cPanel's 7,135 Confirmed Ransomware Victims Sit Inside MSPs Procurement Treats as Commodity Hosting
The headline number for CVE-2026-41940 is roughly 1.5 million internet-exposed cPanel and WHM instances, with cPanel managing about 70 million domains and holding 22 to 23 percent of the commercial control-panel market. The number that matters more for procurement is 7,135: confirmed ransomware victims identified by Censys on May 1 running cPanel or WHM behind open directories full of .sorry-extension files. Those 7,135 hosts are not Fortune 500 web properties. They are small managed service providers, hosting resellers, and regional shops that procurement teams routinely classify as commodity infrastructure and exclude from third-party security reviews, the same population I covered in the case for treating small businesses as primary targets rather than collateral damage.
That classification is the procurement failure this incident exposes. The CVE itself is a textbook authentication bypass, but the timeline tells a different story: upstream operators knew about active exploitation roughly two months before the rest of the market, and the providers who ingested that intel fastest are the ones whose customers escaped.
February 23: Silent Zero-Day Exploitation Begins
Active exploitation of the cPanel/WHM authentication bypass began on or around February 23, 2026, more than two months before the patch landed. The vulnerability is a CRLF injection in cPanel session files chained across three weaknesses documented by watchTowr Labs: a missing <ob> segment in the session cookie that disables encryption (passwords are stored unencrypted in session files); a set_pass() routine that strips only NUL bytes, allowing \r\n injection; and a cache promotion path through Modify::new() and Modify::save() that reads the raw session file and lifts injected lines into the JSON cache as top-level keys. The patch added a filter_sessiondata() routine that strips \r\n=\, characters, and the bug affects every cPanel and WHM version after 11.40.
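The weak-filter versus hardened-filter contrast above, as an added illustration that is not cPanel's or watchTowr's code: it models the session store as a constructed, simplified newline-separated key=value file (an assumption; the real format is not reproduced here), shows why stripping only NUL bytes leaves delimiter characters intact, and includes the audit a defender would run to flag keys the application never wrote.

```python
import re

# Constructed model of a line-oriented session file (key=value per line).
# Assumption: the delimiters are '=' and newline, which is why the patched-style
# filter removes \r \n = \ and , rather than only NUL.

def legacy_set_pass(value: str) -> str:
    """Pre-patch behaviour as described on the page: only NUL bytes are removed."""
    return value.replace("\x00", "")

def filter_sessiondata(value: str) -> str:
    """Patched-style filter: remove every character that can act as a delimiter."""
    return re.sub(r"[\r\n=\\,]", "", value)

def serialize_session(fields: dict, sanitize) -> str:
    """Write the session file, passing each value through the chosen sanitizer."""
    return "".join(f"{key}={sanitize(val)}\n" for key, val in fields.items())

def parse_session(raw: str) -> dict:
    """Naive reader standing in for the cache-promotion path: every line becomes a key."""
    parsed = {}
    for line in raw.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            parsed[key] = val
    return parsed

def audit_session(raw: str, expected_keys: set) -> list:
    """Detection: keys present in the stored session that the app never wrote."""
    return sorted(k for k in parse_session(raw) if k not in expected_keys)

if __name__ == "__main__":
    # Constructed sample: a credential value carrying CR/LF and an '=' sign.
    fields = {"user": "alice", "pass": "hunter2\r\ninjected=1"}
    print(audit_session(serialize_session(fields, legacy_set_pass), {"user", "pass"}))
    print(audit_session(serialize_session(fields, filter_sessiondata), {"user", "pass"}))
```

The first audit call reports the extra key that the NUL-only filter let through; the second reports none, because the hardened filter collapses the value into a single line.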
During this two-month window, the attackers worked quietly enough that no public CVE existed and no advisory had been issued. The exploitation surfaced first in the telemetry of providers paying close attention to their own access logs.
April 28: Patch Ships, Two Tiers Diverge
cPanel released patches on April 28, 2026, spanning versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5, and the CVE was assigned the next day with a CVSS v3.1 of 9.8. The disclosure pattern that followed is the part procurement teams should study.
Several large hosting providers, including Namecheap, KnownHost, HostPapa, and InMotion, preemptively blocked TCP ports 2083, 2087, 2095, and 2096 across their fleets before the public CVE existed. KnownHost CEO Daniel Pearson told Help Net Security that his team "immediately began blocking WHM/cPanel login ports across the KnownHost network" after observing exploit attempts that "amounted to 'let me see if this works'." Singapore's Cyber Security Agency followed with a government-level advisory. Smaller providers and resellers, who are the long tail of the cPanel install base, did not have the same intel feeds or the same operational discipline; their customers' control panels remained exposed while exploitation accelerated.
This is the two-tier disclosure pattern that recurs across infrastructure incidents. I covered a similar dynamic in Adobe's December 2025 patch-then-downgrade sequence, where the timing of disclosure shaped which customers had a chance to act. The cPanel version is more consequential because the affected operators sit one layer below the brands procurement actually reviews.
May 1: Mass Exploitation Surge
The surge began on May 1, 2026, when over 15,000 cPanel hosts were newly classified malicious in a single day, accounting for roughly 80 percent of GreyNoise's total daily increase. Shadowserver counted 44,000 unique scanning IPs on April 30, with 3,540 still active on May 3. Censys further reported that the malicious cPanel hosts were concentrated on a handful of VPS providers: 1,043 on DigitalOcean, 716 on Contabo, 501 on OVH, 391 on Vultr, and 321 on Oracle.
By May 4, three distinct threat clusters had been identified inside the compromised population. The first is "Sorry" ransomware, a Go-based Linux encryptor that writes .sorry extensions and demands 0.1 BTC paid through Tox messenger. The second is a Mirai variant called nuclear.x86, which creates admin accounts, disables security logs, modifies firewall rules, and deploys cryptominers and DDoS clients. The third is an unattributed Southeast Asian espionage cluster running AdaptixC2 with OpenVPN and Ligolo for persistence; its targets include *.mil.ph, *.gov.la, an Indonesian defense training portal, and a confirmed victim list spanning MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States.
The 7,135 confirmed-compromise hosts are the ransomware count alone. The Mirai and espionage populations sit on top of that number, and the espionage cluster's MSP targeting is the part that should change how procurement teams scope third-party reviews.
What This Means for Third-Party Review
Procurement teams treat hosting and managed services as commodity layers. The vendor questionnaire asks about SOC 2 reports and uptime SLAs; it rarely asks how the provider learns about active exploitation of the software stack their customers depend on. The cPanel timeline shows a 60-day gap between when upstream operators knew exploitation was happening and when the broader population learned about it. Customers of the providers who blocked the ports on April 28 had a different experience from customers of providers who waited for the public CVE.
The structural failure mode is the same one I traced in the Vercel/Context AI breach: a fourth-party sitting one layer below the row procurement actually inventories. There, it was an AI productivity tool an employee self-provisioned. Here, it is a control-panel vendor whose patches reach customers through a reseller chain that nobody downstream has fully mapped.
This pattern is not specific to cPanel. I covered a structurally similar dynamic in Fortinet's fifth-zero-day patch treadmill, where the cadence of vendor disclosure outpaced customers' ability to act, and again in the ChipSoft ransomware case, where vendor concentration in commodity infrastructure created a regulator-blind systemic exposure. Hosting and control-panel software is the same structural class: a commodity layer where concentration risk and intel-ingestion speed are not visible from the buyer's vantage.
The diligence question to add to your next vendor review is concrete: what is your hosting provider's mean time to ingest threat intel from upstream, and what is the artifact that proves it? KnownHost can name the day they blocked ports 2083, 2087, 2095, and 2096 across their network. Procurement teams should be asking every hosting and MSP vendor for the equivalent timestamp on the next zero-day, and treating the absence of that artifact as a finding rather than a paperwork gap.