What Happened
A vulnerability in cPanel/WHM — software used to manage websites and web hosting servers — was patched on 30 April 2026. Within 48 hours, a ransomware group called ‘Sorry’ began exploiting unpatched servers at industrial scale, using an automated attack that requires no password or authentication to gain full control. The Shadowserver Foundation has confirmed at least 44,000 servers compromised globally. The ransomware encrypts all website files, customer databases, and email data stored on the server, and specifically targets backup software to prevent recovery.
cPanel/WHM is installed on an estimated 1.5 million web servers worldwide. A single compromised cPanel server may host hundreds of individual customer websites, multiplying the downstream business impact well beyond the server count.
Business Impact
For organisations that self-host websites on cPanel/WHM: Any server not yet patched is vulnerable to complete takeover with no user interaction or credentials required. Ransomware encryption of website files, customer databases, and email storage results in complete service outage for all hosted customers. Recovery requires verified, isolated backups — any backup stored on the compromised server is likely also encrypted.
For businesses whose websites are hosted by third-party providers using cPanel: The risk depends on whether your hosting provider has applied the patch. Unpatched hosting provider servers have been compromised, taking down all hosted customer websites simultaneously. Businesses relying on hosting providers for ecommerce, customer portals, or communications infrastructure should confirm their provider’s patch status.
Ransom demands from confirmed victim reports range from $5,000 to $50,000 per server, with no guarantee of decryption — the attack pattern includes evidence of deliberate backup destruction before encryption, consistent with no-recovery extortion.
Board-Ready Summary
- A critical vulnerability in web server management software is being actively exploited by a ransomware group at mass scale — 44,000 servers compromised in 48 hours, with attacks ongoing
- Unpatched servers face near-certain compromise; a successful attack results in complete loss of all hosted websites, databases, and email — backups on the same server are also destroyed
- The board should authorise emergency confirmation of cPanel patch status today, and if hosting is provided by a third party, direct the team to contact the provider for written confirmation of patch deployment
Recommended Actions
- Immediate (today): If your organisation operates any cPanel/WHM servers, direct your IT/hosting team to confirm the installed version and apply the security patch immediately: LTS 120.0.24, Stable 122.0.16, or Current 124.0.6. cPanel’s auto-update feature should have applied this automatically — but confirm it has.
- Immediate (today): If your websites are hosted by a third-party provider, contact your provider and request written confirmation that CVE-2026-41940 has been patched on all servers hosting your infrastructure. Do not assume provider patch status without confirmation.
- Verify backup integrity: Confirm that at least one complete website and database backup exists in a location separate from the cPanel server (off-site cloud storage, separate backup service, or local archive). Backups stored on the same server as your website are encrypted in an attack.
- Check for compromise indicators: Look for any website outages, unusual file changes, or error messages from your hosting environment in the past 72 hours. Contact your hosting team immediately if any anomalies are observed.
- Incident response readiness: Brief your IT and communications teams on the scenario where websites hosted on cPanel are taken offline by ransomware. Identify which business functions depend on hosted websites, what the acceptable recovery timeline is, and what customer/stakeholder communication would be required if services are unavailable.
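
For teams running more than one server, the version confirmation in the first action can be tracked with a small script. This is an added example, not part of the original advisory or of cPanel's tooling; the hostnames and reported versions are constructed, and two assumptions are made: the first number of a version is its release branch, and a leading "11." prefix on a reported version can be ignored.

```python
import re

# Patched builds per release branch, taken from the advisory text above.
# Assumption: the first number of each version identifies the branch.
PATCHED = {120: (120, 0, 24), 122: (122, 0, 16), 124: (124, 0, 6)}

def parse_version(raw):
    """Parse '124.0.6' or the prefixed form '11.124.0.6' into a tuple of ints."""
    m = re.fullmatch(r"(?:11\.)?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(p) for p in m.groups())

def patch_status(raw):
    """Classify one reported version as PATCHED, VULNERABLE or UNKNOWN."""
    try:
        ver = parse_version(raw)
    except ValueError:
        return "UNKNOWN"  # unreadable answer: treat as unconfirmed
    fixed = PATCHED.get(ver[0])
    if fixed is None:
        # The advisory names no fixed build for this branch, so it cannot
        # be reported as patched; it needs manual confirmation.
        return "UNKNOWN"
    return "PATCHED" if ver >= fixed else "VULNERABLE"

def audit(inventory):
    """Return only the hosts that cannot be reported as patched."""
    return {host: status for host, raw in inventory.items()
            if (status := patch_status(raw)) != "PATCHED"}

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = {
    "web01.example.net": "11.120.0.24",
    "web02.example.net": "122.0.15",
    "web03.example.net": "124.0.6",
    "web04.example.net": "118.0.40",
    "web05.example.net": "not reported",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Anything the script reports as UNKNOWN should be handled the same way as VULNERABLE until someone has confirmed the server's patch status directly.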