TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Help Net Security

Multiple threat actors actively exploit cPanel vulnerability (CVE-2026-41940)

Zeljka Zorz · 1 day ago

ATT&CK techniques detected

3 predictions

T1190 Exploit Public-Facing Application (97%)
“multiple threat actors actively exploit cpanel vulnerability (cve-2026-41940) multiple threat actors actively exploit cpanel vulnerability (cve-2026-41940) the situation around the critical cpanel authentication bypass vulnerability (cve-2026-41940) has deterior…”

T1486 Data Encrypted for Impact (97%)
“…ies where filenames end in “.sorry,” with 7,135 of those identified as running cpanel or whm, which is strong evidence of large-scale automated exploitation. the encrypted files being exposed in those open directories follow a consistent pattern across victims, with common…”

T1190 Exploit Public-Facing Application (81%)
“ssh keys, hidden cron jobs, leftover api tokens, sudoers backdoors, and an unfiltered control-plane port.” still, they noted, if indicators of compromise are present, rebuilding from clean backups is the safest path. nation-state targeting this advice might be enough for use…”

Summary

The situation around the critical cPanel authentication bypass vulnerability (CVE-2026-41940) has deteriorated significantly since our initial coverage. Exploratory probing has evolved into multi-actor exploitation, leading to disrupted websites, ransomware and malware deployment, and targeted attacks.

“Sorry” ransomware

Attackers have taken advantage of CVE-2026-41940 to mass-exploit vulnerable internet-facing cPanel instances to breach servers, deface websites and encrypt data. The ransomware used in some of the attacks is a Go(Lang)-based Linux encryptor that encrypts files and appends …