Critical cPanel Flaw Exploited in Global Ransomware Campaign
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON — Unidentified threat actors are actively exploiting a critical vulnerability in cPanel web hosting software to deploy ransomware across a global network of websites. The flaw is tracked as CVE-2026-41940, and the attacks have been confirmed as of May 2, 2026, marking a significant escalation in cyberattacks targeting web management infrastructure.
The vulnerability allows attackers to gain unauthorized access to server systems without authentication. Once inside, the threat actors are installing a variant of ransomware known as 'Sorry.' The malware encrypts critical data on compromised servers, rendering websites inaccessible and demanding payment for decryption keys. Security researchers have observed the campaign targeting a wide range of victims, from small business websites to larger enterprise portals, indicating a broad and indiscriminate approach.
cPanel, a widely used web hosting control panel, manages millions of websites worldwide. The flaw in the software has created a direct pathway for attackers to bypass standard security measures. The mass exploitation suggests that the vulnerability was discovered and weaponized before a patch could be widely distributed. The timing of the attacks coincides with the public disclosure of the flaw, a pattern often seen in coordinated cyber operations.
The 'Sorry' ransomware variant has been linked to previous campaigns, but this specific deployment leverages the cPanel vulnerability to automate the infection process. Victims report that their websites were taken offline within hours of the initial breach, with ransom notes appearing on the front pages. The attackers are demanding payment in cryptocurrency, a common tactic in modern ransomware operations.
Web hosting providers and system administrators are urged to apply emergency patches immediately. The vendor has released a fix for the vulnerability, but the speed of the exploitation indicates that many systems remain exposed. Organizations are advised to audit their systems for signs of compromise and to isolate affected servers to prevent lateral movement within their networks.
The global nature of the attack complicates the response effort. Law enforcement agencies and cybersecurity firms are tracking the spread of the malware, but the anonymity of the threat actors makes attribution difficult. The financial motive behind the campaign is clear, with the attackers seeking to monetize the vulnerability through extortion.
As of late Tuesday, the full extent of the damage remains unknown. The number of compromised systems is likely to grow as attackers continue to scan for unpatched instances of the software. Security experts warn that the window for remediation is closing, and the risk of further breaches is high. The incident underscores the critical need for timely patch management and the ongoing threat posed by unpatched vulnerabilities in widely used software.
Questions remain regarding the identity of the threat actors and the specific infrastructure they are using to launch the attacks. The campaign is expected to continue until the vulnerability is fully mitigated across the global internet.