CVE-2026-41940: Critical cPanel Flaw Mass-Exploited in 'Sorry' Ransomware Attacks — Detection and Remediation

A critical vulnerability in cPanel & WHM software, tracked as CVE-2026-41940, is currently being mass-exploited in the wild. Active campaigns are leveraging this flaw to deliver a new ransomware strain dubbed "Sorry," which encrypts web hosting data and leaves ransom notes on compromised servers.

For defenders, this is not a theoretical risk. CVE-2026-41940 allows unauthenticated remote code execution (RCE) on affected versions of cPanel. Given cPanel's dominance in the web hosting market, this vulnerability presents a significant attack surface for supply-chain attacks, affecting shared hosting providers, managed service providers, and individual businesses alike. If you manage cPanel instances, your risk of imminent compromise is high.

Technical Analysis

Affected Products:

• cPanel & WHM software versions prior to 118.0.0 (specific branches vary, see vendor advisory).
• Platforms: Linux distributions including CentOS 7, CloudLinux 7, AlmaLinux 8, and Rocky Linux 8.

Vulnerability Details:

• CVE ID: CVE-2026-41940
• CVSS Score: 9.8 (Critical)
• Vulnerability Class: Remote Code Execution (RCE)

Attack Chain:

1. Initial Access: Attackers scan for cPanel ports (2082/2083/2086/2087). They exploit CVE-2026-41940 to bypass authentication or inject code via vulnerable API endpoints.
2. Execution: The exploit spawns a reverse shell or executes a bash script directly with nobody or root privileges, depending on the specific configuration.
3. Payload Delivery: The script downloads the "Sorry" ransomware binary from a remote command and control (C2) server.
4. Impact: The ransomware enumerates mounted file systems (often including secondary storage drives) and encrypts web files, databases, and backups. Files are appended with a specific extension (e.g., .sorry) or a random hex extension depending on the variant configuration.

Exploitation Status:

• Confirmed Active Exploitation: Yes. Mass exploitation campaigns are ongoing.
• CISA KEV: Expected to be added imminently given the severity.

Detection & Response

Defenders must assume that scanning activity is already occurring. Below are detection mechanisms to identify successful exploitation and the subsequent ransomware activity.

Sigma Rules

The following rules target the suspicious process execution patterns associated with the "Sorry" ransomware and the web-shell activity often seen following CVE-2026-41940 exploitation.

---
title: Potential cPanel CVE-2026-41940 Exploitation - Web Shell Spawn
id: 8a2c1e55-9f3d-4b2a-8c1d-9e5f6a7b8c9d
status: experimental
description: Detects potential exploitation of cPanel RCE (CVE-2026-41940) via suspicious process spawning by the web server user (nobody or cpanel user).
references:
  - https://docs.cpanel.net/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.41940
logsource:
  product: linux
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '/usr/sbin/httpd'
      - '/usr/sbin/apache2'
      - '/usr/local/cpanel/bin/cpsrvd'
  selection_child:
    Image|endswith:
      - '/bin/bash'
      - '/bin/sh'
      - '/bin/perl'
      - '/usr/bin/python'
      - '/usr/bin/php'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative scripts executed via web interface
level: high
---
title: Sorry Ransomware Execution
id: 3b4d5e6f-7g8h-9i0j-1k2l-3m4n5o6p7q8r
status: experimental
description: Detects the execution of binaries or scripts associated with the "Sorry" ransomware observed in CVE-2026-41940 exploitation chains.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1486
logsource:
  product: linux
  category: process_creation
detection:
  selection_img:
    Image|contains:
      - 'sorry'
      - 'encrypt'
      - 'lock'
      - '/tmp/.X11' # Common hiding spot for web shells/payloads
  selection_cli:
    CommandLine|contains:
      - '--encrypt'
      - '-k '
      - 'rsa'
  condition: 1 of selection_*
falsepositives:
  - Legitimate administration tools named similarly (rare)
level: critical

KQL (Microsoft Sentinel / Defender)

Use this query to hunt for process creation events indicative of the ransomware or the exploit chain. This targets DeviceProcessEvents (Microsoft Defender for Endpoint) or Syslog (Linux auditd forwarding).

