cPanel Flaw: What the 'Sorry' Ransomware Attacks Mean for Shared Hosting

It's May 2, 2026, and if you're running cPanel, you're probably still reeling from the "Sorry" ransomware attacks. The frustration in the sysadmin community is palpable. We're talking about a critical cPanel flaw, CVE-2026-41940, that was actively exploited for over two months before a patch even landed. Two months. That's a lifetime in security, and it gave attackers a wide-open door to what many are calling the "keys to the kingdom" on Linux web servers.

cPanel's Zero-Day: What "Sorry" Ransomware Tells Us About Shared Hosting's Future

This isn't just another vulnerability. This is a stark reminder of how fragile our web infrastructure can be, especially when a single piece of software like cPanel sits at the heart of millions of domains. This particular cPanel flaw exposed the deep risks of centralized hosting management. The mainstream narrative focuses on the patch for this cPanel flaw, but that's only part of the story. The real problem here goes deeper, into the architecture of shared hosting and the evolving tactics of ransomware groups.

How a CRLF Injection Became Root: Understanding the cPanel Flaw

Here's what actually happened, step by step. The "Sorry" ransomware crew exploited a critical cPanel flaw, an authentication bypass in cPanel's session handling mechanism. It all started with a clever CRLF (Carriage Return Line Feed) injection.

First, the attackers crafted a malicious HTTP Basic authorization header. This header wasn't just for authentication; it contained specially placed CRLF characters. When cPanel's `cpsrvd` daemon processed this unsanitized input, it didn't just read the header; it wrote those CRLF characters directly into the session file.

Think of it like this: `cpsrvd` was supposed to write a clean line in a logbook, but the attacker slipped in extra lines that looked like legitimate entries.

After that, the session file was poisoned. The injected line breaks let the attackers write arbitrary key/value pairs into the session file. Specifically, they added `user=root`, `hasroot=1`, and `tfa_verified=1`. This effectively tricked cPanel into thinking the unauthenticated attacker was a verified root user.

That's it. Privilege escalation to root, done.

And to make things worse, they even tried to cover their tracks. The attack chain included a falsified log entry: "FAILED LOGIN whostmgrd: user password incorrect." This is a classic SIEM evasion tactic, designed to make a successful root login look like a failed attempt, pushing it down the priority list for any analyst looking at logs. I've seen this kind of misdirection before, and it's effective if you're not looking closely.
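
To make the mechanism concrete, here is an added Python illustration, not cPanel's code: the line-oriented `key=value` session format, the field names and the `CRAFTED_HEADER_VALUE` are constructed stand-ins. It puts a writer that copies a header value verbatim beside one that rejects control characters, and a reader that shows the extra records the naive writer produces.

```python
import re

# Fields that grant privilege once present in a session record (as named in the
# write-up); nothing derived from an unauthenticated request may set them.
PRIVILEGE_KEYS = {"user", "hasroot", "tfa_verified"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed stand-in for a header value carrying CRLF; not a real cPanel payload.
CRAFTED_HEADER_VALUE = "guest\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1"


def write_session_naive(record: dict[str, str]) -> str:
    """The pattern the write-up describes: one key=value per line, values
    copied verbatim, so CR/LF inside a value silently starts new records."""
    return "".join(f"{k}={v}\n" for k, v in record.items())

def write_session_hardened(record: dict[str, str]) -> str:
    """Refuse control characters in keys and values before they reach the
    line-oriented store, so one header can only ever become one field."""
    for k, v in record.items():
        if CONTROL_CHARS.search(k) or CONTROL_CHARS.search(v):
            raise ValueError(f"control character in session field {k!r}")
    return write_session_naive(record)

def parse_session(text: str) -> dict[str, str]:
    """Read the store back the way a line-oriented consumer would."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields

def privilege_fields_from_request(record: dict[str, str]) -> set[str]:
    """Privilege keys a request-controlled record ends up setting when written
    naively; with the hardened writer this set is unreachable."""
    return PRIVILEGE_KEYS & set(parse_session(write_session_naive(record)))

def hardened_accepts(record: dict[str, str]) -> bool:
    """True if the hardened writer would store the record unchanged."""
    try:
        write_session_hardened(record)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    req = {"auth_user": CRAFTED_HEADER_VALUE}
    print(sorted(privilege_fields_from_request(req)))  # ['hasroot', 'tfa_verified', 'user']
    print(hardened_accepts(req))                        # False
```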

The Blast Radius and Why a Patch Isn't Enough

The impact of this cPanel flaw is staggering. We're talking about thousands of Linux servers encrypted, affecting an estimated 70 million domains globally. Shodan scans showed around 1.5 million internet-exposed cPanel instances when this came to light. By May 1, roughly 80% of newly identified malicious hosts were running cPanel/WHM, with about 15,000 cPanel systems flagged as malicious in a single day. That's a flood.

The "Sorry" ransomware encrypts files with a `.sorry` extension and drops a `README.md` ransom note. There's no public decryption utility, and the attackers are using qTox for communication, which is a peer-to-peer, end-to-end encrypted messaging app. This makes tracking and negotiation incredibly difficult.

But here's the part that really worries me, and it's what many sysadmins on Reddit and Hacker News are talking about: the persistence mechanisms. This wasn't a smash-and-grab. The attackers set up shop.

  • SSH Key Injection: They appended their `ed25519` public keys to `/root/.ssh/authorized_keys`. This means they can just SSH back in as root whenever they want.
  • Hidden SUID Binary: A 964 KB ELF binary was dropped at `/usr/bin/.system_cache` with the Set-User-ID bit. This lets a low-privilege user execute it with root privileges. It's a backdoor that's hard to spot.
  • Cron Job C2 Beacons: Daily callback scripts were set up at `/etc/cron.daily/cpanel_sync`. These are command-and-control beacons, ensuring persistent communication.
  • Bashrc Execution Hooks: Malicious droppers were appended to `/root/.bashrc`, meaning every time root logs in, the attacker's code runs.

This multi-layered persistence means that simply patching the cPanel flaw isn't enough. If you just patch, you're closing the front door while the attackers still have multiple backdoors, side windows, and a secret tunnel. Many users rely on their hosting providers for patching, but if those providers aren't also sterilizing these persistence mechanisms, the systems are still compromised. This is why some are advocating for complete system sterilization, a full rebuild, which is a massive undertaking.

This incident also highlights a worrying trend: financially motivated ransomware groups are now weaponizing zero-days at a scale previously associated with nation-state actors. The exploitation of this cPanel flaw is a prime example. This isn't about opportunistic scanning anymore; it's about sophisticated initial access.

What We Do Now

The CISA directive on April 30, adding CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, and the May 3 deadline for federal agencies show how serious this cPanel flaw is. For cPanel administrators, the path forward is clear, but it's not easy.

  1. Immediate Containment: Block external access to TCP ports 2083 (cPanel) and 2087 (WHM) at your firewall. This is a non-negotiable first step to cut off active exploitation of the cPanel flaw.
  2. Sterilize Persistence: You have to hunt down and remove every single backdoor.
    • Audit `/root/.ssh/authorized_keys` for any unfamiliar keys.
    • Find hidden SUID binaries with `find / -perm -4000 -type f`. Look for anything suspicious, especially in unexpected locations like `/usr/bin/.system_cache`.
    • Remove malicious cron jobs, particularly `/etc/cron.daily/cpanel_sync`.
    • Cleanse `/root/.bashrc` of any appended malicious droppers.
  3. Emergency Patching: Run `/scripts/upcp --force` to upgrade to safe versions (11.136.0.5 or later). This closes the initial vulnerability.
  4. Immutable Backups: If you don't have them, get them. Autonomous snapshot systems, like AWS FSx ONTAP’s ARP, are essential. If you get hit, you need a clean, uncorrupted restore point that the attackers can't touch.
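
The persistence hunt in step 2, as an added Python example that is not part of the original post: `audit()` takes a root directory (so the same checks run against `/`, a mounted image or a chroot) and reports the four artifact types listed above. The `known_keys` allowlist, the `.bashrc` baseline and the compromised tree that `demo()` builds in a temp directory are assumptions constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Artifacts named in the write-up, relative to the audited root so the same
# checks run against a live system ("/"), a mounted image or a chroot.
AUTH_KEYS = Path("root/.ssh/authorized_keys")
BASHRC = Path("root/.bashrc")
CRON_DROP = Path("etc/cron.daily/cpanel_sync")

def audit(root: Path, known_keys: set[str], bashrc_baseline: set[str]) -> dict:
    """Return indicators found under `root`, grouped by persistence type."""
    report = {"ssh_keys": [], "hidden_suid": [], "cron": [], "bashrc": []}
    keys = root / AUTH_KEYS
    if keys.exists():   # any key not on the allowlist is a finding
        report["ssh_keys"] = [l.strip() for l in keys.read_text().splitlines()
                              if l.strip() and l.strip() not in known_keys]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            mode = (Path(dirpath) / name).lstat().st_mode
            # regular file, set-user-id bit set, dotfile name such as .system_cache
            if stat.S_ISREG(mode) and mode & stat.S_ISUID and name.startswith("."):
                report["hidden_suid"].append(str((Path(dirpath) / name).relative_to(root)))
    if (root / CRON_DROP).exists():
        report["cron"].append(str(CRON_DROP))
    rc = root / BASHRC
    if rc.exists():   # lines not in the known-good baseline are appended hooks
        report["bashrc"] = [l for l in rc.read_text().splitlines()
                            if l.strip() and l not in bashrc_baseline]
    return report

def demo() -> dict:
    """Build a constructed compromised tree in a temp dir and audit it."""
    base = Path(tempfile.mkdtemp())
    for sub in ("root/.ssh", "etc/cron.daily", "usr/bin"):
        (base / sub).mkdir(parents=True)
    good_key = "ssh-ed25519 AAAA_admin_key_placeholder admin@example.invalid"
    bad_key = "ssh-ed25519 AAAA_unknown_key_placeholder"
    (base / AUTH_KEYS).write_text(f"{good_key}\n{bad_key}\n")
    (base / CRON_DROP).write_text("#!/bin/sh\n# constructed beacon stand-in\n")
    suid = base / "usr/bin/.system_cache"
    suid.write_bytes(b"\x7fELF")     # constructed stub, not a real binary
    suid.chmod(0o4755)               # set-user-id bit, as in the write-up
    (base / BASHRC).write_text("# .bashrc\numask 022\n. /tmp/.dropper_placeholder\n")
    return audit(base, {good_key}, {"# .bashrc", "umask 022"})

if __name__ == "__main__":
    print(demo())
```

On a real host, run it as root against `Path("/")` with an allowlist built from your key inventory; anything it reports is a candidate for removal, not proof of compromise on its own.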

This incident makes it clear that relying on custom session handling in complex software like cPanel, rather than battle-tested, simpler solutions, can introduce significant risk. When a single cPanel flaw in a widely deployed platform gives root access, the blast radius is enormous. Hosting providers, in particular, need to re-evaluate their security posture. They are the new soft underbelly of the internet, and this "Sorry" ransomware attack proves it. We need systemic architectural improvements, not just reactive patching, to truly secure these environments against future cPanel flaws.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.