
The cPanel Crisis: One Bug, Millions Exposed as Mirai and ‘Sorry’ Ransomware Deploy in 24 Hours


Researchers have uncovered active exploitation of a critical vulnerability in cPanel & WHM (CVE-2026-41940), a pre-authentication bypass that was weaponized within 24 hours of public disclosure. Multiple unrelated parties have leveraged it to deploy Mirai botnet variants and a ransomware strain known as “Sorry”; attribution to a specific threat actor has not been established.

This activity highlights a fast-moving exploitation landscape where publicly exposed hosting infrastructure is targeted immediately after disclosure, enabling attackers to gain unauthorized access, deploy malware, and monetize compromised systems through botnet operations and ransomware.


Background on Threat and Campaign

The campaign revolves around the rapid weaponization of a critical flaw in widely deployed hosting control panel software.

Attackers leveraged publicly available exploit code to scan for and compromise vulnerable cPanel & WHM instances exposed to the internet. Observations indicate a surge in scanning activity and exploitation attempts immediately following disclosure, demonstrating how quickly threat actors operationalize newly disclosed vulnerabilities.

Post-compromise activity includes deploying Mirai botnet variants to expand attacker-controlled infrastructure and launching ransomware attacks using the “Sorry” strain, indicating both propagation and monetization objectives.

The activity is not attributed to a single group, suggesting opportunistic exploitation by multiple actors leveraging the same vulnerability and PoC.


Vulnerability Details

CVE-2026-41940

  • Vulnerability: Authentication Bypass (Pre-Auth)
  • CVSS Score: 9.8 (Critical)
  • EPSS Score: 26.55 %
  • Affected Products: cPanel & WHM in the following version ranges (lower bound inclusive, upper bound exclusive)
    • >= 11.40.0.0 and < 11.86.0.41
    • >= 11.88.0.0 and < 11.110.0.97
    • >= 11.112.0.0 and < 11.118.0.63
    • >= 11.120.0.0 and < 11.124.0.35
    • >= 11.125.0.0 and < 11.126.0.54
    • >= 11.128.0.0 and < 11.130.0.19
    • >= 11.132.0.0 and < 11.132.0.29
    • >= 11.134.0.0 and < 11.134.0.20
    • >= 11.136.0.0 and < 11.136.0.5
  • Root Cause: Improper handling of crafted HTTP requests and session data allows an unauthenticated attacker to bypass the authentication checks
  • Exploitation: Actively exploited in the wild; public PoC code is available
  • Patch: Fixed in 11.86.0.41, 11.94.0.28, 11.102.0.39, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20 and 11.136.0.5, and in later releases of each of those branches
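A practical first check is whether an installed version actually falls inside one of the ranges above. The script below is an added example, not code from the advisory or from cPanel: it copies the affected ranges and fixed releases listed above, and assumes that a release is fixed once it reaches the fixed release of its own release branch (the second dotted component, e.g. 94 in 11.94.0.28), which is how the fixed releases 11.94.0.28 and 11.102.0.39 are reconciled with the coarse 11.88.0.0 to 11.110.0.97 range. The version-file path /usr/local/cpanel/version is likewise an assumption about where the installed version string lives.

```python
"""Check a cPanel & WHM version against the CVE-2026-41940 affected ranges.

Added example, not code from the advisory or from cPanel. Ranges and fixed
releases are copied from the advisory text; the per-branch reconciliation and
the version-file path are this example's assumptions.
"""
import os
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ("11.40.0.0", "11.86.0.41"),
    ("11.88.0.0", "11.110.0.97"),
    ("11.112.0.0", "11.118.0.63"),
    ("11.120.0.0", "11.124.0.35"),
    ("11.125.0.0", "11.126.0.54"),
    ("11.128.0.0", "11.130.0.19"),
    ("11.132.0.0", "11.132.0.29"),
    ("11.134.0.0", "11.134.0.20"),
    ("11.136.0.0", "11.136.0.5"),
]

# Fixed releases from the advisory ("... and higher").
FIXED_RELEASES = [
    "11.86.0.41", "11.94.0.28", "11.102.0.39", "11.110.0.97", "11.118.0.63",
    "11.124.0.35", "11.126.0.54", "11.130.0.19", "11.132.0.29", "11.134.0.20",
    "11.136.0.5",
]

# Assumed location of the installed version string on a cPanel & WHM host.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text: str) -> Version:
    """Turn '11.136.0.5' into (11, 136, 0, 5); reject anything malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a cPanel & WHM version: {text!r}")
    return tuple(int(p) for p in parts)


def branch_fix(v: Version) -> Optional[Version]:
    """Fixed release for v's branch (second component), or None when the
    advisory names no fix for that branch."""
    for text in FIXED_RELEASES:
        fixed = parse_version(text)
        if fixed[1] == v[1]:
            return fixed
    return None


def is_vulnerable(text: str) -> bool:
    """True if the version sits in an affected range and has not reached the
    fixed release of its own branch (assumption, see module docstring)."""
    v = parse_version(text)
    in_range = any(parse_version(lo) <= v < parse_version(hi)
                   for lo, hi in AFFECTED_RANGES)
    if not in_range:
        return False
    fixed = branch_fix(v)
    # A branch fix inside a coarse range (11.94.0.28 inside 11.88 - 11.110)
    # takes precedence over the range itself.
    return fixed is None or v < fixed


def assess(text: str) -> str:
    """Human-readable verdict with the upgrade target for the branch."""
    if not is_vulnerable(text):
        return f"{text}: not in an affected range (or already at a fixed release)"
    fixed = branch_fix(parse_version(text))
    target = ".".join(map(str, fixed)) if fixed else "the latest fixed release"
    return f"{text}: VULNERABLE to CVE-2026-41940, upgrade to {target} or higher"


def check_host(path: str = VERSION_FILE) -> str:
    """Read the installed version from disk and assess it."""
    if not os.path.exists(path):
        return f"{path} not found; is this a cPanel & WHM host?"
    with open(path, encoding="utf-8") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    for sample in ("11.136.0.4", "11.136.0.5", "11.94.0.27", "11.94.0.30", "11.100.0.1"):
        print(assess(sample))
    print(check_host())
```

Run it on the host itself, or feed `assess()` the version strings collected from a fleet inventory; a version that is inside a range but has no fixed release named for its branch (for example 11.100.x) is reported as vulnerable with a generic upgrade target, since the advisory names no fix for that branch.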

Tactics and Techniques

TA0001 Initial Access: Exploiting public-facing applications via T1190 (Exploit Public-Facing Application).

TA0003 Persistence: Establishing persistent access using techniques like T1505 (Server Software Component) with T1505.003 (Web Shell).

TA0007 Discovery: Performing system and network discovery to understand the environment.

TA0008 Lateral Movement: Moving laterally within the network using T1021.002 (Remote Services: SMB/Windows Admin Shares). Since cPanel & WHM runs only on Linux, this sub-technique applies to Windows hosts reachable from the compromised server rather than to the server itself.

TA0011 Command and Control: Using T1071.001 (Application Layer Protocol: Web Protocols) for command and control.

TA0010 Exfiltration: Exfiltrating data over the C2 channel using T1041 (Exfiltration Over C2 Channel).


Visual Attack Flow

[Attacker Scans Internet for Exposed cPanel Instances]
-> [Crafted HTTP Request Exploits CVE-2026-41940]
-> [Authentication Bypass Achieved]
-> [Unauthorized Access to WHM/cPanel]
-> [Payload Deployment]
-> [Mirai Botnet Infection OR “Sorry” Ransomware Execution]
-> [Compromised Server Used for Botnet Operations or Ransomware Impact]


Indicators of Compromise (IOCs)

Network Indicators

  • 95.111.250[.]175
  • delicate-dew.serveftp[.]com:4455

Malware / Impact Indicators

  • Mirai botnet variants deployed post-compromise
  • “Sorry” ransomware activity
  • Files encrypted with .sorry extension

Mitigation & Recommendations

Apply Security Updates Immediately:
Update cPanel & WHM installations to the latest patched versions to mitigate the vulnerability.

Restrict Access to Management Interfaces:
Limit exposure of cPanel & WHM services (by default TCP 2082/2083 for cPanel, 2086/2087 for WHM and 2095/2096 for webmail) to trusted IP ranges, or place them behind a VPN.

Monitor for Exploitation Attempts:
Inspect web server and cPanel access logs for suspicious or malformed HTTP requests, and for sessions that reach authenticated WHM/cPanel functionality without a corresponding successful login.

Detect Malware Activity:
Monitor for Mirai-related traffic, including connections to the network indicators listed above, and for ransomware indicators such as files renamed with the .sorry extension.
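The three monitoring recommendations above (restricting management interfaces, watching for the network indicators, and watching for the ransomware's file extension) can be turned into a single sweep. The script below is an added example, not part of the original post or of any vendor tool. The indicators are the advisory's own, refanged (95.111.250.175, delicate-dew.serveftp.com on port 4455, the .sorry extension); the key=value connection-log format, the sample lines, the sample paths and the trusted network 198.51.100.0/24 are constructed for illustration and are not real telemetry.

```python
"""Sweep connection-log lines and file paths for the advisory's indicators.

Added example, not from the original post. IOCs are the advisory's (refanged);
the log format, sample lines, sample paths and trusted network are constructed.
"""
import ipaddress
import os
import re
from typing import Iterable, List, Tuple

IOC_IPS = {"95.111.250.175"}
IOC_HOSTS = {"delicate-dew.serveftp.com"}
IOC_PORTS = {4455}
RANSOM_EXTENSION = ".sorry"

# Default cPanel & WHM service ports: 2082/2083 cPanel, 2086/2087 WHM,
# 2095/2096 webmail. A hit from outside the trusted ranges is worth a look.
MANAGEMENT_PORTS = {2082, 2083, 2086, 2087, 2095, 2096}

# Constructed sample data (not real telemetry).
SAMPLE_LINES = [
    "2026-05-02T10:01:07Z src=198.51.100.20 dst=203.0.113.5 dport=2087 act=accept",
    "2026-05-02T10:01:09Z src=192.0.2.77 dst=203.0.113.5 dport=2087 act=accept",
    "2026-05-02T10:01:31Z src=203.0.113.5 dst=95.111.250.175 dport=80 act=accept",
    "2026-05-02T10:02:02Z src=203.0.113.5 dst=delicate-dew.serveftp.com dport=4455 act=accept",
    "2026-05-02T10:02:40Z src=203.0.113.5 dst=192.0.2.200 dport=443 act=accept",
]
SAMPLE_PATHS = [
    "/home/acme/public_html/index.php.sorry",
    "/home/acme/public_html/index.php",
    "/home/acme/mail/inbox.SORRY",
]
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
Finding = Tuple[int, str]


def parse_line(line: str) -> dict:
    """Split 'key=value' tokens into a dict; lines without fields give {}."""
    return dict(FIELD_RE.findall(line))


def is_trusted(addr: str, trusted) -> bool:
    """Only an address inside a trusted network counts; hostnames and
    garbage never do."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def sweep_log(lines: Iterable[str], trusted) -> List[Finding]:
    """Return (line number, reason) for every line that touches an IOC or
    reaches a management port from an untrusted source."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        src, dst = f.get("src", ""), f.get("dst", "")
        dport = int(f["dport"]) if f.get("dport", "").isdigit() else -1
        ioc_hit = False
        for addr in (src, dst):
            if addr in IOC_IPS or addr.lower() in IOC_HOSTS:
                findings.append((n, f"traffic with IOC endpoint {addr}"))
                ioc_hit = True
        if dport in IOC_PORTS and not ioc_hit:
            # Lower confidence: the IOC port without the IOC host.
            findings.append((n, f"connection to IOC port {dport} ({dst})"))
        if dport in MANAGEMENT_PORTS and not is_trusted(src, trusted):
            findings.append((n, f"management port {dport} reached from untrusted {src}"))
    return findings


def encrypted_files(paths: Iterable[str]) -> List[str]:
    """Paths carrying the ransomware's extension, matched case-insensitively."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXTENSION)]


def walk_for_encrypted(root: str) -> List[str]:
    """Same check against a live filesystem tree (not used by the sample run)."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(encrypted_files(os.path.join(dirpath, f) for f in files))
    return hits


if __name__ == "__main__":
    for line_no, why in sweep_log(SAMPLE_LINES, TRUSTED_NETS):
        print(f"line {line_no}: {why}")
    for path in encrypted_files(SAMPLE_PATHS):
        print(f"encrypted: {path}")
```

Against the constructed sample, the sweep flags the untrusted source reaching WHM on 2087, the connection to the IOC address, and the connection to the IOC hostname on 4455, while the trusted administrator on line 1 and the ordinary HTTPS connection on line 5 pass. Point `walk_for_encrypted()` at the home directories (for example /home) to look for .sorry files on a live host.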


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.