// Hunt for Sorry Ransomware and cPanel Exploitation indicators
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessCommandLine has_all ("encrypt", "--key") 
        or ProcessCommandLine has "-k " 
        or FileName has "sorry" 
        or ProcessVersionInfoOriginalFileName contains "sorry")
| extend AccountCustom = strcat(AccountDomain, "\\", AccountName)
| project Timestamp, DeviceName, AccountCustom, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of the ransomware binary in common execution paths and checks for recently modified files with suspicious extensions associated with the "Sorry" ransomware.

-- Hunt for Sorry Ransomware artifacts
SELECT 
  FullPath, 
  Size, 
  Mtime, 
  Mode.String AS Perms
FROM glob(globs=["/tmp/sorry", "/var/tmp/sorry", "/dev/shm/sorry", "/home/*/public_html/*/.sorry*"])
WHERE Mtime > now() - 7d

-- Hunt for suspicious processes spawned by web server users
SELECT 
  Pid, 
  Ppid, 
  Name, 
  CommandLine, 
  Username, 
  Ctime
FROM pslist()
WHERE Name IN ("bash", "sh", "perl", "python3") 
  AND Username IN ("nobody", "apache", "www-data", "cpanel")
  AND CommandLine =~ "(curl|wget|nc|perl -e|python -c)"

Remediation Script (Bash)

This script checks the cPanel version against the patched versions (simulated check for the context of CVE-2026-41940) and forces an update if necessary. Note: Always test update scripts in a staging environment first.

#!/bin/bash
# CVE-2026-41940 Emergency Remediation Script
# Checks cPanel version and forces update to patched build.

LOG_FILE="/var/log/cpanel_remediation.log"
REQUIRED_VERSION="118.0.0"

echo "[$(date)] Starting remediation for CVE-2026-41940" >> $LOG_FILE

# Check if running as root
if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root" >&2
   exit 1
fi

# Get current cPanel version
CURRENT_VERSION=$( /usr/local/cpanel/cpanel -V )
echo "[$(date)] Current cPanel version: $CURRENT_VERSION" >> $LOG_FILE

# Function to compare versions (simplified)
# In production, use a robust version comparison logic
if [[ "$CURRENT_VERSION" < "$REQUIRED_VERSION" ]]; then
    echo "[$(date)] Version is vulnerable. Initiating forced update..." >> $LOG_FILE
    
    # Execute cPanel update script
    # /scripts/upcp is the standard updater
    /usr/local/cpanel/scripts/upcp --force
    
    if [ $? -eq 0 ]; then
        echo "[$(date)] Update completed successfully." >> $LOG_FILE
        echo "Please verify the version manually."
    else
        echo "[$(date)] Update failed. Check /var/log/cpanel-install.log" >> $LOG_FILE
    fi
else
    echo "[$(date)] System version $CURRENT_VERSION meets the minimum requirement $REQUIRED_VERSION." >> $LOG_FILE
fi

echo "[$(date)] Remediation script finished." >> $LOG_FILE

Remediation

Given the active exploitation status, patching must be treated as an emergency activity.

1. Immediate Patching: Update to the latest stable release of cPanel & WHM immediately. Vendors have released patches addressing CVE-2026-41940 in branches 11.118 and 11.120.
   • Action: Run /usr/local/cpanel/scripts/upcp --force via SSH.
2. Verify Patch: After the update, verify the version in the WHM interface "Server Status" or via CLI /usr/local/cpanel/cpanel -V.
3. Incident Response Check: If exploitation is suspected:
   • Isolate affected servers from the network immediately.
   • Check for the presence of /tmp/sorry or /tmp/.X11 (web shell).
   • Review /usr/local/cpanel/logs/access_log and /usr/local/apache/logs/error_log for anomalous POST requests to cpsrvd or -api endpoints around the time of compromise.
4. Backup Validation: Ensure offline, immutable backups are available. Do not rely on local backups that may have been encrypted or deleted by the "Sorry" ransomware.
5. Vendor Advisory: Monitor the official cPanel Security Advisory for the specific patched versions corresponding to your support tier.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub