals who host their website through a provider running cPanel may find their site suddenly inaccessible. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on May 1, 2026, requiring US federal agencies to patch by May 22.

How to check if you’re affected

This issue affects servers running cPanel and WHM versions released before the May 2026 security patch. To check your exposure:

  • Contact your web hosting provider: Ask whether their cPanel servers are patched against CVE-2026-41940. Reputable hosts should have already applied the fix.
  • Check for unexpected admin accounts: If you have direct cPanel access, review the list of administrator accounts for any you did not create.
  • Look for .sorry file extensions: If your hosted files or databases appear encrypted and inaccessible, your server may already be compromised — contact your host immediately.
  • If you self-host cPanel: Apply the security update immediately via the official cPanel update tool and restrict internet access to the control panel ports (2083/2087) until patched.
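
For the .sorry check above, the following is an added example (not from the original article or from cPanel): shell functions that count files ending in .sorry under each account directory of a hosting root. The /home default and the function names are assumptions; adjust the root to wherever your accounts live.

```shell
#!/bin/sh
# Added example: triage a hosting root for files renamed with the
# .sorry extension described in the article.
# Assumption: each account has its own directory directly under the
# root (default /home). Function names are hypothetical.

# sorry_count DIR
# Prints the number of regular files under DIR whose name ends in .sorry.
# Counts one byte per file so names containing newlines are not miscounted.
# -xdev keeps the scan on one filesystem (skips network or backup mounts).
sorry_count() {
    find "$1" -xdev -type f -name '*.sorry' \
        -exec sh -c 'for f; do printf .; done' sh {} + 2>/dev/null |
        wc -c | tr -d ' '
}

# sorry_report [ROOT]
# Prints "count<TAB>directory" for every account directory under ROOT
# that contains at least one .sorry file.
# Returns 0 when nothing was found and 1 when any account has hits.
# Hidden directories and files placed directly in ROOT are not scanned.
sorry_report() {
    root=${1:-/home}
    total=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        n=$(sorry_count "$dir")
        if [ "$n" -gt 0 ]; then
            printf '%s\t%s\n' "$n" "${dir%/}"
            total=$((total + n))
        fi
    done
    [ "$total" -eq 0 ]
}

# Typical use on a self-hosted server, run as root:
#   sorry_report /home || echo "encrypted files found, isolate the server"
```

A clean result only means no files with that extension were found under the scanned root; it does not show that the server is patched.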
