The situation around the critical cPanel authentication bypass vulnerability (CVE-2026-41940) has deteriorated significantly since our initial coverage. Exploratory probing has evolved into multi-actor exploitation, leading to disrupted websites, ransomware and malware deployment, and targeted attacks.

“Sorry” ransomware

Attackers have taken advantage of CVE-2026-41940 to mass-exploit vulnerable internet-facing cPanel instances to breach servers, deface websites and encrypt data. The ransomware used in some of the attacks is a Go(Lang)-based Linux encryptor that encrypts files and appends …

The post Multiple threat actors actively exploit cPanel vulnerability (CVE-2026-41940) appeared first on Help Net Security.
A critical authentication bypass vulnerability (CVE-2026-41940, CVSS 9.8) in cPanel is being actively exploited by multiple threat actors to breach servers, deploy ransomware like "Sorry," and deface websites. Affected versions include cPanel 11.40 through versions below 86.0.41, 88.0.0 through versions below 110.0.97, 112.0.0 through versions below 118.0.63, 120.0.0 through versions below 126.0.54, and 128.0.0 through versions below 130.0.19. The vulnerability is fixed in multiple specific versions, including 86.0.41, 110.0.97, 118.0.63, 126.0.54, 130.0.19, 132.0.29, 134.0.20, 136.0.5, and 136.1.7.
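
For triaging an inventory against the version ranges listed above, a small checker follows. It is an added example, not code from cPanel or Help Net Security; the function names and the "review" and "not-listed" labels are assumptions, and version strings are expected in the same dotted notation the summary uses.

```python
# Added example: version data transcribed from the summary above.
# Input must use the same dotted notation as the page (e.g. "110.0.96").

# Affected ranges, half-open: low <= version < high.
AFFECTED = [
    ("11.40", "86.0.41"),
    ("88.0.0", "110.0.97"),
    ("112.0.0", "118.0.63"),
    ("120.0.0", "126.0.54"),
    ("128.0.0", "130.0.19"),
]
# Builds the summary names as containing the fix.
FIXED = ["86.0.41", "110.0.97", "118.0.63", "126.0.54", "130.0.19",
         "132.0.29", "134.0.20", "136.0.5", "136.1.7"]


def parse(version):
    """Turn '110.0.96' into (110, 0, 96); short forms are zero-padded."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def classify(version):
    """Return 'affected', 'fixed', 'review' or 'not-listed' (hypothetical labels)."""
    v = parse(version)
    for low, high in AFFECTED:
        if parse(low) <= v < parse(high):
            return "affected"
    for fixed in map(parse, FIXED):
        if v[:2] == fixed[:2]:
            # Same branch as a fixed build. Below it, the summary gives no
            # affected range for this branch, so flag it for manual review.
            return "fixed" if v >= fixed else "review"
    return "not-listed"  # the summary says nothing about this version


if __name__ == "__main__":
    # Constructed sample inventory.
    for host, ver in [("web01", "110.0.96"), ("web02", "130.0.19"),
                      ("web03", "132.0.10"), ("web04", "87.0.1")]:
        print(f"{host}\t{ver}\t{classify(ver)}")
```

Hosts reported as "review" or "not-listed" fall outside what the summary states and should be checked against the vendor advisory.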