Incident/Threat Intel

Sorry Ransomware Hit cPanel: Why Your Maldives Resort Website Is One Exploit Away From Going Dark

May 30, 2026 · 6 min read
Active threat: CVE-2026-41940 is a real, CVSS 9.8 authentication-bypass flaw in cPanel & WHM, exploited as a zero-day for two months and used to deploy "Sorry" ransomware across shared hosting. If your resort website runs on cPanel and WordPress — and most in the Maldives do — this is your problem to manage, not just your host's.

Bottom line

The threat is real and active. Attackers gained root on cPanel servers with a single request — no password, no brute force — then ran ransomware that encrypts every site on the server and wipes the backups first.

"My host handles security" is half true. Your host patches the server. You are responsible for WordPress, plugins, and themes — and that is where most attacks land.

A dark booking site is a revenue problem. A breached one is a legal problem under PCI-DSS and the Maldives Data Protection Act 2021.

Do these five things this week:

  1. Confirm with your host that CVE-2026-41940 is patched (build 11.136.0.5 or later).
  2. Set up an automated backup that lives off your hosting server, and test a restore.
  3. Put a cloud WAF in front of the site — Cloudflare shipped an emergency rule for this CVE.
  4. