44,000 cPanel Servers Compromised: 5 Critical Vulnerabilities to Patch This Monday

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
44,000 servers running cPanel have been confirmed compromised in an active global campaign exploiting CVE-2026-41940, a CVSS 9.8 authentication bypass that requires no credentials and no user interaction. The Shadowserver Foundation documented 44,000 unique victim IP addresses by June 5, 2026, while approximately 1.5 million additional internet-exposed cPanel instances remain unpatched and open to the same attack.
CVE-2026-41940 is a carriage return line feed (CRLF) injection flaw in cPanel and WHM's session loading and login processes. Attackers inject newline characters into HTTP session cookies to embed arbitrary session variables, bypassing both password authentication and two-factor authentication. The flaw was exploited as a zero-day by multiple threat groups for 65 days before cPanel released a patch on April 28, 2026. Within 24 hours of public proof-of-concept code appearing, attackers deployed "Sorry" ransomware, a Go-based Linux encryptor using ChaCha20 encryption, and wiped server backups to prevent recovery.
This cPanel CVE-2026-41940 campaign is the most urgent story this Monday, but it arrives alongside four other critical threats requiring immediate action: CISA added SolarWinds Serv-U CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5 with a federal patch deadline of June 19; Google's June 2026 Android update addresses the actively exploited framework zero-day CVE-2025-48595; Rust-based IronWorm malware has infected 36 npm packages to steal developer API keys and cloud credentials; and Ghost CMS CVE-2026-26980 (CVSS 9.4) is driving a ClickFix campaign that has hijacked over 700 websites. Ranked and actioned below.
How Does the cPanel Authentication Bypass Attack Work?
CVE-2026-41940 is a carriage return line feed (CRLF) injection vulnerability in cPanel and WHM's session handling code. The attack requires no authentication: an attacker sends an HTTP login request containing a specially crafted cookie with embedded newline characters. When cPanel processes the cookie to load session state, it interprets the injected newlines as session file delimiters, allowing the attacker to inject arbitrary session variables, including variables that mark the session as authenticated.
The result is complete authentication bypass. The attacker gains access to the cPanel or WHM administrative interface as if they had supplied valid credentials, bypassing both password checks and any configured two-factor authentication. Public proof-of-concept code appeared within hours of the April 28 disclosure; mass exploitation began within 24 hours, and multiple independent threat groups including one with suspected state-sponsored links targeting Philippine and Laotian government domains were confirmed active.
Post-authentication, observed threat actors establish persistence through four mechanisms: injecting SSH public keys for persistent shell access, creating cron jobs for command-and-control callbacks, generating API tokens that survive password resets, and modifying the sudoers file for root-level privilege retention. In active compromises, "Sorry" ransomware, a Go-based Linux encryptor using ChaCha20-Poly1305 encryption with an RSA-2048 protected key, was deployed and backups were deleted to prevent recovery. Ransom contact uses the Tox messaging protocol.
Affected versions: cPanel and WHM prior to version 11.136.0.5 and WP Squared prior to version 136.1.7. The patch was released April 28, 2026. Verify your version by running /usr/local/cpanel/cpanel -V on the server.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Five Threats Ranked by Urgency for Monday Morning
Five critical vulnerabilities require action today, ranked by active exploitation severity and patch availability.
Rank 1, cPanel CVE-2026-41940 (CVSS 9.8): Active ransomware deployment confirmed, 44,000 victim servers documented, 1.5 million exposed instances remain unpatched, public PoC widely circulated. Patch to cPanel 11.136.0.5 before any other action. This is also the third confirmed cPanel-class attack in three weeks, see the LiteSpeed cPanel privilege escalation campaign from May 19 for context on how aggressively this attack surface is being targeted.
Rank 2, SolarWinds Serv-U CVE-2026-28318 (CVSS 7.5): CISA-confirmed active exploitation, federal patch deadline June 19, 2026 under BOD 22-01. Unauthenticated denial-of-service via crafted HTTP POST requests. Patch to Serv-U 15.5.4 Hotfix 1.
