What Happened
CVE-2026-41940, a critical authentication bypass in cPanel and WebHost Manager (WHM) with a CVSS score of 9.8, has moved well beyond opportunistic exploitation. As of May 4, 2026, at least two distinct threat actor groups are actively weaponizing the flaw.
The first campaign is ransomware-focused. Attackers exploit the CRLF injection vulnerability in cPanel’s login and session loading process to insert arbitrary session properties — including user=root — giving unauthenticated attackers full administrative control. Once inside, they deploy a Go-based Linux encryptor that appends the .sorry extension to files and drops a ransom note directing victims to a Tox chat handle. Internet scanner Censys has identified 8,859 hosts exposing open directories with filenames ending in .sorry, and Shadowserver now reports at least 44,000 compromised IP addresses running cPanel or WHM. The vulnerability was exploited as a zero-day for more than two months before a patch was released on April 29, 2026.
The second campaign, documented by Ctrl-Alt-Intel on May 2, 2026, is espionage-oriented. Researchers identified attacker staging infrastructure actively used against government and military entities in Southeast Asia, alongside a distinct cluster of managed service providers and hosting providers in Canada, the Philippines, Laos, South Africa, and the United States. This campaign does not deploy ransomware — it focuses on persistent access and data collection.
Why This Matters for Canadian Organizations
Canada is explicitly named as a target in the Ctrl-Alt-Intel espionage campaign. Canadian MSPs and web hosting providers running cPanel represent an attractive target: compromising one MSP gives attackers access to the infrastructure of every downstream client. This mirrors the attack pattern seen in earlier campaigns against Canadian hosting infrastructure and multiplies the downstream blast radius significantly.
cPanel is the dominant web hosting control panel in Canada’s shared hosting market. Municipal websites, university portals, small business e-commerce platforms, and community organizations frequently rely on cPanel-based hosting. A successful authentication bypass on a hosting provider’s WHM gives an attacker root-level access to every hosted account — including stored credentials, databases, and email archives subject to PIPEDA obligations.
For Canadian organizations with data hosted on cPanel-based infrastructure operated by a third party, PIPEDA’s accountability principle requires organizations to confirm their service providers have applied this patch. If a hosting provider cannot confirm remediation, you face material breach notification risk if customer data is subsequently exfiltrated.
What to Do
If you run cPanel or WHM, update immediately to the patched version. Patches are available for all supported cPanel branches as of April 29, 2026. Review WHM session logs for anomalous root session creation events, particularly originating from unexpected IP addresses. Check for the presence of .sorry extension files across hosted accounts. If you are a customer of a shared hosting provider, contact your provider to confirm patch status.
Canadian MSPs should audit their own cPanel infrastructure and extend that audit to any downstream clients running cPanel-based hosting. If you suspect compromise, assume full root-level access was obtained and treat the recovery as a full server rebuild.
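As an added illustration of the log review and file check described above (example code written for this post, not from cPanel or the cited reports), the script below counts .sorry files per hosted account directory and flags login requests whose request target carries a percent-encoded CR or LF, which is the kind of request a CRLF injection into the login flow would produce. The Apache-style combined log format, the /login path prefix, and all sample files and log lines are assumptions or constructed data.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Apache-style combined access-log line (assumption: the panel logs this way).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
# Percent-encoded CR or LF in the request target: a CRLF injection into the
# login flow must smuggle a line break, and normal logins never encode one.
CRLF_RE = re.compile(r'%0[dDaA]')

def find_sorry_files(root):
    """Count '.sorry' files per top-level account dir under root (/home on a real host)."""
    root = Path(root)
    hits = Counter()
    for p in root.rglob('*.sorry'):
        if p.is_file():
            rel = p.relative_to(root)
            hits[rel.parts[0] if len(rel.parts) > 1 else '(root)'] += 1
    return dict(hits)

def suspicious_login_requests(lines):
    """(ip, path) of login requests carrying an encoded CR/LF; cross-check these
    IPs against WHM root-session events. The '/login' prefix is an assumption."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group('path').startswith('/login') and CRLF_RE.search(m.group('path')):
            found.append((m.group('ip'), m.group('path')))
    return found

def build_sample_tree():
    """Constructed sample /home: two accounts with encrypted files, one clean account."""
    root = tempfile.mkdtemp()
    for rel in ['alice/public_html/index.php.sorry', 'alice/mail/inbox.sorry',
                'bob/public_html/index.php', 'carol/backup/db.sql.sorry']:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text('x')
    return root

# Constructed log lines: one ordinary login, one carrying an encoded line break.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/May/2026:10:00:01 +0000] "POST /login/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [04/May/2026:10:00:02 +0000] "GET /login/?user=x%0d%0ay HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    print(find_sorry_files(build_sample_tree()))  # {'alice': 2, 'carol': 1}
    print(suspicious_login_requests(SAMPLE_LOG))   # [('203.0.113.9', '/login/?user=x%0d%0ay')]
```

On a real host, point find_sorry_files at /home and feed suspicious_login_requests the web service access log; any account with hits or any flagged source IP should be treated as an indicator that the full-rebuild guidance above applies.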
For further technical detail, see the original disclosures from BleepingComputer, The Hacker News, and Help Net Security.