cPanel’s worst security crisis unfolded over the last 10 days. CVE-2026-41940—a critical authentication bypass vulnerability (CVSS 9.8)—was exploited as a zero-day for two months before patches were released on April 28. At least 44,000 servers were compromised, with 7,135 confirmed to have .sorry ransomware deployed, affecting an estimated 70 million hosted websites. On May 8, cPanel quietly released a second emergency security patch addressing three additional vulnerabilities. The community now calls this “cPanel’s Black Week.”
Two Months of Silent Exploitation
The timeline exposes serious gaps in cPanel’s security posture. Attackers began exploiting CVE-2026-41940 on February 23, 2026—a full 65 days before cPanel released its first emergency patch on April 28. By April 30, Shadowserver Foundation reported 44,000 compromised IP addresses actively scanning and brute-forcing additional targets. Furthermore, just 10 days after the initial patch, cPanel issued a second emergency security release on May 8, addressing three more CVEs (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203), two scoring CVSS 8.8.
The rapid succession of critical patches raises uncomfortable questions. Why didn’t cPanel detect two months of exploitation in their own logs? Was the initial patch rushed or incomplete? Security researchers at Panelica note: “Two emergency Technical Security Releases (TSRs) in 10 days suggests the first response may have been rushed.” For sysadmins, this means that even servers patched today may have been compromised during the February-April zero-day window and still require forensic analysis.
How the Attack Works: CRLF Injection Meets Encryption Bypass
The vulnerability chains two separate flaws in cPanel’s session handling. First, attackers exploit a CRLF injection in cPanel’s session writer. The service daemon (cpsrvd) writes new session files to disk before authentication completes. By injecting Carriage Return Line Feed (\r\n) sequences into user-controlled input, attackers insert arbitrary key-value pairs—specifically, cp_auth=1 authentication flags—into session files.
Second, attackers trigger an encryption bypass by manipulating the whostmgrsession cookie, omitting expected segments. This causes cpsrvd to skip normal encryption when writing the session file. The result: unauthenticated attackers gain full root/admin access without ever providing credentials. As security firm Rapid7 explains: “An attacker can craft a request that, when processed by cPanel, writes a session file containing cp_auth=1 before authentication occurs. cPanel then treats this session as fully authenticated.”
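To make the bug class concrete, here is a toy model of a pre-authentication session writer: a naive version that copies values into a key=value file unchecked, beside a hardened version that allowlists fields, refuses control characters, and derives the auth flag from the server's own decision rather than from request input. This is an added example, not cPanel's code; the line-oriented format, the field names and the allowlist are assumptions made for illustration.

```python
"""Toy model of a pre-authentication session writer, illustrating the
CRLF-injection bug class described above next to a hardened writer.

Added example, not cPanel's code: the key=value line format, the field
names and the allowlist are assumptions made for illustration.
"""
import re

# Fields a not-yet-authenticated request may populate (assumed set).
PUBLIC_KEYS = frozenset({"user", "locale", "theme", "remote_addr"})
# Any ASCII control character, \r and \n included, is refused in values.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def serialize_naive(fields: dict) -> str:
    """Vulnerable writer: values are copied into the file unchecked, so a
    value holding a line break becomes an extra key=value line."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def serialize_hardened(fields: dict, authenticated: bool = False) -> str:
    """Hardened writer: allowlisted keys, no control characters in values,
    and cp_auth comes from the server's own decision, never from input."""
    lines = []
    for key, value in fields.items():
        if key not in PUBLIC_KEYS:
            raise ValueError(f"field not permitted before login: {key!r}")
        if not isinstance(value, str) or _CONTROL.search(value):
            raise ValueError(f"control character in value of {key!r}")
        lines.append(f"{key}={value}\n")
    # The privileged flag is appended by the server, after its own check.
    lines.append(f"cp_auth={'1' if authenticated else '0'}\n")
    return "".join(lines)


def parse_session(text: str) -> dict:
    """Line-oriented reader; a repeated key overwrites the earlier value."""
    session = {}
    for line in text.splitlines():
        if line:
            key, _, value = line.partition("=")
            session[key] = value
    return session


def is_authenticated(session: dict) -> bool:
    """The check the rest of the server relies on."""
    return session.get("cp_auth") == "1"


def hardened_rejects(fields: dict) -> bool:
    """True when the hardened writer refuses the input."""
    try:
        serialize_hardened(fields)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: the second value smuggles a line break.
    untrusted = {"user": "guest", "locale": "en\r\ncp_auth=1"}
    print("naive writer yields authenticated session:",
          is_authenticated(parse_session(serialize_naive(untrusted))))
    print("hardened writer rejects the input:", hardened_rejects(untrusted))
```

The design point is that validation alone is not enough: even with control characters stripped, a writer that accepts privileged keys from request data is one parser quirk away from the same outcome, so the hardened version keeps the auth flag out of caller-supplied input entirely.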
The scale of compromise is staggering. Shadowserver Foundation tracked 44,000 compromised IP addresses by April 30. Moreover, Censys Research identified 7,135 servers with .sorry ransomware artifacts—a Go-based Linux encryptor using ChaCha20 encryption with RSA-2048 key protection. The ransomware appends .sorry extensions to encrypted files and drops a README.md ransom note directing victims to a Tox contact for negotiation. With approximately 1.5 million vulnerable cPanel servers globally, an estimated 70 million hosted domains were at risk.
Government Targets and Nation-State Implications
Beyond opportunistic ransomware, sophisticated threat actors targeted government and military entities in Southeast Asia. Ctrl-Alt-Intel researchers detected attacks from IP address 95.111.250[.]175 targeting government and military domains in the Philippines and Laos, along with managed service providers (MSPs) and hosting companies in Canada, South Africa, and the United States. These weren’t automated mass exploits—they were interactive, custom exploit chains.
Attackers exfiltrated approximately 4GB of sensitive data, including Chinese railway-sector documents from an Indonesian defense training portal. After initial compromise via CVE-2026-41940, they established persistent access using OpenVPN backdoors, Ligolo reverse proxies, and systemd services for automatic persistence. This elevates cPanel vulnerabilities from a hosting inconvenience to a national security threat. MSP compromises also create supply chain risks: one MSP breach potentially exposes hundreds of downstream customer environments.
Patch Now, Hunt for Backdoors, Don’t Trust WAFs Alone
Patching alone is insufficient—admins must hunt for indicators of compromise from the February-April zero-day window. Update immediately to patched versions: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. Then inspect session files (located in /var/cpanel/sessions/) for premature cp_auth=1 flags, audit WHM access logs for unusual February-May activity, scan for .sorry encrypted files, check for unauthorized SSH keys, and review systemd services for persistence mechanisms.
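As an added triage helper for the session-file and ransomware checks just listed (not a cPanel or vendor tool), the script below scans a sessions directory for cp_auth=1 flags that look premature and counts .sorry files and adjacent ransom notes under a web root. It assumes session files are plain key=value lines, which may differ from cPanel's real on-disk layout, and its three tamper heuristics (a stray carriage return, a cp_auth key set twice, cp_auth=1 with no user identity) are this example's own reading of "premature", not an official indicator list. The sample files it builds are constructed so it runs offline.

```python
"""Post-patch triage helper for the checks listed above (added example, not a
cPanel or vendor tool). Assumptions: session files are plain key=value lines
(cPanel's real on-disk layout may differ), and the three heuristics for a
"premature" cp_auth=1 flag are this example's own, not an official IoC list.
"""
import os
import tempfile

SESSIONS_DIR = "/var/cpanel/sessions"  # location named in the advisory text
RANSOM_EXT = ".sorry"                  # extension the encryptor appends
RANSOM_NOTE = "README.md"              # file name of the dropped note


def inspect_session_text(text: str) -> list:
    """Return the reasons a session file looks tampered with (empty = clean)."""
    reasons = []
    # Files are \n-terminated; a stray \r suggests an injected CRLF pair.
    if "\r" in text:
        reasons.append("carriage return inside a line")
    pairs = []
    for line in text.split("\n"):
        if line:
            key, _, value = line.rstrip("\r").partition("=")
            pairs.append((key, value))
    keys = [k for k, _ in pairs]
    if keys.count("cp_auth") > 1:
        reasons.append("cp_auth set more than once")
    if ("cp_auth", "1") in pairs and "user" not in keys:
        reasons.append("cp_auth=1 without a user identity")
    return reasons


def scan_sessions(directory: str) -> dict:
    """Map file name -> reasons for every session file that raised a flag."""
    flagged = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        # newline="" keeps \r bytes intact instead of normalising them away.
        with open(path, encoding="utf-8", errors="replace", newline="") as fh:
            reasons = inspect_session_text(fh.read())
        if reasons:
            flagged[name] = reasons
    return flagged


def find_ransomware_artifacts(root: str) -> dict:
    """Count encrypted files and ransom notes. A README.md only counts as a
    note when it sits beside .sorry files, to avoid flagging ordinary repos."""
    encrypted = 0
    notes = 0
    for _dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if f.endswith(RANSOM_EXT)]
        encrypted += len(hits)
        if hits and RANSOM_NOTE in files:
            notes += 1
    return {"encrypted_files": encrypted, "ransom_notes": notes}


def build_sample_tree() -> dict:
    """Constructed sample data so the script runs offline; not real evidence."""
    root = tempfile.mkdtemp(prefix="cpanel-triage-")
    sessions = os.path.join(root, "sessions")
    sites = os.path.join(root, "sites")
    os.makedirs(sessions)
    samples = {
        "clean": "user=alice\nlocale=en\ncp_auth=1\n",
        "injected": "locale=en\r\ncp_auth=1\ncp_auth=0\n",
        "preauth": "cp_auth=1\nlocale=en\n",
    }
    for name, body in samples.items():
        with open(os.path.join(sessions, name), "w", newline="") as fh:
            fh.write(body)
    os.makedirs(os.path.join(sites, "site1"))
    os.makedirs(os.path.join(sites, "site2"))
    for rel in ("site1/index.html.sorry", "site1/README.md", "site2/index.html"):
        with open(os.path.join(sites, rel), "w") as fh:
            fh.write("x")
    return {"sessions": sessions, "sites": sites}


if __name__ == "__main__":
    paths = build_sample_tree()
    target = paths["sessions"]  # on a live host, point this at SESSIONS_DIR
    for name, reasons in scan_sessions(target).items():
        print(f"{name}: {'; '.join(reasons)}")
    print(find_ransomware_artifacts(paths["sites"]))
```

A flagged session file is a lead, not a verdict: pair it with the WHM access log entries for the same time window and with the SSH key and systemd checks from the list above before deciding a host is clean.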
WAF vendors including Cloudflare, Imperva, and BitNinja deployed emergency protection rules on April 30. However, these are temporary mitigations, not fixes. Cloudflare’s security team was explicit: “WAF protection is NOT a substitute for patching. The only complete remediation is applying the vendor update.” WAFs cannot fix the underlying session-handling flaw. Attackers may have already left backdoors during the two-month zero-day window, and WAFs won’t detect post-exploitation persistence.
Key Takeaways
- Update immediately to patched cPanel versions (11.110.0.97+, 11.118.0.63+, 11.126.0.54+, 11.132.0.29+, 11.134.0.20+, 11.136.0.5+)
- Check for compromise from February-April 2026: inspect session files, audit WHM logs, scan for .sorry ransomware artifacts, review SSH keys and systemd services
- Don’t rely on WAFs alone—they’re temporary mitigations, not substitutes for patching the root cause
- Evaluate control panel risk—cPanel’s “Black Week” highlights systemic risks of centralized hosting infrastructure managing 70 million domains