Rank 3, Android CVE-2025-48595: Google confirmed limited, targeted active exploitation in the June 2026 Android Security Bulletin. High-severity elevation-of-privilege in the Android Framework component. Affects Android 14 and later. Apply June 2026 security patches to all managed Android devices.
Rank 4, IronWorm npm Supply Chain: 36 npm packages compromised with Rust-based infostealer targeting developer API keys for AWS, OpenAI, Anthropic, and npm Publishing credentials. Self-propagating via stolen npm Trusted Publishing tokens. Audit postinstall scripts and rotate credentials.
Rank 5, Ghost CMS CVE-2026-26980 (CVSS 9.4): SQL injection actively exploited via ClickFix social engineering, 700+ websites compromised. Affects Ghost CMS versions 3.24 through 6.19. Patch to Ghost CMS 6.20 or later.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
SolarWinds Serv-U CVE-2026-28318: Federal Patch Deadline in 11 Days
SolarWinds Serv-U CVE-2026-28318 is an uncontrolled resource consumption vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on June 5, 2026. Federal Civilian Executive Branch agencies must remediate by June 19, 2026 under Binding Operational Directive 22-01. The CISA June 2026 patch mandate for PAN-OS and Defender issued earlier this cycle shows the agency is enforcing these deadlines, organizations should treat June 19 as the maximum acceptable exposure window, not a federal floor.
The attack requires no authentication. A remote attacker sends an HTTP POST request to the Serv-U service with the Content-Encoding: deflate header set. Serv-U processes the decompression instruction without adequate resource limits, consuming excessive memory and CPU until the service crashes. While classified as a denial-of-service rather than code execution, repeated exploitation disables audit logging and connection monitoring, creating windows for secondary data exfiltration operations.
SolarWinds released the fix, Serv-U 15.5.4 Hotfix 1, on June 3, 2026, two days before CISA's KEV addition. Organizations not yet on this release should update immediately from the SolarWinds customer portal. As an interim mitigation before the patch is applied, deploy a web application firewall rule blocking POST requests that include the Content-Encoding header on Serv-U-facing endpoints, and restrict Serv-U access to known IP ranges.
Detection: monitor Serv-U service logs for repeated crash events and unexpected service restarts. Windows Event ID 7034 (service terminated unexpectedly) on the Serv-U host is the primary host-level indicator. Review for anomalous POST requests with deflate-encoded bodies in web server access logs.
“CISA adds CVE-2026-28318 to KEV, federal agencies must remediate by June 19, 2026.”
CISA Known Exploited Vulnerabilities Catalog, June 5, 2026
Android CVE-2025-48595: Zero-Day in June's 124-Flaw Patch Cycle
Android CVE-2025-48595 is an elevation-of-privilege vulnerability in the Android Framework component that Google confirmed is being exploited in limited, targeted attacks. Google's June 2026 Android Security Bulletin, which addresses 124 total vulnerabilities including 18 rated Critical, identifies CVE-2025-48595 as the sole confirmed zero-day in this cycle.
The vulnerability affects Android 14 and later versions. Successful exploitation allows a local attacker to escalate privileges, enabling code execution at a higher privilege level than the attacker's initial foothold. While Google describes exploitation as limited and targeted, this classification historically indicates use by commercial surveillance vendors or nation-state actors against high-value individuals including journalists, activists, and executives. The June bulletin also includes a separate critical Framework flaw enabling remote escalation of privilege with no additional execution privileges required, organizations managing Android fleets should treat the full June patch cycle as urgent.
Google Pixel devices received the June 2026 security patches automatically. For Samsung, OnePlus, Motorola, Xiaomi, and other OEM Android hardware, security updates arrive on manufacturer-specific timelines that can lag Google's release by days to weeks. IT administrators managing Android device fleets via MDM should verify patch compliance status for all Android 14+ devices and flag unpatched devices immediately.
