The cPanel Situation Is…
ID: c5055386-8d8d-57e5-995d-04c8a4a1efca
STIX ID: report--c5055386-8d8d-57e5-995d-04c8a4a1efca
Feed Name: Censys Blog
CVE-2026-41940, a critical pre-authentication bypass in cPanel/WHM disclosed April 29, 2026, was rapidly weaponized. Censys observed a surge on May 1 in which ~80% of newly malicious hosts were running cPanel. Two clearly distinct campaigns emerged: one deploying Mirai-like malware post-compromise, and a ransomware campaign that encrypted files and appended a ".sorry" extension, with thousands of affected cPanel hosts exposing encrypted files via open directories.
