cPanel Vulnerability Exploited in Mass Ransomware Campaign
A newly disclosed critical flaw in cPanel is being actively exploited to breach websites and deploy 'Sorry' ransomware across multiple targets.
A critical vulnerability in cPanel, tracked as CVE-2026-41940, is under active mass exploitation by threat actors deploying ransomware identified as 'Sorry.' The flaw allows attackers to breach websites hosted on affected cPanel installations and encrypt data.
The vulnerability's severity and the scale of exploitation suggest attackers are targeting web hosting environments where cPanel is widely deployed. cPanel is used by millions of websites globally, making the attack surface substantial. The 'Sorry' ransomware campaign appears coordinated, with multiple breaches reported in a compressed timeframe.
The disclosure timing indicates the flaw may have been exploited as a zero-day before public acknowledgment. Organizations running cPanel infrastructure face immediate risk if patches have not been applied. The ransomware's naming convention — 'Sorry' — follows recent trends of threat actors using ironic or apologetic branding.
- Web hosting providers face immediate breach risk if cPanel instances remain unpatched.
- Website owners on shared hosting may experience data loss or service disruption.
- Security teams must audit cPanel deployments and monitor for ransomware indicators.
- Delayed patch availability extends exposure window for mass exploitation.