There is no available detection mechanism at the application layer for CVE-2025-48595 exploitation. Organizations managing sensitive data on Android devices should treat unpatched Android 14+ devices as a privilege escalation risk until the June security patch is confirmed applied.
IronWorm: Rust-Based Infostealer Infects 36 npm Packages
IronWorm is a Rust-based infostealer discovered on June 4, 2026 that infected 36 npm packages with a combined 32,000 monthly downloads. The attack originated from a compromised npm account named "asteroiddao," which published trojanized package versions containing a Rust binary executable triggered via a preinstall script. This approach bypasses npm's JavaScript-focused security scanning that typically flags obfuscated JavaScript source code in package files.
The malware hides behind an eBPF kernel rootkit and communicates with its operator over Tor, making network-layer detection unreliable. IronWorm targets 86 environment variables and 20 credential file paths, specifically harvesting API tokens for OpenAI, Anthropic, AWS, and npm Publishing, along with SSH private keys and Exodus cryptocurrency wallet files. Once credentials are exfiltrated, IronWorm self-propagates by using stolen npm Trusted Publishing tokens to push trojanized versions of packages owned by the compromised developer account, each new victim becomes a new distribution point.
A deliberate anti-forensics technique was applied to the malicious commits: the commit author appears as "claude" with timestamps backdated up to 13 years, making the malicious commits appear as historical maintenance activity during automated security scanning.
Developers and CI/CD pipelines are the target. Run npm audit immediately and verify whether any packages from the "asteroiddao" npm account are in your dependency tree. Rotate all API tokens accessible from development environments and CI pipelines regardless of whether a specific infected package was installed, IronWorm's target list means any exposed credentials in a dev environment are at risk.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Monday Morning Remediation: Seven Steps Before End of Business
Five vulnerabilities, seven concrete actions to complete before end of business today. Each step is ranked by the blast radius if skipped.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why cPanel CVE-2026-41940 Matters for Your Organization
The cPanel CVE-2026-41940 campaign illustrates what happens when a CVSS 9.8 zero-credential authentication bypass meets a 65-day exploitation window: the attack surface is proportional to the number of internet-exposed cPanel instances, not the sophistication of the attacker. Any organization running exposed cPanel or WHM on ports 2083 or 2087 was in scope. Shared hosting providers, web development agencies, and small-to-midsize businesses that treat cPanel as infrastructure rather than a security perimeter are the primary victims.
The "Sorry" ransomware deployment combined with deliberate backup deletion is designed to eliminate recovery paths. Organizations discovering compromise after encryption face complete data loss unless immutable offsite backups exist. This is the same pressure tactic observed in the LiteSpeed and cPanel privilege escalation campaign three weeks prior, multiple threat groups are systematically targeting the cPanel attack surface simultaneously, which means patching one CVE while leaving another unaddressed is not a safe posture.
The IronWorm supply chain dimension adds a second vector worth checking before assuming the server-side patch is sufficient. If developers or CI systems on compromised npm packages had cPanel credentials stored in environment variables, common in automated deployment workflows, those credentials may already be in attacker hands. Cross-reference your npm dependency inventory with your cPanel access control list.
The CISA June 19 deadline for SolarWinds Serv-U is a federal floor. For organizations outside the federal civilian enterprise, it marks the outer boundary of acceptable exposure, not a target remediation date. Apply all five patches in today's Intel Drop before end of business.
The bottom line
cPanel CVE-2026-41940 has compromised 44,000 servers worldwide through a zero-credential authentication bypass active for 65 days before patching, with 1.5 million instances still exposed. Three key takeaways: patch cPanel to 11.136.0.5 and inspect for .sorry-encrypted files and unauthorized SSH keys before anything else; remediate SolarWinds Serv-U before the CISA June 19 deadline; and audit npm dependencies for IronWorm-infected packages targeting your developer credentials. All five vulnerabilities in this Intel Drop have public proof-of-concept code and confirmed active exploitation in the wild.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-41940 in cPanel?
