Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

cPanel zero-day ran 65 days before patch; Sorry ransomware active

3 min read
10:57UTC

WatchTowr Labs confirmed CVE-2026-41940 in cPanel ran as a true zero-day from 23 February until WebPros shipped a patch on 28 April, with roughly 1.5 million internet-exposed instances. A novel actor calling itself 'Sorry' ransomware is deploying a Go-language Linux encryptor on compromised hosts.

TechnologyDeveloping
Key takeaway

cPanel's 65-day zero-day window, across 1.5 million instances, made every downstream hosting customer a victim before any patch existed.

WatchTowr Labs disclosed CVE-2026-41940, a CRLF (Carriage Return Line Feed) injection in the cPanel & WHM cpsrvd login daemon that lets an unauthenticated attacker write `user=root` into a session and take control of the host without credentials.1 The severity score is 9.8 out of 10. WebPros, the owner of cPanel, shipped an emergency patch on 28 April; CISA added the flaw to the Known Exploited Vulnerabilities (KEV) catalogue on 30 April with a 3 May federal deadline.2 Telemetry from hosting provider KnownHost dates active exploitation to 23 February, meaning attackers had 65 days of access before any patch existed.3 Germany's Federal Office for Information Security (BSI) rated the advisory "very high" criticality. Rapid7 and Shodan telemetry counts roughly 1.5 million internet-exposed cPanel instances.

The architectural amplifier here is cPanel's role as the dominant shared-hosting control panel. One compromised cPanel server controls every website and database it hosts. A single mid-tier hosting provider running a handful of cPanel servers can expose tens of thousands of unrelated businesses to a single attacker who needs only a login-page request on port 2087 to gain root. The 65-day exploitation window fed that structural reach for two months before the security Community knew to look.

The contrast with the CitrixBleed 3 scenario is instructive. CitrixBleed 3 had a patch available; the question there was whether defenders applied it quickly enough. With CVE-2026-41940, no patch existed while attackers were already inside. The compliance frame is reversed: no KEV listing was possible until WebPros had a fix. A novel actor calling itself 'Sorry' ransomware is now deploying a Go-language Linux encryptor on compromised hosts, capitalising on an already-exploited install base rather than finding its own initial access.4 The 65-day window has been pre-populating its target list.

Deep Analysis

In plain English

cPanel is the software that most shared web hosting companies use to let customers manage their websites. When you log in to your hosting provider's control panel to set up email or a database, you are almost certainly using cPanel or a product built on it. A flaw in cPanel, rated at the most severe level on the standard scale, allowed hackers to take over hosting accounts without knowing any password. This flaw was being exploited from 23 February, but no patch was available until 28 April, 65 days later. With roughly 1.5 million exposed cPanel servers on the internet, one successful attack reaches every website, database, and email account hosted on that server, not the server owner alone. A ransomware group called 'Sorry' has now been found using this flaw to encrypt files on compromised servers, locking out their owners.

Deep Analysis
Root Causes

CRLF injection in a login daemon is a class of vulnerability that application security scanners and static analysis tools routinely catch. The cPanel cpsrvd daemon is proprietary code that is not publicly available for independent review, which reduces the pool of researchers likely to examine it outside a formal bug-bounty programme.

WebPros' decision to price access to its bug-bounty programme (cPanel has historically required demonstration of a specific supported installation to qualify for bounty submission) may have constrained the flow of research towards its product. The 65-day window, starting 23 February, preceded WatchTowr Labs' disclosure by over two months, indicating the attacker found the flaw before any external researcher reported it through official channels.

The 'Sorry' ransomware group's adoption of the vulnerability reflects a common pattern: an initial exploitation actor (likely the group that discovered the flaw) runs a quiet access campaign, and secondary threat actors purchase or discover the technique and deploy louder payloads such as ransomware once the initial actor has extracted what it needs.

What could happen next?
  • Risk

    The 65-day exploitation window means hosting providers must treat every cPanel server as potentially already compromised: applying the patch is necessary but retrospective forensic review from 23 February is equally required.

    Immediate · 0.9
  • Consequence

    'Sorry' ransomware capitalising on a pre-populated target list from 65 days of quiet exploitation means the secondary attack wave may hit organisations that patched on time but had already been silently compromised.

    Short term · 0.8
  • Precedent

    The BSI and CISA dual-listing of CVE-2026-41940 signals growing EU-US regulatory co-ordination on critical hosting-infrastructure vulnerabilities, a pattern that may accelerate NIS2 Article 23 notifications for German and EU hosting providers.

    Medium term · 0.65
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

CISA· 8 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.