Cyber: Latest: Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks

A newly disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks.

This week, an emergency update for WHM and cPanel was released to fix a critical authentication bypass flaw that allows attackers to access control panels. WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases.

Soon after the update's release, it was reported that the flaw was being actively exploited in the wild as a zero-day, with exploitation attempts dating back to late February. Internet security watchdog Shadowserver now reports that at least 44,000 IP addresses running cPanel have since been compromised in ongoing attacks.

Numerous sources told BleepingComputer that hackers have been exploiting the cPanel flaw since Thursday to breach servers and deploy a Go-based Linux encryptor for the "Sorry" ransomware [VirusTotal]. There have been numerous reports of websites impacted by the attacks, including on the BleepingComputer forums, where a victim shared samples of the encrypted files and the contents of the ransom note. Since then, widespread exploitation and ransomware attacks have been spotted, with hundreds of compromised sites already indexed in Google.

Source: BleepingComputer