A Vulnerability in WHM cPanel and WP Squared Could Allow for Remote Code Execution
ID: f6acb275-8345-59e5-9dd7-a701cadf79ff
STIX ID: report--f6acb275-8345-59e5-9dd7-a701cadf79ff
Feed Name: CISecurity.org Advisories
Active exploitation of CVE-2026-41940 against internet-exposed cPanel/WHM has been observed; the exploit requires only a few unauthenticated HTTP requests to gain full WHM API access and root-level RCE. Exploitation began months before an emergency patch, accelerated after public disclosure, and has led to large-scale scanning (reported 44,000 IPs), deployment of a Go-based 'Sorry' ransomware encryptor, Mirai botnet installations, credential harvesting, and targeted cyber espionage in Southeast Asia.
