Cybersecurity: Threats and Defences
29 May

cPanel zero-day ran 65 days before patch; Sorry ransomware active

14:17 UTC

WatchTowr Labs confirmed CVE-2026-41940 in cPanel ran as a true zero-day from 23 February until WebPros shipped a patch on 28 April, with roughly 1.5 million internet-exposed instances. A novel actor calling itself 'Sorry' ransomware is deploying a Go-language Linux encryptor on compromised hosts.

Key takeaway

cPanel's 65-day zero-day window, across roughly 1.5 million exposed instances, put every downstream hosting customer at risk before any patch existed.

WatchTowr Labs disclosed CVE-2026-41940, a CRLF (Carriage Return Line Feed) injection in the cPanel & WHM cpsrvd login daemon that lets an unauthenticated attacker smuggle a `user=root` line into a session record and take control of the host without credentials.[1] The CVSS score is 9.8 out of 10. WebPros, the owner of cPanel, shipped an emergency patch on 28 April; CISA added the flaw to the Known Exploited Vulnerabilities (KEV) catalogue on 30 April with a 3 May federal deadline.[2] Telemetry from hosting provider KnownHost dates active exploitation to 23 February, meaning attackers had 65 days of access before any patch existed.[3] Germany's Federal Office for Information Security (BSI) rated the advisory "very high" criticality. Rapid7 and Shodan telemetry count roughly 1.5 million internet-exposed cPanel instances.
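To make the bug class concrete, here is a constructed Python model of a line-oriented session store that trusts a request-controlled field. It is an added example for this briefing, not cPanel or cpsrvd code, and it does not reproduce the real CVE-2026-41940 payload; the field names, record layout and the `user=`/`authenticated=` keys are assumptions chosen to show why an unfiltered CR/LF in one field becomes a whole new key in the record. The vulnerable writer sits beside a hardened one that refuses control characters before they reach the store.

```python
"""Toy model of a CRLF injection into a line-oriented session store.

Constructed example for this briefing; it is not cPanel or cpsrvd code and
does not reproduce the real CVE-2026-41940 payload. It models the bug class
the text describes: a login daemon writes a request-controlled field into a
key=value session record, one pair per line, and a later reader trusts
whatever `user=` line it finds. Field names and layout are assumed.
"""
from __future__ import annotations

CR, LF = "\r", "\n"


def write_session_vulnerable(username: str, ip: str) -> str:
    """Serialise a pre-auth session record without filtering line breaks.

    `user` is meant to be appended only after password verification; an
    unauthenticated request controls only `username`.
    """
    return f"ip={ip}{LF}authenticated=0{LF}username={username}{LF}"


class SessionFieldError(ValueError):
    """Raised when a field would break the one-pair-per-line framing."""


def write_session_hardened(username: str, ip: str) -> str:
    """Same record, but refuse control characters (and '=') in any field.

    Rejecting is simpler than escaping and keeps the store's framing intact;
    the record format itself is unchanged.
    """
    for name, value in (("username", username), ("ip", ip)):
        if any(ch in value for ch in (CR, LF, "\0", "=")):
            raise SessionFieldError(f"illegal character in {name}")
    return f"ip={ip}{LF}authenticated=0{LF}username={username}{LF}"


def parse_session(record: str) -> dict[str, str]:
    """Naive loader: later lines overwrite earlier keys, so a smuggled
    `user=root` line wins over anything the daemon wrote itself."""
    session: dict[str, str] = {}
    for line in record.replace(CR, "").split(LF):
        if line:
            key, _, value = line.partition("=")
            session[key.strip()] = value.strip()
    return session


def is_root_session(record: str) -> bool:
    s = parse_session(record)
    return s.get("user") == "root" and s.get("authenticated") == "1"


# Constructed attacker input: the username field carries two extra lines.
PAYLOAD = "guest" + CR + LF + "user=root" + CR + LF + "authenticated=1"


def demo(ip: str = "203.0.113.5") -> dict[str, bool]:
    """Compare both writers against a benign login and the payload."""
    results = {
        "benign_vulnerable": is_root_session(write_session_vulnerable("guest", ip)),
        "payload_vulnerable": is_root_session(write_session_vulnerable(PAYLOAD, ip)),
    }
    try:
        write_session_hardened(PAYLOAD, ip)
        results["payload_hardened_rejected"] = False
    except SessionFieldError:
        results["payload_hardened_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point to carry over to any real line- or header-oriented store: the fix belongs at the boundary where request data enters the record, and a loader that lets later keys overwrite earlier ones is what turns a framing bug into an authentication bypass.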

The architectural amplifier here is cPanel's role as the dominant shared-hosting control panel. One compromised cPanel server controls every website and database it hosts. A single mid-tier hosting provider running a handful of cPanel servers can expose tens of thousands of unrelated businesses to a single attacker who needs only a crafted login-page request on port 2087 to gain root. The 65-day exploitation window fed that structural reach for two months before the security community knew to look.

The contrast with the CitrixBleed 3 scenario is instructive. CitrixBleed 3 had a patch available; the question there was whether defenders applied it quickly enough. With CVE-2026-41940, no patch existed while attackers were already inside. The compliance frame is reversed: no KEV listing was possible until WebPros had a fix. A novel actor calling itself 'Sorry' ransomware is now deploying a Go-language Linux encryptor on compromised hosts, capitalising on an already-exploited install base rather than finding its own initial access.[4] The 65-day window has been pre-populating its target list.

Deep Analysis

In plain English

cPanel is the software that most shared web hosting companies use to let customers manage their websites. When you log in to your hosting provider's control panel to set up email or a database, you are almost certainly using cPanel or a product built on it. A flaw in cPanel, rated critical (9.8 of 10) on the standard CVSS scale, allowed attackers to take over hosting servers without knowing any password. This flaw was being exploited from 23 February, but no patch was available until 28 April, 65 days later. With roughly 1.5 million exposed cPanel servers on the internet, one successful attack reaches every website, database, and email account hosted on that server, not the server owner alone. A ransomware group called 'Sorry' has now been found using this flaw to encrypt files on compromised servers, locking out their owners.

Root Causes

CRLF injection in a login daemon is a class of vulnerability that application security scanners and static analysis tools routinely flag when they can see the code. The cPanel cpsrvd daemon is proprietary code that is not publicly available for independent review, which reduces the pool of researchers likely to examine it outside a formal bug-bounty programme.

WebPros' decision to gate access to its bug-bounty programme (cPanel has historically required demonstration of a specific supported installation to qualify for bounty submission) may have constrained the flow of research towards its product. The 65-day window, starting 23 February, preceded WatchTowr Labs' disclosure by over two months, indicating the attacker found the flaw before any external researcher reported it through official channels.

The 'Sorry' ransomware group's adoption of the vulnerability reflects a common pattern: an initial exploitation actor (likely the group that discovered the flaw) runs a quiet access campaign, and secondary threat actors purchase or discover the technique and deploy louder payloads such as ransomware once the initial actor has extracted what it needs.

What could happen next?
  • Risk

    The 65-day exploitation window means hosting providers must treat every cPanel server as potentially already compromised: applying the patch is necessary but retrospective forensic review from 23 February is equally required.

    Immediate · 0.9
  • Consequence

    'Sorry' ransomware capitalising on a pre-populated target list from 65 days of quiet exploitation means the secondary attack wave may hit organisations that patched on time but had already been silently compromised.

    Short term · 0.8
  • Precedent

    The BSI and CISA dual-listing of CVE-2026-41940 signals growing EU-US regulatory co-ordination on critical hosting-infrastructure vulnerabilities, a pattern that may accelerate NIS2 Article 23 notifications for German and EU hosting providers.

    Medium term · 0.65
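The retrospective review the Risk item calls for starts with the login daemon's own access log. The following is an added Python example for this briefing, not a cPanel tool and not a published indicator of compromise: it parses constructed access-log lines in an Apache-combined-style format (the real cpsrvd log format and path are not given on this page and are assumed to be similar), flags requests to an assumed login path of `/login/` whose target carries a raw or percent-encoded CR/LF, and marks whether each hit falls inside the known window opening 23 February 2026. Because that date is only the earliest observed exploitation, hits before it are reported too rather than filtered out.

```python
"""Retrospective triage of a login daemon's access log for CRLF-style payloads.

Added example for this briefing, not a cPanel tool and not a published
indicator of compromise. Assumptions: the log resembles the Apache combined
format (client IP, bracketed timestamp, quoted request line, status); the
login endpoint is /login/ (illustrative; check your own daemon's path); the
known exploitation window opens 23 February 2026 per the briefing. The log
lines below are constructed. A hit is a lead for forensic review, not proof
of compromise.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
KNOWN_WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)
LOGIN_PATH = "/login/"  # assumption, see module docstring

# Constructed sample: one injected request before the known window, one
# benign login, one injected request inside the window (mixed-case, '='
# encoded), and an unrelated request that carries %0d but not to the login path.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Feb/2026:10:01:02 +0000] "POST /login/?user=guest%0d%0auser=root HTTP/1.1" 200
203.0.113.9 - - [22/Feb/2026:12:00:00 +0000] "POST /login/ HTTP/1.1" 200
198.51.100.7 - - [24/Feb/2026:03:14:15 +0000] "POST /login/?user=guest%0D%0Auser%3Droot HTTP/1.1" 200
203.0.113.9 - - [01/Mar/2026:12:00:05 +0000] "GET /index.html?x=%0d HTTP/1.1" 200
"""


def parse_line(line: str) -> dict | None:
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def has_line_break(target: str) -> bool:
    """True if the request target carries CR or LF, raw or percent-encoded.

    One decode pass catches %0d/%0a in either case. Double encoding (%250a)
    is deliberately left to a second pass for daemons known to decode twice.
    """
    decoded = unquote(target)
    return "\r" in decoded or "\n" in decoded


def is_suspicious(entry: dict) -> bool:
    """Only login-path requests count; CR/LF elsewhere is noise for this review."""
    parts = entry["req"].split(" ")
    if len(parts) < 2:
        return False
    target = parts[1]
    return target.startswith(LOGIN_PATH) and has_line_break(target)


def triage(log_text: str) -> list[dict]:
    """Return suspicious entries, each annotated with whether it falls inside
    the known exploitation window. Earlier hits are kept: the window start is
    the earliest observed date, not a lower bound on attacker activity."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            entry["in_known_window"] = entry["ts"] >= KNOWN_WINDOW_START
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"].isoformat(), hit["ip"], hit["in_known_window"], hit["req"])
```

Run it against the daemon's real access log instead of `SAMPLE_LOG`, after adjusting `LOGIN_PATH` and `LOG_RE` to the actual format. Any hit should trigger the host-level review the Risk item describes (session files, new accounts, cron entries, web roots), since a log line alone cannot tell a failed probe from a successful one.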
First reported in

Update #3 · CISA's deadline outruns Palo Alto's patch (CISA, 8 May 2026)
Causes and effects
This Event
cPanel zero-day ran 65 days before patch; Sorry ransomware active
One compromised cPanel server controls every website and database it hosts, making mass exploitation a structural property of the flaw rather than a function of attacker sophistication.
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.