Cybersecurity: Threats and Defences
14 JUN

cPanel zero-day ran 65 days before patch; Sorry ransomware active

3 min read
11:51 UTC

WatchTowr Labs confirmed CVE-2026-41940 in cPanel ran as a true zero-day from 23 February until WebPros shipped a patch on 28 April, with roughly 1.5 million internet-exposed instances. A novel actor calling itself 'Sorry' ransomware is deploying a Go-language Linux encryptor on compromised hosts.

Technology · Developing
Key takeaway

cPanel's 65-day zero-day window, across 1.5 million instances, made every downstream hosting customer a victim before any patch existed.

WatchTowr Labs disclosed CVE-2026-41940, a CRLF (Carriage Return Line Feed) injection in the cPanel & WHM cpsrvd login daemon that lets an unauthenticated attacker write `user=root` into a session record and take control of the host without credentials.[1] The flaw carries a CVSS score of 9.8 out of 10. WebPros, the owner of cPanel, shipped an emergency patch on 28 April; CISA added the flaw to the Known Exploited Vulnerabilities (KEV) catalogue on 30 April with a 3 May federal remediation deadline.[2] Telemetry from hosting provider KnownHost dates active exploitation to 23 February, meaning attackers had 65 days of access before any patch existed.[3] Germany's Federal Office for Information Security (BSI) rated the advisory "very high" criticality. Rapid7 and Shodan telemetry counts roughly 1.5 million internet-exposed cPanel instances.

The architectural amplifier here is cPanel's role as the dominant shared-hosting control panel. One compromised cPanel server controls every website and database it hosts, so a single mid-tier hosting provider running a handful of cPanel servers can expose tens of thousands of unrelated businesses to one attacker who needs nothing more than a crafted login-page request to the WHM service on port 2087 to gain root. The 65-day exploitation window gave attackers two months of that structural reach before the security community knew to look.

The contrast with the CitrixBleed 3 scenario is instructive. CitrixBleed 3 had a patch available; the question there was whether defenders applied it quickly enough. With CVE-2026-41940, no patch existed while attackers were already inside, and the compliance frame is reversed: no KEV listing was possible until WebPros had a fix to point to. A novel actor calling itself 'Sorry' ransomware is now deploying a Go-language Linux encryptor on compromised hosts, capitalising on an already-exploited install base rather than finding its own initial access.[4] Sixty-five days of quiet exploitation have been pre-populating its target list.

Deep Analysis

In plain English

cPanel is the software that most shared web hosting companies use to let customers manage their websites. When you log in to your hosting provider's control panel to set up email or a database, you are almost certainly using cPanel or a product built on it. A flaw in cPanel, rated at the most severe level on the standard scale, allowed attackers to take over the server itself, and with it every account on it, without knowing any password. This flaw was being exploited from 23 February, but no patch was available until 28 April, 65 days later. With roughly 1.5 million exposed cPanel servers on the internet, one successful attack reaches every website, database, and email account hosted on that server, not the server owner alone. A ransomware group called 'Sorry' has now been found using this flaw to encrypt files on compromised servers, locking out their owners.

Root Causes

CRLF injection in a login daemon belongs to a vulnerability class that application security scanners and static analysis tools routinely detect, because it reduces to unsanitised input reaching a line-oriented format. The cPanel cpsrvd daemon is proprietary code that is not publicly available for independent review, which reduces the pool of researchers likely to examine it outside a formal bug-bounty programme.
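To make the vulnerability class concrete, here is an added illustrative example in Python. It is not cPanel's cpsrvd code (which is proprietary and not on this page) and makes no claim about the actual CVE-2026-41940 code path; the newline-delimited key=value session format, the `user=` key, the function names and the attacker value are assumptions chosen to mirror the mechanism described above, where an unauthenticated login request ends up writing `user=root` into a session. The vulnerable writer sits beside its hardened form, and the parser shows why the injected line wins:

```python
"""
Added illustrative example (not cPanel's cpsrvd code): CRLF injection into a
line-oriented key=value session store, beside the hardened version of the same
writer. The session format, function names and the 'user=' key are assumptions
chosen to mirror the mechanism the article describes.
"""
import re
from urllib.parse import unquote


def parse_session(blob: str) -> dict:
    """Read a session record back. Later lines override earlier ones, the
    usual 'last writer wins' behaviour of simple key=value stores."""
    session = {}
    for line in blob.splitlines():          # splits on \r\n, \n and \r alike
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value.strip()
    return session


def write_session_vulnerable(raw_user: str) -> str:
    """Vulnerable writer: URL-decodes the login parameter and interpolates it
    straight into the record. A value such as 'guest%0d%0auser=root' ends the
    'user=' line early and smuggles a second 'user=root' line into the store."""
    user = unquote(raw_user)
    return f"user={user}\r\nrole=customer\r\n"


# Allow-list for account names (an assumption; real rules would be stricter).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def write_session_hardened(raw_user: str) -> str:
    """Hardened writer: allow-list the decoded value before it reaches the
    line-oriented format, so CR, LF and any other control character are
    rejected outright rather than stripped or escaped after the fact."""
    user = unquote(raw_user)
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("username contains characters outside the allow-list")
    return f"user={user}\r\nrole=customer\r\n"


def effective_user(writer, raw_user: str) -> str:
    """Who does the daemon think logged in after `writer` stored the record?
    Returns 'REJECTED' when the hardened writer refuses the value."""
    try:
        return parse_session(writer(raw_user))["user"]
    except ValueError:
        return "REJECTED"


if __name__ == "__main__":
    payload = "guest%0d%0auser%3Droot"       # constructed attacker value
    print("vulnerable :", effective_user(write_session_vulnerable, payload))
    print("hardened   :", effective_user(write_session_hardened, payload))
    print("benign     :", effective_user(write_session_hardened, "alice"))
```

Two details matter in practice. Decoding happens before serialisation, so a filter applied to the still-encoded parameter would miss `%0d%0a`; and a bare `%0a` is enough, since most line-oriented parsers accept LF alone. Rejecting the value is preferable to escaping it, because escaping has to be correct for every consumer of the record, whereas an allow-list only has to be correct once.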

WebPros' decision to restrict access to its bug-bounty programme (cPanel has historically required demonstration of a specific supported installation to qualify for bounty submission) may have constrained the flow of research towards its product. The exploitation window, starting 23 February, preceded WatchTowr Labs' disclosure by over two months, indicating that an attacker found the flaw before any external researcher reported it through official channels.

The 'Sorry' ransomware group's adoption of the vulnerability reflects a common pattern: an initial exploitation actor (likely the group that discovered the flaw) runs a quiet access campaign, and secondary threat actors purchase or discover the technique and deploy louder payloads such as ransomware once the initial actor has extracted what it needs.

What could happen next?
  • Risk

    The 65-day exploitation window means hosting providers must treat every cPanel server as potentially already compromised: applying the patch is necessary, but a retrospective forensic review reaching back to at least 23 February is equally required.

    Immediate · 0.9
  • Consequence

    'Sorry' ransomware capitalising on a pre-populated target list from 65 days of quiet exploitation means the secondary attack wave may hit organisations that patched on time but had already been silently compromised.

    Short term · 0.8
  • Precedent

    The BSI and CISA dual-listing of CVE-2026-41940 signals growing EU-US regulatory co-ordination on critical hosting-infrastructure vulnerabilities, a pattern that may accelerate NIS2 Article 23 notifications for German and EU hosting providers.

    Medium term · 0.65
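One concrete piece of that retrospective review is triaging login traffic for requests that carried encoded CR/LF from the start of the exploitation window. The following Python is an added example, not from the article, cPanel or any vendor: the NCSA-style log format, the `/login` path and the `user` parameter in the sample lines are assumptions, and the sample lines are constructed, not real telemetry. `LOG_RE` must be adapted to the real cpsrvd log format, which this page does not specify.

```python
"""
Added example (not from the article or any vendor): triage an access log for
login requests carrying encoded CR/LF from the start of the known exploitation
window. Log format, paths and parameter names are assumptions; the sample
lines are constructed, not real telemetry.
"""
import re
from datetime import datetime, timezone
from urllib.parse import unquote

EXPLOIT_START = datetime(2026, 2, 23, tzinfo=timezone.utc)  # earliest date in KnownHost telemetry

# One combined-style line: ip ident user [timestamp] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Percent-encoded CR/LF in either case, plus literal control characters after decoding.
CRLF_RE = re.compile(r"%0d|%0a|[\r\n]", re.IGNORECASE)

# Constructed sample log (not real data). Line 1 predates the default window,
# line 3 is double-encoded, line 4 is not a login request.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2026:09:14:03 +0000] "POST /login/?user=guest%0d%0auser%3Droot HTTP/1.1" 200 512
203.0.113.7 - - [23/Feb/2026:02:41:55 +0000] "POST /login/?user=guest%0d%0auser%3Droot HTTP/1.1" 200 512
198.51.100.9 - - [01/Mar/2026:11:00:00 +0000] "GET /login/?user=alice%250Auser%3Droot HTTP/1.1" 403 0
198.51.100.9 - - [05/Mar/2026:11:02:10 +0000] "GET /frontend/index.html?q=%0d%0a HTTP/1.1" 200 2048
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "target": m["target"], "status": int(m["status"])}


def has_crlf(target: str) -> bool:
    """True if the request target carries CR/LF, encoded once or twice.
    The second check decodes one layer so that %250A (-> %0A) is caught too."""
    return bool(CRLF_RE.search(target) or CRLF_RE.search(unquote(target)))


def find_crlf_logins(log_text: str, since=EXPLOIT_START, login_path="/login"):
    """Return parsed records for login-path requests with CR/LF in the target,
    at or after `since` (pass since=None to scan the whole log)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if since is not None and rec["ts"] < since:
            continue
        if not rec["target"].startswith(login_path):
            continue
        if has_crlf(rec["target"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_crlf_logins(SAMPLE_LOG):
        print(hit["ts"].isoformat(), hit["ip"], hit["status"], hit["target"])
```

The default window is a lower bound, not a start date: 23 February is the earliest exploitation KnownHost observed, so run with `since=None` across whatever retention you have. A hit with a 2xx status deserves follow-up on what that source address did next (new sessions, account changes, outbound connections), and a 4xx hit still tells you the host was being probed.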
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

CISA · 8 May 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.