Sorry Ransomware Sweeps cPanel Hosts: 7,135 Servers Encrypted, Censys Says cPanel Is 80% of New Malicious IPs Today

Introduction

The fallout from cPanel's CVE-2026-41940 authentication bypass has metastasised from "lots of scanning" into one of the largest hosting-tier ransomware events of the year. Telemetry from Shadowserver and Censys puts the count of compromised cPanel hosts at roughly 44,000 at peak, with at least 7,135 confirmed to be carrying the Go-based Sorry ransomware that appends a .sorry extension to encrypted files. Censys's most recent snapshot — captured today, May 10 — flags cPanel infrastructure as 80% of 19,000 newly-detected malicious hosts on its scan, against a normal-day baseline of roughly 100. Mirai botnet variants and the AdaptixC2 post-exploitation framework are also being dropped on the same boxes.

What Happened

CVE-2026-41940 — patched by cPanel on April 28 — let any unauthenticated attacker present a malformed whostmgrsession cookie and reach WHM as an administrator. KnownHost's data shows real exploitation traffic going back to February 23, so the bug was in the wild as a zero-day for about 64 days before the fix landed. Public proof-of-concept code went live on May 2, and ransomware deployment began within 24 hours of that release.

Three distinct payload families are riding on the same intrusion vector. First and most disruptive is Sorry: a Go-built Linux encryptor that walks /home, /var, and webroots, encrypting customer data and renaming files with a .sorry suffix. Daily Security Review and JustAppSec both confirm 7,135 servers with active Sorry deployments at last count, against a backdrop of roughly 70 million websites hosted on the broader compromised-IP pool. Second, attackers are dropping Mirai variants to enlist the boxes into DDoS-for-hire infrastructure even where they did not encrypt — a hosting-tier server with thousands of customer FQDNs is high-quality bandwidth. Third, AdaptixC2 (the same open-source framework Tropic Trooper was using last month) is being installed for persistent C2 access on the higher-value targets.

Shadowserver's compromised-IP count peaked at 44,000 on April 30, then fell to about 3,540 by May 3 as patching rolled. The fact that Censys is now seeing 19,000 newly-malicious hosts in a single day with cPanel responsible for 80% of them tells you the unpatched tail is not just "still vulnerable" — it has now been operationalised as a delivery network. cPanel released a second emergency patch round on May 8 covering CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 (privilege escalation, code execution, and DoS in WHM adminbin handlers respectively); those are unrelated to the auth-bypass story but are good evidence that the cPanel codebase is currently under heavy hostile attention.

Why It Matters

A single compromised cPanel server carries hundreds to thousands of independent customer accounts — websites, mailboxes, MySQL databases, customer FTP credentials. The Sorry ransomware does not need to discriminate. When it walks the host, it encrypts every customer's data on a single shared physical box, which converts one box's missing patch into a multi-tenant outage that the customers themselves cannot fix. The hosting provider gets the support load; the customers' businesses get the downtime; the attacker only had to win once.

The Censys reading — cPanel as 80% of new malicious hosts in a day — is also a stark statement about how fast a patched bug becomes a mass-exploitation tool when the code is shared infrastructure. Anyone running cPanel anywhere on the internet whose update tier is currently stuck (CloudLinux 6 hosts have a different package path; older builds need manual upcp runs) is, at this moment, a higher-probability ransomware target than at any point in the last twelve months.

Who Is Affected

  • All cPanel and WHM hosts that have not yet installed the April 28 fix for CVE-2026-41940 — and now also the May 8 fixes for CVE-2026-29201 / 29202 / 29203.
  • Hosting providers and MSPs that pack many customer accounts onto each cPanel box — one compromised host is, by construction, a multi-tenant ransomware event.
  • Customers whose websites, mailboxes, MySQL databases, and home directories live under a /home/<user>/ path on a still-vulnerable cPanel server, regardless of whether they themselves are aware of the vulnerability.
  • Indirectly, any organisation whose web presence depends on a small hosting partner — even if your own cloud and SaaS stack is patched, your supplier's marketing site living on a friend-of-a-friend cPanel box is now a credible incident vector.

How to Protect Yourself

The first job is to confirm patches are actually installed and running, not just downloaded. cPanel's update tiers can leave a "fixed" build sitting un-applied if the staged-release schedule is set conservatively:

# confirm the running build and the update tier it came from
# (the tier is set in /etc/cpupdate.conf, not in cpanel.config)
/usr/local/cpanel/cpanel -V
grep -E '^(CPANEL|UPDATES)=' /etc/cpupdate.conf

# force the upgrade now, ignoring the staged schedule
/scripts/upcp --force

# re-check the build: it must be at or above the version cPanel's advisory lists as fixed
# for your tier for CVE-2026-41940, and likewise for the May 8 CVE-2026-29201/29202/29203 fixes;
# a tier that no longer receives updates will report an old version here however often upcp runs
/usr/local/cpanel/cpanel -V

Hunt for Sorry, Mirai, and AdaptixC2 before you assume the patch is enough. The Sorry encryptor is loud: .sorry files appearing under /home are the canonical IoC:

# files newly suffixed .sorry, newest first, with the owning account
find /home -type f -name '*.sorry' -printf '%TY-%Tm-%Td %u %p\n' 2>/dev/null | sort -r | head -50

# ransom notes commonly land as README, READ_ME, or HOW-TO-DECRYPT; README* hits in
# customer webroots are often legitimate, so weigh them against the .sorry count
find / -xdev -type f \( -iname 'README*.txt' -o -iname 'READ_ME*' -o -iname 'HOW-TO-DECRYPT*' -o -iname 'README*.html' \) -mtime -30 2>/dev/null

# Mirai-style processes typically run from /tmp, /var/tmp or /dev/shm under random names;
# match on the executable path (first argument), not on the last argument of the command line
ps -eo pid,user,etimes,args | awk 'NR==1 || $4 ~ /^\/(tmp|var\/tmp|dev\/shm)\//'
ls -l /proc/[0-9]*/exe 2>/dev/null | grep '(deleted)'   # droppers often unlink their binary once running
find /tmp /var/tmp /dev/shm -xdev -type f -size +50k -printf '%M %s %TY-%Tm-%Td %p\n' 2>/dev/null

# AdaptixC2 beacons commonly resolve to GitHub Issues or short-lived CDN domains; ss -n prints
# numeric peers, so list outbound sessions by owning process first, then reverse-resolve the odd ones
ss -Htnp state established | awk '{print $4, $5}' | grep -vE 'sshd|nginx|httpd|cpsrvd|dovecot|exim|mysqld|mariadbd' | sort | uniq -c | sort -rn
for ip in $(ss -Htn state established | awk '{sub(/:[0-9]+$/, "", $4); print $4}' | sort -u); do getent hosts "$ip"; done
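
The find one-liners above tell you that a box is hit; what a hosting provider needs next is the blast radius per tenant, because each /home/<account>/ directory is a separate customer who will need a restore from clean backup. The following is an added example, not part of the article and not cPanel's or the ransomware authors' code. It assumes cPanel's /home/<account>/ layout and the .sorry suffix (both from the article); the ransom-note names are the "common" ones the article lists and are treated as a weak signal only; the demo tree is constructed in a temporary directory.

```python
"""Scope a Sorry hit per customer account before you restore anything.

Added example, not from the article, cPanel or the ransomware authors.  It
assumes cPanel's /home/<account>/ layout and the .sorry suffix (both from the
article); the ransom-note names are the "common" ones the article lists, not a
fixed IoC; the demo tree is constructed in a temporary directory.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".sorry"
# Weak signal on its own: plenty of legitimate webroots ship a README.
NOTE_PREFIXES = ("readme", "read_me", "how-to-decrypt")


def is_ransom_note(filename):
    return filename.lower().startswith(NOTE_PREFIXES)


def sweep_tenants(home_root):
    """Walk home_root (cPanel's /home) and classify every account directory.

    Returns {account: {"encrypted", "untouched", "notes", "status"}} where
    status is "hit" (encrypted files present), "suspect" (note-like names only)
    or "clean".  Notes never make an account "hit" by themselves.
    """
    report = {}
    for account in sorted(p for p in Path(home_root).iterdir() if p.is_dir()):
        encrypted = untouched = notes = 0
        for _dirpath, _dirs, files in os.walk(account):
            for name in files:
                if name.endswith(ENCRYPTED_SUFFIX):
                    encrypted += 1
                elif is_ransom_note(name):
                    notes += 1
                else:
                    untouched += 1
        status = "hit" if encrypted else ("suspect" if notes else "clean")
        report[account.name] = {"encrypted": encrypted, "untouched": untouched,
                                "notes": notes, "status": status}
    return report


def hit_accounts(report):
    """Accounts with encrypted data: these need a restore from clean backup."""
    return sorted(a for a, r in report.items() if r["status"] == "hit")


def build_demo_home():
    """Constructed fixture (not real data): four tenants on one box."""
    base = Path(tempfile.mkdtemp(prefix="cpanel-home-"))
    layout = {
        "shop1": ["public_html/index.php.sorry", "public_html/wp-config.php.sorry",
                  "README_TO_RESTORE.txt"],
        "blog2": ["public_html/index.html", "mail/.imap/INBOX/cur/1.eml"],
        "crm3": ["public_html/app/db.sqlite.sorry", "HOW-TO-DECRYPT.html",
                 "public_html/robots.txt"],
        "docs4": ["public_html/README.md", "public_html/index.html"],   # legit README only
    }
    for account, rel_paths in layout.items():
        for rel in rel_paths:
            path = base / account / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"x")
    return base


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_home()
    result = sweep_tenants(root)
    for account, r in result.items():
        print(f"{account:12} {r['status']:8} encrypted={r['encrypted']} "
              f"untouched={r['untouched']} notes={r['notes']}")
    print("restore from clean backup:", ", ".join(hit_accounts(result)))
```

Run it as `python3 sweep.py /home` on the suspect box (from a live-response shell, after imaging); with no argument it reports on the constructed fixture, where docs4 comes back "suspect" rather than "hit" because a README.md alone is not evidence of encryption.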

Look for the auth-bypass forensic trail in cpsrvd access logs. The PoC strips a segment from whostmgrsession, so requests with truncated session strings are the highest-confidence signal:

zgrep -hE 'whostmgrsession=[^.;]+;' /usr/local/cpanel/logs/access_log* \
  | awk '{print $1, $4, $7}' | sort | uniq -c | sort -rn | head -50

# successful WHM logins from outside your admin ranges since Feb 23; login_log lines look like
# [2026-03-02 02:14:07 +0000] info [whostmgrd] 198.51.100.77 - root "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
# so the source IP is field 6 and the user field 8; widen the excluded ranges to match your VLAN
awk '/SUCCESS LOGIN whostmgrd/ && substr($1,2) >= "2026-02-23" && $6 !~ /^(10\.|192\.168\.)/ {print substr($1,2), $6, $8}' \
  /usr/local/cpanel/logs/login_log

# unexpected new resellers, recently created accounts, and extra wheel members
cat /var/cpanel/resellers
ls -lt /var/cpanel/users | head -20
whmapi1 listaccts
getent group wheel
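
The login_log check above is the one you will want to run across a whole fleet, with real CIDR matching rather than a string prefix, so that 10.x/192.168.x exclusions do not also hide 100.64.x or whatever your VPN hands out. The script below is an added example, not cPanel's tooling and not from the article. The login_log line layout it parses, the constructed SAMPLE_LOG lines and the ADMIN_NETS ranges are assumptions; the Feb 23 start of exploitation and the whostmgrd (WHM) daemon name are from the article.

```python
"""Flag WHM admin logins that your admin ranges do not explain.

Added example, not cPanel's tooling and not from the article.  Assumptions
(not stated on the page): the login_log line layout shown in LINE_RE, the
constructed SAMPLE_LOG lines, and the ADMIN_NETS ranges.  The Feb 23 start
of exploitation and the whostmgrd (WHM) daemon name come from the article.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import date

EXPLOIT_WINDOW_START = date(2026, 2, 23)   # earliest known exploitation (article)

# Assumption: replace with the VPN / admin-VLAN ranges WHM should be reached from.
ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed /usr/local/cpanel/logs/login_log layout, e.g.
# [2026-03-02 02:14:07 +0000] info [whostmgrd] 198.51.100.77 - root "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
LINE_RE = re.compile(
    r'^\[(?P<date>\d{4}-\d{2}-\d{2}) [^\]]*\] \w+ \[(?P<daemon>\w+)\] '
    r'(?P<ip>\S+) - (?P<user>\S+) "[^"]*" (?P<result>SUCCESS|FAILED) LOGIN'
)


def parse_line(line):
    """One login_log line -> dict, or None for lines in another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["date"] = date.fromisoformat(ev["date"])
    return ev


def is_admin_source(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage in the IP field: never trust it
        return False
    return any(addr in net for net in ADMIN_NETS)


def suspicious_whm_logins(lines):
    """Successful WHM (whostmgrd) logins from outside ADMIN_NETS on or after
    EXPLOIT_WINDOW_START, aggregated per source IP.  cpaneld/webmaild logins
    are a different hunt, and FAILED attempts belong to brute-force triage,
    so both are ignored here."""
    hits = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["daemon"] != "whostmgrd" or ev["result"] != "SUCCESS":
            continue
        if ev["date"] < EXPLOIT_WINDOW_START or is_admin_source(ev["ip"]):
            continue
        h = hits[ev["ip"]]
        h["count"] += 1
        h["users"].add(ev["user"])
        h["first"] = ev["date"] if h["first"] is None else min(h["first"], ev["date"])
        h["last"] = ev["date"] if h["last"] is None else max(h["last"], ev["date"])
    return dict(hits)


# Constructed sample (not a real log): one pre-window login, one from the admin
# range, two from a single external IP, a cpaneld login, a failure, a reseller.
SAMPLE_LOG = """\
[2026-02-20 08:01:02 +0000] info [whostmgrd] 203.0.113.9 - root "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
[2026-02-24 11:30:45 +0000] info [whostmgrd] 10.20.0.5 - root "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
[2026-03-02 02:14:07 +0000] info [whostmgrd] 198.51.100.77 - root "GET /login/?login_only=1 HTTP/1.1" SUCCESS LOGIN whostmgrd
[2026-03-02 02:15:11 +0000] info [whostmgrd] 198.51.100.77 - root "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
[2026-03-03 09:00:00 +0000] info [cpaneld] 198.51.100.77 - shopuser "POST /login/ HTTP/1.1" SUCCESS LOGIN cpaneld
[2026-05-03 17:45:19 +0000] info [whostmgrd] 198.51.100.23 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: bad password
[2026-05-03 17:45:20 +0000] info [whostmgrd] 198.51.100.23 - reseller1 "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
"""


if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for ip, h in sorted(suspicious_whm_logins(source).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} {h['count']:4d} WHM logins {h['first']}..{h['last']} "
              f"users={','.join(sorted(h['users']))}")
```

Run it as `python3 whm_hunt.py < /usr/local/cpanel/logs/login_log` (rotated copies included, after zcat); with no stdin it reports on the constructed sample, where 203.0.113.9 drops out for being before the window, 10.20.0.5 for being an admin range, and 198.51.100.77 surfaces with two WHM successes. Any IP it prints that you cannot tie to an administrator is a box to image, not to patch.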

If anything on the hunt list lights up, do not just clean and patch. The right move is to treat the box as totalled: image disk and memory, copy legitimate customer data off to known-clean restoration targets, then reimage from the OS up. Ransomware crews that drop AdaptixC2 alongside the encryptor are not looking for one-shot extortion; they are leaving themselves a way back in.

For hosting providers in particular, this is the moment to make sure you are reading the daily Shadowserver Compromised-cPanel feed and a Censys scan of your own ASN. Both are free, both will tell you about a problem before customer support does:

# Shadowserver — register your ASN/IP ranges at
#   https://www.shadowserver.org/what-we-do/network-reporting/
# the relevant feeds for this campaign:
#   - device-cpanel
#   - honeypot-http-scan  (catches the Sorry / Mirai droppers in pre-attack reconnaissance)

# Censys — hostname/asn search for your space, filtered to recent malicious flag
# https://search.censys.io/search?resource=hosts&q=autonomous_system.asn%3A%3CYOUR_ASN%3E+and+labels%3A%22malicious%22

If you operate cPanel servers that are not deliberately public-facing for customer login, put them behind a VPN or admin-VLAN ACL today. The internet does not need to be able to reach :2087 on every one of your hosts, and the difference between "exposed" and "not exposed" is currently the difference between "in the 19,000 newly-malicious hosts Censys saw today" and "not in that list."