CVE-2026-41940 is a CVSS 9.8 authentication bypass vulnerability in cPanel and WHM caused by CRLF injection in the session loading process. Attackers embed newline characters in HTTP cookies to inject arbitrary session variables, gaining full administrative access without valid credentials. The flaw was exploited as a zero-day for 65 days before cPanel released a patch on April 28, 2026, and public proof-of-concept code triggered mass exploitation within 24 hours of disclosure.
How many servers were compromised by the cPanel authentication bypass?
The Shadowserver Foundation confirmed 44,000 unique server IP addresses were compromised in the cPanel CVE-2026-41940 campaign as of June 5, 2026. An additional 1.5 million internet-exposed cPanel instances remain unpatched. The United States leads with approximately 15,200 confirmed compromised hosts, followed by France with 4,300, Germany with 4,200, and the United Kingdom with 2,300.
Is there a patch for cPanel CVE-2026-41940?
Yes. cPanel released a patch on April 28, 2026. Update to cPanel and WHM version 11.136.0.5 or WP Squared version 136.1.7. Run /scripts/upcp on the server or use the WHM upgrade interface. Check your current version with /usr/local/cpanel/cpanel -V. If patching must be delayed, restrict access to ports 2083 and 2087 to known administrator IPs as an interim mitigation.
What ransomware is deployed in the cPanel CVE-2026-41940 attacks?
Threat actors exploiting CVE-2026-41940 deploy Sorry ransomware, a Go-based Linux encryptor that uses ChaCha20-Poly1305 symmetric encryption with an RSA-2048 protected key. Encrypted files are renamed with a .sorry extension. Attackers also delete server backups to eliminate recovery options. Ransom contact uses the Tox messaging protocol. No public decryptor currently exists for Sorry ransomware.
What is the CISA deadline for SolarWinds Serv-U CVE-2026-28318?
CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog on June 5, 2026. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate by June 19, 2026. The fixed version is SolarWinds Serv-U 15.5.4 Hotfix 1, released June 3, 2026. Non-federal organizations should treat June 19 as the maximum acceptable exposure window rather than a target date.
How do I detect if my cPanel server was compromised via CVE-2026-41940?
Check for these indicators on any cPanel server: files with a .sorry extension indicating ransomware encryption; session files in /var/cpanel/sessions/raw/ containing embedded newline characters; unknown SSH public keys in /root/.ssh/authorized_keys; unauthorized cron jobs via crontab -l and cat /etc/cron.d/*; unknown WHM API tokens in the API Token Manager; and login entries in /var/log/cpanel-login.log from unexpected IP addresses at unusual times.
What is IronWorm malware and how does it spread through npm?
IronWorm is a Rust-based infostealer that infected 36 npm packages with 32,000 combined monthly downloads. It hides inside binary executables triggered via npm preinstall scripts, uses an eBPF kernel rootkit, and communicates over Tor. IronWorm steals API keys for AWS, OpenAI, Anthropic, and npm Publishing credentials, then self-propagates using stolen npm Trusted Publishing tokens to infect additional packages owned by compromised developer accounts.
What Android version is affected by CVE-2025-48595?
CVE-2025-48595 affects Android 14 and later versions. The vulnerability is an elevation-of-privilege flaw in the Android Framework component confirmed by Google as actively exploited in limited, targeted attacks. Google Pixel devices received the June 2026 security patch automatically. Devices from Samsung, OnePlus, Motorola, and other OEMs require separate manufacturer updates that may lag Google's release by days to weeks.
Sources & references
- Shadowserver Foundation - cPanel CVE-2026-41940 Exploitation Data
- CISA Known Exploited Vulnerabilities Catalog
- BleepingComputer: IronWorm malware hits 36 npm packages
- CybelAngel: CVE-2026-41940 Mass cPanel Attack Analysis
- Help Net Security: CISA mandates SolarWinds Serv-U patch by June 19
- Google Android Security Bulletin June 2026
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
