RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: whm (3 articles)Clear
vulnerability
CVE-2026-29201CVE-2026-29202CVE-2026-29203
2026-05-09

cPanel patches three new flaws including two that let authenticated users run arbitrary Perl code on the server - on top of the active 'Sorry' ransomware wave still hitting unpatched systems

cPanel released patches Friday for three new vulnerabilities. The two worst (CVE-2026-29202 and CVE-2026-29203, both CVSS 8.8) let authenticated users execute arbitrary Perl code through the create_user API or escalate privileges via unsafe symlink chmod. The third (CVE-2026-29201, CVSS 4.3) lets authenticated users read arbitrary files. No exploitation observed yet. The disclosure lands while attackers are still mass-exploiting CVE-2026-41940 to deploy 'Sorry' ransomware against cPanel hosts, including a wave targeting government agencies and MSPs (covered May 5). Hosting providers face a compounding patch burden.

cpanelwhmauthenticated-rceperl-code-executionsymlinkprivilege-escalationsorry-ransomware-contextcompounding-patchescvss-8-8
Check
Inventory cPanel and WHM versions. Check whether any servers are still on builds before the May 9 release. Search authentication logs for use of the create_user API or feature::LOADFEATUREFILE adminbin call by accounts that don't normally use them.
Affected
cPanel and WHM versions before 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116/117, 11.102.0.41, 11.94.0.30, 11.86.0.43. Legacy CentOS 6 and CloudLinux 6 customers must patch to 110.0.114. The CVSS 8.8 flaws require authentication, so internet-facing cPanel servers with weak password policies face acute risk.
Fix
Patch cPanel to a fixed version per the May 9 advisory. Apply the new patches alongside the existing CVE-2026-41940 (Sorry ransomware) fix. Tighten cPanel user account password policies and enforce 2FA for any account with API access. Restrict cPanel ports (2082-2087, 2095-2096) to trusted IPs to limit pre-auth attack surface.
threat
CVE-2026-41940
2026-05-02

Hackers are mass-encrypting websites by exploiting last week's cPanel flaw - 44,000 servers compromised so far in 'Sorry' ransomware attacks

Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.

cpanelwhmsorry-ransomwaremass-exploitationfollow-upshadowserver44k-compromisedgo-encryptorchacha20
Check
If you run any cPanel or WHM server and have not yet patched, treat the server as already compromised - patch immediately, then start incident response rather than just resuming operations.
Affected
All cPanel and WHM versions before the April 28 emergency patch. ~1.5 million internet-exposed cPanel instances per Shodan, with 44,000 confirmed compromised. Hosting providers, web agencies, e-commerce sites on shared hosting, and any small business website on cPanel are in scope. Anyone whose cPanel was internet-reachable between February 23 and April 28 should assume compromise even if they patched promptly.
Fix
Patch cPanel to a fixed version. After patching, hunt for indicators of compromise (Sorry's '.sorry' file extension, unfamiliar admin sessions, cron entries pointing to /tmp/, modified /var/cpanel/sessions/raw/ files). Restore from clean backups predating February 23 if possible. Block cPanel ports (2082-2087, 2095-2096) at the firewall to non-trusted IPs. Rotate every credential the cPanel host had access to.
vulnerability
CVE-2026-41940
2026-04-28

All cPanel and WHM versions had a critical authentication bypass that attackers may have been exploiting since February - emergency patches now released (CVE-2026-41940)

cPanel disclosed a critical authentication bypass on Monday affecting every cPanel and WHM version - including end-of-life builds. CVSS 9.8. The bug let unauthenticated attackers log in as administrators by abusing how the cPanel session daemon writes session files during login. Hosting providers including Namecheap, KnownHost, hosting.com, HostPapa, and InMotion took cPanel and WHM offline globally for hours while patches deployed. Researchers at watchTowr published a working proof-of-concept on April 29. KnownHost reports possible targeted exploitation as early as February 23, 2026 - more than two months before disclosure.

cpanelwhmauthentication-bypasscrlf-injectionwatchtowractively-exploitedemergency-patchwebhostnamecheap
Check
If you run any cPanel or WHM server, confirm it's patched to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 today.
Affected
All cPanel and WHM versions before the April 28 emergency patch, plus end-of-life versions. CVE-2026-41940, CVSS 9.8. Successful exploitation grants root-equivalent access on the server, exposing every hosted website, database, email account, and customer data. KnownHost reports possible exploitation since February 23, 2026.
Fix
Run '/scripts/upcp --force' to pull the latest patched cPanel build immediately. Audit authentication logs for unusual successful logins between February 23 and April 28 - any login from an unfamiliar IP during that window may indicate prior compromise. Block cPanel ports (2082-2087, 2095-2096, 2077-2078) at the firewall to non-trusted IP ranges.