CVE Watch · Last verified 2026-05-15
Patched cPanel CVE-2026-41940? You may still be compromised.
44,000 IPs already compromised. 7,135 hit by .sorry ransomware. A persistent backdoor (Mr_Rot13 / Filemanager) survives the patch. cPanel shipped a SECOND emergency patch on May 8. Verify your server in 5 minutes using the cPanel-official IOC script — no scanning, no credentials shared.
Verified facts (sources at the bottom)
- CVE-2026-41940 — pre-authentication CRLF injection in cPanel & WHM session handling, leading to authenticated-as-root access. CVSS 9.8 (Critical).
- Zero-day window: in-the-wild exploitation since 2026-02-23, roughly two months before the patch.
- Patch released 2026-04-28, ~28 hours after vendor confirmation.
- Compromise scale: at least 44,000 IP addresses on Shadowserver Foundation honeypot lists as of 2026-04-30.
- Ransomware: Censys identified 8,859 hosts with .sorry-extension files; 7,135 are confirmed cPanel/WHM.
- Persistent backdoor: the Mr_Rot13 group deploys a Go-based Filemanager backdoor with bcrypt-protected web GUI; XLab rates detection rate as "extremely low".
- Active exploitation continues per Censys/Shadowserver telemetry. CISA KEV listing remains active.
- Second emergency patch on 2026-05-08: CVE-2026-29201, 29202, 29203. Two emergency Technical Security Releases inside ten days.
Why patching alone is not enough
cPanel's official remediation tooling has driven its measured patch coverage above 98% of servers in the auto-update channel. That is genuinely impressive vendor incident response, but it is not the full picture for an individual server operator, for three independent reasons:
- The patch fixes the bug, not the breach. If your server was reachable on ports 2083 or 2087 between 2026-02-23 and the day your update applied, an attacker may have already deployed the Filemanager backdoor, dropped SSH keys, planted cron jobs, or exfiltrated bash history, database passwords, and cPanel mail-forwarding configurations. Updating cPanel removes the entry door but does not remove an attacker who is already inside.
- Manual-update tiers and end-of-life environments are slower. CL6/C6, very old branches, and manually-managed fleets receive the patch via a different path. Those servers are over-represented among the 44,000 compromised IPs.
- The CVE pipeline is hot. A second emergency Technical Security Release on 2026-05-08 covered three more critical CVEs (29201, 29202, 29203). A control-panel platform that ships two emergency TSRs inside ten days is a platform whose attack surface deserves continuous monitoring, not a one-time patch.
Free resources
- 5-minute self-check guide — full walkthrough: patch verification, IOC scan, .sorry file check, Filemanager backdoor hunt
- cPanel official IOC detection script — vendor-provided indicator-of-compromise scanner
- Open-source 12-check detector — Bash script: patch status, .sorry files, Mr_Rot13 backdoor, cron jobs, SSH keys, and more
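The following is an added example written for this page; it is neither the cPanel IOC script nor the Ping7 detector linked above. It shows the shape of a post-patch triage that treats "patched" as the start of the investigation: confirm the running version, confirm whether the panel ports are listening, and then hunt for the artifacts the page says an attacker leaves behind during the exposure window (.sorry files, authorized_keys files and cron entries modified since 2026-02-23). Assumptions: the running version is read from /usr/local/cpanel/version (compare it yourself against the cPanel KB patch matrix), `ss` from iproute2 is available for the port check, and GNU `find`/`touch` semantics. The directory tree it builds is constructed for the demo, not real data, and the Filemanager backdoor hunt is deliberately left to the vendor script because its indicators are not reproduced on this page.

```shell
#!/usr/bin/env bash
# Added example: minimal post-patch triage for a cPanel/WHM host.
# Not the vendor IOC script; paths and sample data are assumptions/constructed.

EXPOSURE_START="2026-02-23"   # first in-the-wild exploitation, per the advisory timeline

# Patch state: cPanel records the running version in /usr/local/cpanel/version
# (path assumed; compare the value against the cPanel KB fixed-version matrix).
cpanel_version() {
  f="${1:-/usr/local/cpanel/version}"
  if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo unknown; fi
}

# Exposure: are the cPanel (2083) / WHM (2087) TLS ports listening?
# Cannot be exercised offline; prints matching local addresses, if any.
listening_on_panel_ports() {
  command -v ss >/dev/null 2>&1 || return 0
  ss -Hltn 2>/dev/null | awk '$4 ~ /:(2083|2087)$/ {print $4}'
}

# Ransomware marker: regular files whose name ends in .sorry under the roots given.
find_sorry_files() {
  find "$@" -type f -name '*.sorry' 2>/dev/null | sort
}
count_sorry() { find_sorry_files "$@" | grep -c . || true; }

# Persistence: authorized_keys files and crontab-like files whose mtime falls
# after the start of the exposure window. mtime is trivially forged, so an empty
# result is not proof of absence; a non-empty one is a lead that must be pulled.
find_recent_persistence() {
  since="$1"; shift
  find "$@" -type f \( -name authorized_keys -o -path '*cron*' \) \
       -newermt "$since" 2>/dev/null | sort
}
count_recent_persistence() { find_recent_persistence "$@" | grep -c . || true; }

# Constructed sample tree (not real data) so the script runs offline. One benign
# key dated before the window, one key and one cron entry touched inside it,
# two ransomware-renamed files, and a stand-in for the cPanel version file.
build_sample_tree() {
  root="$1"
  mkdir -p "$root/home/alice/.ssh" "$root/home/alice/public_html" \
           "$root/home/bob/.ssh"   "$root/home/bob/public_html" "$root/var/spool/cron"
  printf 'ssh-ed25519 AAAA... alice@laptop\n' > "$root/home/alice/.ssh/authorized_keys"
  touch -d "2025-12-01 00:00:00" "$root/home/alice/.ssh/authorized_keys"   # pre-window
  printf 'ssh-ed25519 AAAA... unknown\n'      > "$root/home/bob/.ssh/authorized_keys"
  touch -d "2026-03-10 00:00:00" "$root/home/bob/.ssh/authorized_keys"     # inside window
  printf '*/5 * * * * /tmp/update.sh\n'       > "$root/var/spool/cron/bob"
  touch -d "2026-04-02 00:00:00" "$root/var/spool/cron/bob"               # inside window
  printf 'gone\n' > "$root/home/alice/public_html/index.php.sorry"
  printf 'gone\n' > "$root/home/bob/public_html/wp-config.php.sorry"
  printf '1.2.3\n' > "$root/cpanel_version"   # stand-in for /usr/local/cpanel/version
}

# Human-readable report over a given root (use "/" style roots on a real host).
report() {
  root="$1"
  echo "cPanel version:      $(cpanel_version "$root/cpanel_version")"
  echo "panel ports open:    $(listening_on_panel_ports | tr '\n' ' ')"
  echo ".sorry files ($(count_sorry "$root/home")):"
  find_sorry_files "$root/home" | sed 's/^/  /'
  echo "persistence modified since $EXPOSURE_START:"
  find_recent_persistence "$EXPOSURE_START" "$root/home" "$root/var/spool/cron" | sed 's/^/  /'
}

demo=$(mktemp -d)
build_sample_tree "$demo"
report "$demo"
rm -rf "$demo"
```

On a real host, replace the sample roots with /home and /var/spool/cron (plus /etc/cron.d and /etc/crontab), and treat any hit as a reason to isolate the server and run the vendor IOC script before restoring service; a clean run of this script says nothing about the Filemanager backdoor, which this example does not look for.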
Need help fixing this vulnerability?
Professional remediation by the same team that tracks these threats.
Want CVE alerts in your inbox?
Ping7 runs a public CVE early-warning radar that filters NVD and CISA KEV for vulnerabilities relevant to web hosting, WordPress, and the rest of the small-site stack. One email per Critical CVE that affects shared hosting. No spam, no partner sales.
Subscribe (or just bookmark this page)
References
- NVD — CVE-2026-41940
- cPanel official: Response, Actions and Next Steps
- cPanel KB — IOC detection script + version-by-version patch matrix
- Rapid7 Emerging Threat Response
- watchTowr Labs — full technical analysis
- The Hacker News — government and MSP networks targeted
- Help Net Security — zero-day exploited for months before patch
- Censys — Mirai variants, .sorry ransomware, mass exploitation telemetry
- Panelica — 30-day timeline, two emergency TSRs
- Panelica — second TSR (CVE-2026-29201/29202/29203, 2026-05-08)
Ping7 is not affiliated with cPanel L.L.C., WebPros, or any hosting provider mentioned. All trademarks belong to their owners. This page references public CVE data only and does not include proof-of-concept code, exploitation steps, or any information that goes beyond public advisories.