Cybersecurity: Threats and Defences
8 May

cPanel zero-day ran 65 days before patch; Sorry ransomware active

10:57 UTC

WatchTowr Labs confirmed CVE-2026-41940 in cPanel ran as a true zero-day from 23 February until WebPros shipped a patch on 28 April, with roughly 1.5 million internet-exposed instances. A novel actor calling itself 'Sorry' ransomware is deploying a Go-language Linux encryptor on compromised hosts.

Technology · Developing
Key takeaway

cPanel's 65-day zero-day window, across 1.5 million instances, made every downstream hosting customer a victim before any patch existed.

WatchTowr Labs disclosed CVE-2026-41940, a CRLF (Carriage Return Line Feed) injection in the cPanel & WHM cpsrvd login daemon that lets an unauthenticated attacker write `user=root` into a session and take control of the host without credentials.[1] The severity score is 9.8 out of 10. WebPros, the owner of cPanel, shipped an emergency patch on 28 April; CISA added the flaw to the Known Exploited Vulnerabilities (KEV) catalogue on 30 April with a 3 May federal deadline.[2] Telemetry from hosting provider KnownHost dates active exploitation to 23 February, meaning attackers had 65 days of access before any patch existed.[3] Germany's Federal Office for Information Security (BSI) rated the advisory "very high" criticality. Rapid7 and Shodan telemetry counts roughly 1.5 million internet-exposed cPanel instances.
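To make the vulnerability class concrete, here is an added illustration (not cPanel's cpsrvd code, and not a claim about how cpsrvd actually stores sessions) of a line-oriented session store in which a value carrying a carriage return and line feed is read back as a second `user=` record, beside the hardened form that rejects such values before anything is written:

```python
"""CRLF injection in a line-oriented session store, as a constructed
illustration of the vulnerability class. This is not cPanel's cpsrvd code
and makes no claim about how cpsrvd stores sessions."""

# Assumption: the store is a text blob of "key=value" lines and the daemon
# later trusts whatever "user=" line it reads back.
LINE_TERMINATOR = "\r\n"
FORBIDDEN = {"\r", "\n", "\0"}  # characters that can end or truncate a record


def serialize_session_unsafe(fields: dict) -> str:
    """Vulnerable pattern: values are interpolated verbatim, so a value that
    carries a line break ends the current record and starts a new one."""
    return "".join(f"{key}={value}{LINE_TERMINATOR}" for key, value in fields.items())


def serialize_session_safe(fields: dict) -> str:
    """Hardened pattern: refuse keys or values containing line terminators or
    NUL before writing, so the store can only hold the records the caller
    actually supplied."""
    for key, value in fields.items():
        if any(ch in FORBIDDEN for ch in f"{key}{value}"):
            raise ValueError(f"control character in session field {key!r}")
    return serialize_session_unsafe(fields)


def parse_session(blob: str) -> dict:
    """Naive last-writer-wins reader, as a daemon that trusts its own store
    would behave: a duplicated key silently takes the later value."""
    session = {}
    for line in blob.split(LINE_TERMINATOR):
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value
    return session


def stored_user_differs_from_input(value: str) -> bool:
    """True when a value stored unsafely under 'user' reads back as a
    different user, which is the effect the briefing describes."""
    stored = parse_session(serialize_session_unsafe({"user": value, "role": "customer"}))
    return stored.get("user") != value
```

The fix is the validation step, not the parser: once a field can contain a line terminator, any last-writer-wins reader of the store will honour the injected record. Rejecting rather than silently stripping the characters also keeps a tampering attempt visible in the daemon's error logs.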

The architectural amplifier here is cPanel's role as the dominant shared-hosting control panel. One compromised cPanel server controls every website and database it hosts. A single mid-tier hosting provider running a handful of cPanel servers can expose tens of thousands of unrelated businesses to a single attacker who needs only a login-page request on port 2087 to gain root. The 65-day exploitation window fed that structural reach for two months before the security community knew to look.

The contrast with the CitrixBleed 3 scenario is instructive. CitrixBleed 3 had a patch available; the question there was whether defenders applied it quickly enough. With CVE-2026-41940, no patch existed while attackers were already inside. The compliance frame is reversed: no KEV listing was possible until WebPros had a fix. A novel actor calling itself 'Sorry' ransomware is now deploying a Go-language Linux encryptor on compromised hosts, capitalising on an already-exploited install base rather than finding its own initial access.[4] The 65-day window has been pre-populating its target list.

Deep Analysis

In plain English

cPanel is the software that most shared web hosting companies use to let customers manage their websites. When you log in to your hosting provider's control panel to set up email or a database, you are almost certainly using cPanel or a product built on it. A flaw in cPanel, rated at the most severe level on the standard scale, allowed hackers to take over hosting accounts without knowing any password. This flaw was being exploited from 23 February, but no patch was available until 28 April, 65 days later. With roughly 1.5 million exposed cPanel servers on the internet, one successful attack reaches every website, database, and email account hosted on that server, not the server owner alone. A ransomware group called 'Sorry' has now been found using this flaw to encrypt files on compromised servers, locking out their owners.

Root Causes

CRLF injection in a login daemon is a class of vulnerability that application security scanners and static analysis tools routinely catch. The cPanel cpsrvd daemon is proprietary code that is not publicly available for independent review, which reduces the pool of researchers likely to examine it outside a formal bug-bounty programme.

WebPros' decision to restrict access to its bug-bounty programme (cPanel has historically required demonstration of a specific supported installation to qualify for bounty submission) may have constrained the flow of research towards its product. The 65-day window, starting 23 February, preceded WatchTowr Labs' disclosure by over two months, indicating the attacker found the flaw before any external researcher reported it through official channels.

The 'Sorry' ransomware group's adoption of the vulnerability reflects a common pattern: an initial exploitation actor (likely the group that discovered the flaw) runs a quiet access campaign, and secondary threat actors purchase or discover the technique and deploy louder payloads such as ransomware once the initial actor has extracted what it needs.

What could happen next?

  • Risk (Immediate · 0.9)

    The 65-day exploitation window means hosting providers must treat every cPanel server as potentially already compromised: applying the patch is necessary, but retrospective forensic review from 23 February is equally required.

  • Consequence (Short term · 0.8)

    'Sorry' ransomware capitalising on a pre-populated target list from 65 days of quiet exploitation means the secondary attack wave may hit organisations that patched on time but had already been silently compromised.

  • Precedent (Medium term · 0.65)

    The BSI and CISA dual-listing of CVE-2026-41940 signals growing EU-US regulatory co-ordination on critical hosting-infrastructure vulnerabilities, a pattern that may accelerate NIS2 Article 23 notifications for German and EU hosting providers.
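The retrospective review called for above needs a concrete starting point. The following is an added example, not a tool from WatchTowr Labs, KnownHost or WebPros: it assumes a simple space-separated access-log format (date, client IP, local port, method, request target, status) and flags WHM login-page requests on port 2087 from 23 February onward whose request target carries a raw or URL-encoded carriage return or line feed. The briefing does not say how the injection reaches cpsrvd, so treat this as one triage indicator rather than a complete signature; the sample lines are constructed.

```python
"""Retrospective access-log review for the cPanel exploitation window.
Added example; it assumes a constructed log format and a CR/LF-in-request
indicator, neither of which comes from the briefing's sources."""
import re
from datetime import date
from typing import Optional

EXPLOITATION_START = date(2026, 2, 23)   # first exploitation per KnownHost telemetry
PATCH_DATE = date(2026, 4, 28)           # WebPros emergency patch shipped
WHM_PORT = "2087"                        # login-page port named in the briefing

# Raw or percent-encoded carriage return / line feed anywhere in the target.
CRLF_PATTERN = re.compile(r"%0[dD]|%0[aA]|\r|\n")

# Constructed sample lines (not real telemetry). The token following the
# encoded CR/LF is a deliberately neutral placeholder.
SAMPLE_LOG = """\
2026-02-20 198.51.100.7 2087 POST /login/ 200
2026-02-24 203.0.113.9 2087 POST /login/?name=x%0d%0ainjected%3dvalue 200
2026-03-02 198.51.100.8 2083 GET /frontend/index.html 200
2026-03-15 203.0.113.9 2087 POST /login/?name=y%0Dinjected%3Dvalue 200
2026-04-30 192.0.2.5 2087 POST /login/?name=z 401
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one assumed-format log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    day, client, port, method, target, status = parts
    return {"date": date.fromisoformat(day), "client": client, "port": port,
            "method": method, "target": target, "status": int(status)}


def flag_crlf_login_requests(log_text: str, since: date = EXPLOITATION_START) -> list:
    """Entries on or after `since`, aimed at the WHM port, whose request target
    contains a CR/LF sequence. Events after PATCH_DATE are still returned,
    because a host that was not patched stays exposed."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["date"] < since or entry["port"] != WHM_PORT:
            continue
        if CRLF_PATTERN.search(entry["target"]):
            findings.append(entry)
    return findings


def suspicious_clients(log_text: str) -> set:
    """Client addresses worth pivoting on across the provider's other hosts."""
    return {finding["client"] for finding in flag_crlf_login_requests(log_text)}


if __name__ == "__main__":
    for finding in flag_crlf_login_requests(SAMPLE_LOG):
        print(finding["date"], finding["client"], finding["target"])
```

Because the window opened before any patch existed, a clean result from this scan does not clear a host: the absence of the indicator only narrows where to look next (session stores, new root-level accounts, unexpected cron entries), and every flagged client address should be pivoted across the provider's other cPanel servers.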
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

CISA · 8 May 2026
Causes and effects

This event: cPanel zero-day ran 65 days before patch; Sorry ransomware active

One compromised cPanel server controls every website and database it hosts, making mass exploitation a structural property of the flaw rather than a function of attacker sophistication.
Different Perspectives
Norwegian Security and Service Organisation
NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.
ENISA and EU CNA Ecosystem
ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.
German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.
Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.
Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.
WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.