CVE-2026-41940 Exploit: 44,000 cPanel Servers Compromised Globally

The global web hosting ecosystem is currently reeling from what experts are calling a digital tsunami. On May 2, 2026, the Shadowserver Foundation and multiple threat intelligence agencies confirmed a massive, coordinated campaign targeting the heart of the internet’s infrastructure. The CVE-2026-41940 exploit has emerged as the primary weapon in this onslaught, a critical authentication bypass vulnerability that has already compromised more than 44,000 servers worldwide. With a CVSS score of 9.8, the flaw represents a “near-total” failure of the authentication gates for cPanel & WHM, the industry-standard control panels that manage an estimated 70 million domains globally.
The speed of this crisis is unprecedented. While the official security advisory and emergency patches were released by WebPros (the parent company of cPanel) on April 28, 2026, the subsequent release of public proof-of-concept (PoC) exploit code has acted as an accelerant. What began as targeted zero-day activity—allegedly traced back as far as February 2026—has evolved into a high-speed “smash and grab” operation. For server administrators, the clock is no longer ticking; it has already run out for tens of thousands of systems now being used to deploy the “Sorry” ransomware.
Deconstructing the CVE-2026-41940 Exploit: How It Works
To understand the severity of the CVE-2026-41940 exploit, one must look at the internal session-handling mechanisms of cpsrvd, the cPanel service daemon. The vulnerability is fundamentally a Carriage Return Line Feed (CRLF) injection flaw that resides in how cPanel processes HTTP Basic Authentication headers. Specifically, the system fails to sanitize the password field during the initial login handshake, allowing an unauthenticated attacker to inject raw \r\n characters into the server-side session store.
The Anatomy of the Session Bypass
When a user attempts to log in to cPanel or WHM (Web Host Manager), cpsrvd generates a temporary session file on disk, typically located in /var/cpanel/sessions/raw/. This file is created even if the authentication attempt has not yet succeeded. By crafting a malicious Authorization: Basic header, an attacker can trick the server into writing arbitrary key-value pairs directly into this session file. Because cPanel’s session files are line-delimited text files, each injected CRLF sequence terminates the current line, and the text that follows it is read back as a legitimate session attribute.
In a successful CVE-2026-41940 exploit chain, an attacker typically injects the following variables into their session:
- user=root: Assigns root privileges to the session.
- hasroot=1: Signals to the WHM interface that the user has administrative rights.
- tfa_verified=1: Bypasses mandatory Multi-Factor Authentication (MFA) requirements.
- successful_internal_auth_with_timestamp=[current_time]: Marks the session as having completed internal authentication at the given time.
The second stage of the exploit involves a clever manipulation of the whostmgrsession cookie. Researchers from watchTowr Labs discovered that by removing a specific comma-delimited segment of the session cookie (the obhex part), an attacker can prevent the server from re-encrypting or overwriting the injected plaintext data. When the server reloads the session from the disk to process the next request, it finds a “fully authenticated” root session waiting for it. The attacker gains total administrative control without ever having provided a valid username or password.
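The session-file stage described above, as an added model written for this article rather than cpsrvd code. It writes a pre-authentication session record as line-delimited key=value text, feeds it a Basic-auth password that carries \r\n, and shows the naive line reader then returning the injected attributes; the hardened serializer beside it rejects the same input. The record layout, the field names not listed above (method, pass_attempt), the "last line wins" parsing rule and the helper names are assumptions; the cookie-segment stage is not modelled.

```python
import base64
import re
import time

# Added model, not cPanel code. Assumptions: the pre-auth session record is a
# line-delimited file of key=value pairs, the failed credential is written into
# that record, and when a key appears twice the later line wins.
CRLF = "\r\n"
_CTRL = re.compile(r"[\r\n\x00]")


def basic_header(user, password):
    """Build an 'Authorization: Basic' value; latin-1 keeps CR/LF bytes verbatim."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Decode 'Basic <base64(user:password)>' into (user, password)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(b64).decode("latin-1").partition(":")
    return user, password


def _write_lines(fields):
    return "".join(f"{k}={v}{CRLF}" for k, v in fields.items())


def serialize_vulnerable(fields):
    """The flaw: values are interpolated unescaped, so a CRLF inside a value ends
    the current line and everything after it becomes new attributes."""
    return _write_lines(fields)


def serialize_hardened(fields):
    """Fix: refuse any field containing CR, LF or NUL before it reaches the
    line-delimited store (percent-encoding the value is the alternative)."""
    for k, v in fields.items():
        if _CTRL.search(str(k)) or _CTRL.search(str(v)):
            raise ValueError(f"control character in session field {k!r}")
    return _write_lines(fields)


def load_session(text):
    """Parse the store the way a naive line-oriented reader would."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value  # a repeated key is overwritten by the later line
    return session


def record_login_attempt(header_value, serialize):
    """Write the pre-auth record that the article says is created before the
    password is verified; in this model the password never verifies."""
    user, password = parse_basic_auth(header_value)
    fields = {
        "user": user,
        "method": "badpass",
        "hasroot": "0",
        "tfa_verified": "0",
        "pass_attempt": password,  # attacker-controlled text, written last
    }
    return load_session(serialize(fields))


def attacker_header():
    """Constructed payload: a password carrying the attributes listed above."""
    payload = CRLF.join([
        "x",
        "user=root",
        "hasroot=1",
        "tfa_verified=1",
        f"successful_internal_auth_with_timestamp={int(time.time())}",
    ])
    return basic_header("attacker", payload)


def login_rejected(header_value, serialize):
    """True when the serializer refuses to persist the attempt."""
    try:
        record_login_attempt(header_value, serialize)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hijacked = record_login_attempt(attacker_header(), serialize_vulnerable)
    print("vulnerable store:", {k: hijacked[k] for k in ("user", "hasroot", "tfa_verified")})
    print("hardened store rejects payload:", login_rejected(attacker_header(), serialize_hardened))
```

The point the model makes is that escaping the one field is only half of the fix: a reader that grants root because a text attribute says hasroot=1 will be fooled by any other path that writes unchecked text into the same file, so privilege markers should be set by the server after credential verification, not read back from attacker-influenced storage.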
Global Impact: 44,000 Servers and Counting
The scale of the devastation recorded by the Shadowserver Foundation highlights the vulnerability of concentrated hosting infrastructure. According to telemetry data from May 2, 2026, at least 44,000 unique IP addresses have been confirmed as compromised. These systems are no longer merely victims; they have been conscripted into a massive botnet that is actively scanning the internet for more vulnerable cPanel instances. This “worm-like” propagation has caused the infection rates to spike exponentially within a 48-hour window.
The geographical distribution of the CVE-2026-41940 exploit reflects the regions with the highest density of cloud and VPS (Virtual Private Server) providers:
- United States: 15,200 compromised servers (Highest density in DigitalOcean and AWS regions).
- France: 4,300 compromised servers (Concentrated largely in OVHcloud infrastructure).
- Germany: 4,200 compromised servers (Impacted providers include Hetzner and Contabo).
- United Kingdom: 2,300 compromised servers.
For hosting providers, the impact is catastrophic. A single compromised WHM account at the “root” or “reseller” level allows an attacker to access every individual cPanel account on that physical or virtual server. This means that a single successful exploit can lead to the theft of databases, exfiltration of emails, and the defacement of thousands of websites hosted on the same node.
The Rise of “Sorry” Ransomware and “Nuclear.x86”
The threat actors behind the CVE-2026-41940 exploit are not merely interested in data theft; they are executing a high-velocity monetization strategy. The primary payload being observed in the wild is the “Sorry” ransomware. Unlike legacy ransomware strains, “Sorry” is a sophisticated, Go-based Linux encryptor designed specifically to target the directory structures common in cPanel environments.
The “Sorry” ransomware group typically operates within a 36 to 48-hour window following the initial breach. Once they achieve root access via the authentication bypass, they deploy a script that identifies all public_html directories, MySQL/MariaDB databases, and .maildir folders. The encryptor then uses AES-256 to lock the files, appending the .sorry extension and leaving a ransom note in every directory. Because the attackers have root access, they often disable local backup services (like cpbackup) and delete existing snapshots before commencing encryption, leaving victims with few options for recovery.
Secondary Payloads: The Mirai “Nuclear” Variant
While the “Sorry” group focuses on extortion, other threat actors are using the CVE-2026-41940 exploit to fuel a new generation of Distributed Denial of Service (DDoS) botnets. Security researchers have identified the deployment of a Mirai-based bot dubbed “nuclear.x86”. This malware is being dropped onto compromised cPanel servers to turn high-bandwidth hosting environments into attack nodes. By leveraging the superior network speeds of enterprise-grade data centers, the “Nuclear” botnet has already been used to launch record-breaking DDoS attacks against financial institutions and government portals in Europe.
Emergency Remediation and Detection Strategies
Given the critical nature of this vulnerability, cPanel has urged all administrators to move beyond automatic updates and manually verify their protection status. The CVE-2026-41940 exploit targets all supported versions of cPanel & WHM released after version 11.40, including WP Squared and cPanel DNSOnly.
Required Patching Versions
Administrators must ensure their systems are running at least the following versions:
- 11.110.0.97 (Standard/Cloud)
- 11.118.0.63
- 11.136.0.5
- WP Squared: 136.1.7
To force an immediate update, administrators should run /usr/local/cpanel/scripts/upcp over SSH. After the update, restart the cPanel service daemon with /scripts/restartsrv_cpsrvd so that the patched binary is the one serving requests and any connection state held by the old process is dropped. Because the session records described above are written to /var/cpanel/sessions/raw/ on disk, a restart alone does not remove a record an attacker has already injected; those files need to be audited and cleared as part of the response (see the detection section below).
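A branch-aware check of the floors listed above, added here as an example rather than cPanel's own tooling. It maps an installed version to its release branch by the first two numbers (an assumption), compares the full numeric tuple against the floor for that branch, and reports "unknown" for a branch the list does not cover instead of guessing. The /usr/local/cpanel/version path and the "11.110.0 (build 97)" output form are assumptions about the host; only the digits are used, so either form works.

```python
import re

# Added example, not cPanel tooling. Version floors are the ones quoted above.
MIN_CPANEL = {
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 136): (11, 136, 0, 5),
}
MIN_WP_SQUARED = (136, 1, 7)


def parse_version(text):
    """Numeric components of a version string; accepts '11.110.0.96' as well as
    the '11.110.0 (build 96)' form, since only the digits are compared."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def patch_status(text, product="cpanel"):
    """'patched', 'vulnerable', or 'unknown' when the branch is not in the table."""
    v = parse_version(text)
    if len(v) < 3:
        return "unknown"
    if product == "wp-squared":
        floor = MIN_WP_SQUARED
    else:
        floor = MIN_CPANEL.get(v[:2])  # assumption: branch = first two numbers
        if floor is None:
            return "unknown"
    return "patched" if v >= floor else "vulnerable"


def installed_version(path="/usr/local/cpanel/version"):
    """Read the installed version on a cPanel host (assumption: this file holds
    the dotted version; `/usr/local/cpanel/cpanel -V` prints the same thing)."""
    with open(path) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    print(version, patch_status(version))
```

Run it with no argument on the host, or pass a version string to check a fleet inventory offline; an "unknown" result means the branch is not among the four the advisory summary lists and must be checked against the vendor advisory directly.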
How to Detect a Compromised System
Since the exploit leaves specific markers in the system logs, forensic teams should audit the /usr/local/cpanel/logs/access_log and /var/cpanel/sessions/raw/ directories. Indicators of Compromise (IoCs) include:
- Session Anomalies: Presence of session files containing both token_denied and cp_security_token simultaneously, specifically with a method=badpass origin.
- Malformed Cookies: Access logs showing whostmgrsession cookies that are unusually short or missing the trailing comma-delimited hexadecimal string.
- Injected Variables: Any session file in /var/cpanel/sessions/raw/ containing hasroot=1 or tfa_verified=1 for an IP address that has not successfully passed an authentication check.
- New Root Users: Unexpected entries in /etc/shadow or new SSH keys in /root/.ssh/authorized_keys, as attackers often establish persistence immediately after the bypass.
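The first three indicators above, run over constructed sample data as an added detection sketch (not cPanel tooling). The session files and access_log lines are made up for the example. Assumed formats: session files are line-delimited key=value text; the whostmgrsession cookie decodes to "<user>:<id>,<hex digest>" and a digest shorter than 32 hex characters counts as "unusually short"; access_log lines are Apache-style with the cookie appended as the last quoted field. On a real host the session dictionary would be built from the files in /var/cpanel/sessions/raw/ and the log lines from /usr/local/cpanel/logs/access_log.

```python
import re
from urllib.parse import unquote

# Constructed sample data (not real captures). Layouts are assumptions.
SESSIONS = {
    "ses_a1": "user=root\r\nmethod=badpass\r\ntoken_denied=1\r\ncp_security_token=cpsess1111\r\n"
              "hasroot=1\r\ntfa_verified=1\r\nip=203.0.113.7\r\n",
    "ses_b2": "user=root\r\nmethod=password\r\ncp_security_token=cpsess2222\r\n"
              "hasroot=1\r\ntfa_verified=1\r\nip=198.51.100.2\r\n",
    "ses_c3": "user=bob\r\nmethod=badpass\r\ntoken_denied=1\r\nip=203.0.113.9\r\n",
}

GOOD_HEX = "6bcb0f8e3ac4b6f7d1e2a3b4c5d6e7f80123456789abcdef"
ACCESS_LOG = [
    '203.0.113.7 - - [02/May/2026:03:14:07 +0000] "GET /json-api/listaccts HTTP/1.1" 200 5120 '
    '"-" "curl/8.6.0" "whostmgrsession=root%3aQcQEr3vH"',
    '198.51.100.2 - - [02/May/2026:08:00:01 +0000] "GET /scripts/command HTTP/1.1" 200 3313 '
    f'"-" "Mozilla/5.0" "whostmgrsession=root%3aQcQEr3vH%2c{GOOD_HEX}"',
    '203.0.113.7 - - [02/May/2026:03:14:09 +0000] "GET /scripts2/listaccts HTTP/1.1" 200 4096 '
    '"-" "curl/8.6.0" "whostmgrsession=root%3aQcQEr3vH%2cdeadbeef"',
]

PRIVILEGED = ("hasroot", "tfa_verified")
COOKIE_RE = re.compile(r"whostmgrsession=([^;\s\"]+)")
HEX_RE = re.compile(r"^[0-9a-f]{32,}$")  # 32 is an assumed lower bound


def load_session(text):
    """Parse one line-delimited key=value session file."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


def suspicious_sessions(sessions):
    """Return (file, ip, reason) for records matching the session indicators."""
    findings = []
    for name, text in sessions.items():
        s = load_session(text)
        privileged = any(s.get(flag) == "1" for flag in PRIVILEGED)
        failed_auth = s.get("method") == "badpass" or "token_denied" in s
        if "token_denied" in s and "cp_security_token" in s and s.get("method") == "badpass":
            findings.append((name, s.get("ip"), "token_denied with cp_security_token on badpass"))
        elif privileged and failed_auth:
            findings.append((name, s.get("ip"), "privileged flags without successful auth"))
    return findings


def malformed_cookie(raw_value):
    """True when the cookie lacks a trailing comma-delimited hex segment."""
    value = unquote(raw_value)
    _, comma, digest = value.rpartition(",")
    return not comma or HEX_RE.match(digest) is None


def malformed_cookie_clients(log_lines):
    """Client IPs that sent a stripped or truncated whostmgrsession cookie."""
    clients = []
    for line in log_lines:
        m = COOKIE_RE.search(line)
        if m and malformed_cookie(m.group(1)):
            clients.append(line.split()[0])
    return sorted(set(clients))


if __name__ == "__main__":
    for finding in suspicious_sessions(SESSIONS):
        print("session:", *finding)
    print("clients with malformed cookies:", malformed_cookie_clients(ACCESS_LOG))
```

A session that carries hasroot=1 after a method=badpass attempt is the strongest single signal, because no legitimate login path produces that combination; the cookie check is noisier on its own and is best used to pivot from a flagged session file to the client IP and the WHM calls it made.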
The Infrastructure Risk: A Lesson in Concentration
The CVE-2026-41940 exploit is more than just a software bug; it is a stark reminder of the “single point of failure” risk inherent in modern web hosting. With cPanel controlling over 90% of the commercial hosting control panel market, a single vulnerability in its session-handling logic effectively puts a large percentage of the global web at risk. This concentration of power creates a “target-rich environment” where threat actors can achieve massive scale with minimal effort.
As the “Sorry” ransomware group continues its rampage, the industry is calling for a more decentralized approach to hosting security. Organizations are being advised to implement out-of-band monitoring and immutable backup solutions that sit outside the control of the hosting panel. For now, the priority remains survival: patch immediately, rotate all administrative credentials, and assume that any unpatched server exposed to the internet between April 29 and May 2, 2026, has already been touched by the CVE-2026-41940 exploit.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


