
Critical cPanel flaw mass-exploited in Sorry ransomware attacks

If you run a website on a server that uses cPanel/WHM, a critical flaw is being actively exploited to breach sites and encrypt data. This is a real-world reminder that patching is ongoing and non-negotiable.

What happened

A critical authentication bypass vulnerability in cPanel/WHM (CVE-2026-41940) is being exploited in the wild. Early reports indicate attackers are breaching control panels and deploying the Sorry ransomware, which encrypts files and adds the .sorry extension. An emergency update addressing the flaw has been released for both WHM and cPanel. As investigations continue, campaigns appear active and evolving, so details may change as more evidence comes to light.

Why it matters

This isn’t limited to big enterprises. Small businesses, freelancers, and hosting providers can be directly affected if their sites are compromised, leading to downtime, data loss, or encrypted files. Recovery often hinges on clean backups and timely patching. Even if you’re not hosting a client site, a compromised server can become a foothold for attackers into other services.

What you can do now

  • Update to the latest patched version of cPanel & WHM. If you’re unsure how to proceed, contact your hosting provider or administrator for help.
  • Verify patch status across all servers. Ensure you’re running a version that includes the fix.
  • Look for indicators of compromise: unusual file extensions like .sorry and unexpected file encryptions, especially in web root and backup locations.
  • Rotate credentials and tokens used to access the control panel, as well as any automation keys. Enable multi-factor authentication where available.
  • Ensure backups are intact and stored offline or immutable where possible. Regularly practice a restore to confirm you can recover clean data.
  • Harden access to cPanel/WHM: restrict to trusted IPs, disable outdated protocols, and enable robust monitoring for login attempts.
  • Prepare an incident response plan: who to contact, how to isolate an affected server, and how to communicate with customers if needed. If you suspect a live compromise, involve your hosting provider or a security professional promptly.
  • Stay updated with official advisories and credible security news, as the situation is evolving. Details may change as investigations continue.
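To make the indicator-of-compromise step above concrete, here is an added example (not code from the article or from cPanel) of a small read-only scanner a defender could run against a web root or backup tree. It flags two things: files that already carry the `.sorry` extension named in the advisory, and source/markup files (`.php`, `.html`, `.js`, and so on) whose bytes look encrypted rather than like text, which can catch encryption that has not yet finished renaming. The entropy threshold, the list of text-type extensions and the `backup`/`cpbackup` path hints are assumptions chosen for illustration, and the sample file listing is constructed; nothing here modifies the filesystem.

```python
"""Read-only scan of a cPanel-hosted tree for Sorry-ransomware style indicators.

Added illustrative example; thresholds and path hints below are assumptions.
"""
import math
import os
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

RANSOM_EXT = ".sorry"                      # extension named in the advisory
BACKUP_HINTS = ("backup", "cpbackup")      # assumed path fragments marking backup locations
TEXT_EXTS = {".php", ".html", ".htm", ".js", ".css", ".txt", ".sql", ".json"}
HIGH_ENTROPY = 7.2                         # bits/byte; assumed threshold, real text sits below ~6
SAMPLE_BYTES = 4096                        # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class ScanResult:
    renamed: List[str] = field(default_factory=list)       # files already carrying .sorry
    high_entropy: List[str] = field(default_factory=list)  # text-type files that look encrypted
    backup_hits: List[str] = field(default_factory=list)   # any finding under a backup path

    def is_clean(self) -> bool:
        return not (self.renamed or self.high_entropy)


def classify_paths(paths: Iterable[str], read_sample: Callable[[str], bytes]) -> ScanResult:
    """Pure classification over a path listing; read_sample supplies file bytes."""
    result = ScanResult()
    for path in paths:
        lower = path.lower()
        flagged = False
        if lower.endswith(RANSOM_EXT):
            result.renamed.append(path)
            flagged = True
        else:
            _, ext = os.path.splitext(lower)
            # .htaccess has no extension in splitext terms, so match it by name
            if ext in TEXT_EXTS or os.path.basename(lower) == ".htaccess":
                if shannon_entropy(read_sample(path)) >= HIGH_ENTROPY:
                    result.high_entropy.append(path)
                    flagged = True
        if flagged and any(h in lower for h in BACKUP_HINTS):
            result.backup_hits.append(path)
    return result


def _read_sample(path: str) -> bytes:
    try:
        with open(path, "rb") as fh:
            return fh.read(SAMPLE_BYTES)
    except OSError:
        return b""


def walk_files(root: str) -> Iterable[str]:
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


def scan_tree(root: str) -> ScanResult:
    """Scan a real directory tree (e.g. /home or a backup mount)."""
    return classify_paths(walk_files(root), _read_sample)


def demo_listing() -> Dict[str, bytes]:
    """Constructed sample listing: paths and bytes are made up for this example."""
    random_looking = bytes(range(256)) * 16          # uniform bytes, entropy 8.0
    return {
        "/home/acme/public_html/index.php.sorry": b"",
        "/home/acme/public_html/about.html": b"<html><body>hello</body></html>" * 20,
        "/home/acme/public_html/config.php": random_looking,   # overwritten in place
        "/backup/cpbackup/daily/acme.tar.gz.sorry": b"",
        "/home/acme/public_html/logo.png": random_looking,     # binary, not text-type: ignored
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = scan_tree(sys.argv[1])
    else:
        listing = demo_listing()
        res = classify_paths(listing.keys(), lambda p: listing[p])
    for label, items in (("renamed", res.renamed), ("high-entropy text", res.high_entropy),
                         ("under backup paths", res.backup_hits)):
        print(f"{label}: {len(items)}")
        for p in items:
            print("  ", p)
    sys.exit(0 if res.is_clean() else 1)
```

Run it with a directory argument (`python scan.py /home`) to walk a live tree, or with no argument to classify the constructed sample. The non-zero exit code makes it easy to drop into a cron job or monitoring check; treat a hit on a backup path as the most urgent finding, since it means the recovery copy itself may be damaged.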

Final thought

Staying patched, maintaining solid backups, and having a quick-response plan are your best defenses against this kind of attack. If you manage multiple sites or a hosting environment, coordinate with your provider to confirm all systems are protected. Small, steady steps today help you weather tomorrow’s threats.
