cPanel/WHM: 4000 instances in Germany already attacked
Patch now! Attackers worldwide are exploiting a critical security vulnerability in cPanel/WHM. Security updates are available.
The Sorry ransomware group is currently targeting cPanel and WebHost Manager (WHM) instances. According to security researchers, there have already been more than 44,000 successful attacks worldwide. Admins must install the security patches immediately.
Background
The Shadowserver Foundation is warning on X about the ongoing attacks. According to its statistics, more than 4,000 instances of the server and website management software have already been affected in Germany. The “critical” vulnerability (CVE-2026-41940) has been known since the end of last week. The US Cybersecurity & Infrastructure Security Agency (CISA) is also warning of attacks and is ordering US authorities to install the security updates swiftly.
If attackers successfully exploit the vulnerability, they can bypass authentication and gain access to systems. How the attacks proceed in detail is currently unclear. Once attackers have gained access to computers, they deploy the Sorry ransomware, which encrypts data and demands a ransom.
Victims of the encryption trojan are exchanging information in the forum of the IT news website Bleepingcomputer.com. Currently, there is no way to decrypt the data.
Update now!
In a warning message, the cPanel developers offer not only the patched versions but also a script that admins can use to identify already attacked instances. The warning message also contains further security tips on how admins can most effectively counter the attacks. These cPanel versions are protected against the currently ongoing attacks:
- 11.86.0.41
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.19
- 11.132.0.29
- 11.136.0.5
- 11.134.0.20
- WP Squared version 136.1.7
(des)
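The version list above can be turned into a quick inventory check. The following is an added example, not part of the article and not the cPanel developers' detection script: it sorts hosts into patched, needing an update, or on a release branch the list does not cover. It assumes version strings in the dotted form used above (with or without the leading `11.`) and that later builds on a listed branch keep the fix; the hostnames and inventory are constructed.

```python
# Added example: triage cPanel versions against the article's patched builds.
PATCHED = [  # copied from the list above; WP Squared is a separate product
    "11.86.0.41", "11.110.0.97", "11.118.0.63", "11.126.0.54",
    "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5",
]


def parse(version):
    """Turn '11.110.0.97' or '110.0.97' into (110, 0, 97)."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) == 4 and parts[0] == 11:
        parts = parts[1:]  # drop the constant leading "11."
    if len(parts) != 3:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(parts)


# Release branch (e.g. 110) -> listed patched (minor, build) on that branch.
FIXED = {parse(v)[0]: parse(v)[1:] for v in PATCHED}


def classify(version):
    """Return 'patched', 'needs-update', 'no-listed-fix' or 'unparseable'."""
    try:
        branch, minor, build = parse(version)
    except ValueError:
        return "unparseable"
    if branch not in FIXED:
        return "no-listed-fix"  # branch absent from the article's list
    # Assumption: later builds on a listed branch keep the fix.
    return "patched" if (minor, build) >= FIXED[branch] else "needs-update"


def triage(inventory):
    """Map host -> status for every host that is not confirmed patched."""
    statuses = {host: classify(ver) for host, ver in inventory.items()}
    return {h: s for h, s in sorted(statuses.items()) if s != "patched"}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "web01.example.net": "11.110.0.97",
    "web02.example.net": "11.110.0.85",
    "web03.example.net": "136.0.5",
    "web04.example.net": "11.128.0.10",
    "web05.example.net": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `no-listed-fix` or `unparseable` need a manual check against the vendor's warning message, since the list above says nothing about them.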