Cybersecurity: Threats and Defences
7 June

cPanel zero-day ran 65 days before patch; Sorry ransomware active

10:08 UTC

WatchTowr Labs confirmed CVE-2026-41940 in cPanel ran as a true zero-day from 23 February until WebPros shipped a patch on 28 April, with roughly 1.5 million internet-exposed instances. A novel actor calling itself 'Sorry' ransomware is deploying a Go-language Linux encryptor on compromised hosts.

Key takeaway

cPanel's 65-day zero-day window, across 1.5 million instances, made every downstream hosting customer a victim before any patch existed.

WatchTowr Labs disclosed CVE-2026-41940, a CRLF (Carriage Return Line Feed) injection in the cPanel & WHM cpsrvd login daemon that lets an unauthenticated attacker write `user=root` into a session and take control of the host without credentials.[1] The severity score is 9.8 out of 10. WebPros, the owner of cPanel, shipped an emergency patch on 28 April; CISA added the flaw to the Known Exploited Vulnerabilities (KEV) catalogue on 30 April with a 3 May federal deadline.[2] Telemetry from hosting provider KnownHost dates active exploitation to 23 February, meaning attackers had 65 days of access before any patch existed.[3] Germany's Federal Office for Information Security (BSI) rated the advisory "very high" criticality. Rapid7 and Shodan telemetry counts roughly 1.5 million internet-exposed cPanel instances.

The architectural amplifier here is cPanel's role as the dominant shared-hosting control panel. One compromised cPanel server controls every website and database it hosts. A single mid-tier hosting provider running a handful of cPanel servers can expose tens of thousands of unrelated businesses to a single attacker who needs only a login-page request on port 2087 to gain root. The 65-day exploitation window fed that structural reach for two months before the security community knew to look.

The contrast with the CitrixBleed 3 scenario is instructive. CitrixBleed 3 had a patch available; the question there was whether defenders applied it quickly enough. With CVE-2026-41940, no patch existed while attackers were already inside. The compliance frame is reversed: no KEV listing was possible until WebPros had a fix. A novel actor calling itself 'Sorry' ransomware is now deploying a Go-language Linux encryptor on compromised hosts, capitalising on an already-exploited install base rather than finding its own initial access.[4] The 65-day window has been pre-populating its target list.

Deep Analysis

In plain English

cPanel is the software that most shared web hosting companies use to let customers manage their websites. When you log in to your hosting provider's control panel to set up email or a database, you are almost certainly using cPanel or a product built on it. A flaw in cPanel, rated at the most severe level on the standard scale, allowed hackers to take over hosting accounts without knowing any password. This flaw was being exploited from 23 February, but no patch was available until 28 April, 65 days later. With roughly 1.5 million exposed cPanel servers on the internet, one successful attack reaches every website, database, and email account hosted on that server, not the server owner alone. A ransomware group called 'Sorry' has now been found using this flaw to encrypt files on compromised servers, locking out their owners.

Root Causes

CRLF injection in a login daemon is a class of vulnerability that application security scanners and static analysis tools routinely catch. The cPanel cpsrvd daemon is proprietary code that is not publicly available for independent review, which reduces the pool of researchers likely to examine it outside a formal bug-bounty programme.
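To make the vulnerability class concrete, here is an added toy model (not cPanel's cpsrvd code, and not from the article) of a CRLF-delimited key=value session record: an unvalidated value can smuggle a second `user=` line that overrides the first, which is the mechanism the article describes, and the hardened writer plus the log-review helper show the checks a scanner or a defender would expect to find in front of such a record.

```python
import re
from urllib.parse import unquote

# Constructed toy model of a CRLF-delimited key=value session record. It is
# not cPanel's cpsrvd code; it only illustrates the vulnerability class the
# article describes and the checks a defender would put in front of it.

CONTROL_CHARS = re.compile(r"[\r\n\x00]")
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def write_session_unsafe(username: str) -> str:
    """Vulnerable pattern: the value is interpolated with no validation."""
    return f"user={username}\r\nauth=0\r\n"


def record_keys(record: str) -> list:
    """Keys in record order, duplicates kept, so an injected line is visible."""
    return [ln.split("=", 1)[0] for ln in record.split("\r\n") if "=" in ln]


def parse_session(record: str) -> dict:
    """Parse the record; a later duplicate key overrides an earlier one."""
    fields = {}
    for ln in record.split("\r\n"):
        if "=" in ln:
            key, value = ln.split("=", 1)
            fields[key] = value
    return fields


def is_safe_username(username: str) -> bool:
    """Hardened check: no control characters and a strict character allow-list."""
    return not CONTROL_CHARS.search(username) and SAFE_USERNAME.fullmatch(username) is not None


def write_session_safe(username: str) -> str:
    """Hardened pattern: refuse to build the record from an unsafe value."""
    if not is_safe_username(username):
        raise ValueError("username rejected: control or disallowed characters")
    return f"user={username}\r\nauth=0\r\n"


def has_encoded_crlf(raw_param: str) -> bool:
    """Log-review helper: flag a URL-encoded parameter that decodes to CR/LF."""
    return CONTROL_CHARS.search(unquote(raw_param)) is not None


if __name__ == "__main__":
    crafted = "bob\r\nuser=root"  # constructed value showing the override
    print(record_keys(write_session_unsafe(crafted)))  # ['user', 'user', 'auth']
    print(parse_session(write_session_unsafe(crafted))["user"])  # root
    print(is_safe_username(crafted))  # False
    print(has_encoded_crlf("bob%0d%0auser%3Droot"))  # True
```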

WebPros' decision to price access to its bug-bounty programme (cPanel has historically required demonstration of a specific supported installation to qualify for bounty submission) may have constrained the flow of research towards its product. The 65-day window, starting 23 February, preceded WatchTowr Labs' disclosure by over two months, indicating the attacker found the flaw before any external researcher reported it through official channels.

The 'Sorry' ransomware group's adoption of the vulnerability reflects a common pattern: an initial exploitation actor (likely the group that discovered the flaw) runs a quiet access campaign, and secondary threat actors purchase or discover the technique and deploy louder payloads such as ransomware once the initial actor has extracted what it needs.

What could happen next?
  • Risk (Immediate · 0.9): The 65-day exploitation window means hosting providers must treat every cPanel server as potentially already compromised: applying the patch is necessary, but retrospective forensic review from 23 February is equally required.
  • Consequence (Short term · 0.8): 'Sorry' ransomware capitalising on a pre-populated target list from 65 days of quiet exploitation means the secondary attack wave may hit organisations that patched on time but had already been silently compromised.
  • Precedent (Medium term · 0.65): The BSI and CISA dual-listing of CVE-2026-41940 signals growing EU-US regulatory co-ordination on critical hosting-infrastructure vulnerabilities, a pattern that may accelerate NIS2 Article 23 notifications for German and EU hosting providers.
First reported in: Update #3 · CISA's deadline outruns Palo Alto's patch (CISA, 8 May 2026)
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.