cPanel CVE-2026-41940 Exploited Within 24 Hours, Ransomware Deployed

CVE-2026-41940, a critical cPanel authentication bypass, is being actively exploited by multiple actors deploying ransomware and C2 tools against governments and MSPs across five countries.

    Multiple threat actors began exploiting CVE-2026-41940, a critical authentication bypass in cPanel and WebHost Manager (WHM), within 24 hours of a public proof-of-concept being published. Initial exploitation was detected on May 2, 2026, with attackers deploying ransomware, botnet malware, and command-and-control frameworks against government agencies, military domains, and managed service providers across five countries.

    How CVE-2026-41940 Allows Unauthenticated Privilege Escalation in cPanel and WHM

    CVE-2026-41940 is an authentication bypass vulnerability affecting all supported versions of cPanel and WHM. The flaw allows a remote, unauthenticated attacker to gain elevated control of the hosting control panel — effectively administrator-level access — without presenting valid credentials. The vulnerability was disclosed in April 2026; exploitation began on May 2 after public proof-of-concept code appeared online.

    Attacks originated from IP address 95.111.250[.]175, according to threat intelligence sources cited by Help Net Security. The weaponization timeline — from PoC publication to active exploitation in under 24 hours — matches a pattern observed across other recent critical-severity hosting-platform vulnerabilities.

    Peak Exploitation: 44,000 Compromised IPs Observed Before Cleanup Began

    Exploitation volume peaked at approximately 44,000 compromised IP addresses observed on April 30, 2026, dropping to roughly 3,540 by May 3 as emergency cleanup efforts and automated response systems processed affected hosts, according to Help Net Security. The rapid decline in compromised IPs reflects both remediation activity and the opportunistic scanning behavior characteristic of botnet operators, who typically prioritize newly discovered vulnerable hosts before moving on.

    Sorry Ransomware, AdaptixC2, and Mirai Variants Deployed Across Victims

    Attackers deployed at least three distinct malware families, with the choice depending on the target. The “Sorry” ransomware, a Go-based Linux encryptor that appends the .sorry extension to the files it encrypts, was deployed against compromised servers. The AdaptixC2 post-exploitation framework was used to establish persistent command-and-control access. Mirai botnet variants were also observed, consistent with opportunistic mass exploitation of internet-facing servers. Attackers additionally installed OpenVPN and the Ligolo tunneling tool to keep a network foothold after the initial compromise.
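    The indicators in the two preceding sections (the reported source IP 95.111.250[.]175, the .sorry extension and the Ligolo/OpenVPN/AdaptixC2 tooling) are enough to write a first-pass hunt for a cPanel/WHM host. The script below is an added example and is not cPanel's own detection script or anything from the reporting; it assumes that /usr/local/cpanel/logs/access_log uses an Apache-style combined format, that a non-"-" user field on a request from the indicator IP means the bypass yielded an authenticated session, and that the sample log and ps lines embedded in it are constructed, not captured from a real server. Name-matching running processes is the weakest of the checks, since attackers routinely rename Ligolo and OpenVPN binaries; treat it as a hint to pivot into network connections, not as a verdict.

```python
#!/usr/bin/env python3
"""Added example: hunt a cPanel/WHM host for indicators of the CVE-2026-41940 campaign.

Not cPanel's detection script. Indicators are those given in the reporting
(attacker IP, .sorry extension, Ligolo/OpenVPN/AdaptixC2); the log format,
the meaning of the user field and all sample data are assumptions.
"""
import re
from pathlib import Path
from typing import Iterable

ATTACKER_IPS = {"95.111.250.175"}                     # reported attack source (de-fanged on the page)
RANSOM_EXT = ".sorry"                                  # extension appended by the Sorry encryptor
PERSISTENCE_TOOLS = ("ligolo", "adaptix", "openvpn")   # observed post-compromise tooling

# ASSUMED Apache-style combined format for /usr/local/cpanel/logs/access_log:
# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# CONSTRUCTED sample log lines for the demonstration; not real traffic.
SAMPLE_ACCESS_LOG = """\
95.111.250.175 - - [02/May/2026:03:14:07 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - root [02/May/2026:03:15:22 +0000] "GET /cpsess1234567890/scripts/command?PFILE=main HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
95.111.250.175 - root [02/May/2026:03:15:40 +0000] "GET /cpsess1234567890/json-api/listaccts HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.4 - user1 [02/May/2026:04:00:01 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
this line is not in the expected format and must be skipped
"""

# CONSTRUCTED sample of `ps -eo pid,comm,args` output; not from a real host.
SAMPLE_PS = """\
  PID COMMAND  ARGS
 1021 sshd     /usr/sbin/sshd -D
 4410 ligolo-a /tmp/.x/ligolo-agent -connect 203.0.113.50:11601 -ignore-cert
 4412 openvpn  /usr/sbin/openvpn --config /tmp/.x/c.ovpn
 5001 httpd    /usr/sbin/httpd -k start
"""


def parse_access_log(text: str) -> list[dict]:
    """Parse log text into dicts; lines that do not match the assumed format are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def attacker_hits(entries: Iterable[dict]) -> list[dict]:
    """Every request from a known attacker IP, successful or not."""
    return [e for e in entries if e["ip"] in ATTACKER_IPS]


def privileged_hits_from_attacker(entries: Iterable[dict]) -> list[dict]:
    """Attacker requests that carried an authenticated user (assumption: bypass succeeded)."""
    return [e for e in attacker_hits(entries) if e["user"] not in ("-", "")]


def ransomware_artifacts(names: Iterable[str]) -> list[str]:
    """File names carrying the Sorry ransomware extension."""
    return [n for n in names if n.lower().endswith(RANSOM_EXT)]


def scan_tree_for_ransomware(root: Path) -> list[str]:
    """Walk a directory tree (e.g. /home on a cPanel host) for .sorry files."""
    return ransomware_artifacts(str(p) for p in root.rglob("*") if p.is_file())


def suspicious_processes(ps_lines: Iterable[str]) -> list[str]:
    """Process listing lines naming an observed persistence tool (weak: binaries get renamed)."""
    return [line.strip() for line in ps_lines
            if any(tool in line.lower() for tool in PERSISTENCE_TOOLS)]


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print(f"parsed {len(entries)} log entries")
    for e in attacker_hits(entries):
        print("attacker request:", e["ip"], e["user"], e["method"], e["path"], e["status"])
    for e in privileged_hits_from_attacker(entries):
        print("AUTHENTICATED attacker request (likely bypass):", e["path"])
    for line in suspicious_processes(SAMPLE_PS.splitlines()):
        print("suspicious process:", line)
    # On a real host, replace the sample data with the live sources, e.g.:
    #   parse_access_log(Path("/usr/local/cpanel/logs/access_log").read_text(errors="replace"))
    #   scan_tree_for_ransomware(Path("/home"))
```

    Run it as root on the suspect host after swapping the constructed samples for the live access_log, a `ps -eo pid,comm,args` capture and a scan of /home; an authenticated request from the indicator IP is the line that turns "scanned" into "compromised" and should start the incident-response clock.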

    Targets: Philippine and Laotian Government Domains, MSPs in Five Countries

    Primary targets identified in early exploitation activity included government and military domains in the Philippines and Laos, according to threat intelligence reporting. Additional victims span managed service providers and hosting companies in the Philippines, Laos, Canada, South Africa, and the United States, according to Help Net Security and Cybersecurity Dive.

    The targeting of MSPs carries compounding risk: a single compromised MSP may manage hosting environments for dozens or hundreds of client organizations. Attackers who gain cPanel administrator access through CVE-2026-41940 can access all hosted accounts on a server, not just the MSP’s own infrastructure.

    Why MSP Compromise Through cPanel CVE-2026-41940 Creates Cascading Exposure

    An authentication bypass at the cPanel level grants control over the entire hosting environment managed by that panel — including client websites, email accounts, databases, and file systems. For MSPs operating shared hosting infrastructure, a single compromised cPanel instance can expose all accounts on that server simultaneously. The deployment of persistent access tools including OpenVPN and Ligolo suggests attackers intended to maintain long-term footholds rather than conduct purely opportunistic ransomware drops.

    The Go-based Sorry ransomware is specifically engineered for Linux server environments, targeting the server operating systems that underpin most cPanel deployments. Its use alongside a C2 framework indicates some attackers were conducting staged operations — establishing control before encrypting systems — rather than deploying ransomware immediately on access.

    Patch Status and cPanel’s Response to CVE-2026-41940

    cPanel released a detection script and a full patch for CVE-2026-41940 following confirmed exploitation. All cPanel and WHM deployments running supported versions are affected; no version or configuration has been identified as inherently protected against the authentication bypass.

    Given the 24-hour weaponization timeline observed with this vulnerability, unpatched cPanel and WHM installations face active exploitation risk from multiple independent threat actors operating simultaneously. The volume of observed compromised IPs — even after significant cleanup — indicates the attack surface remains meaningful.
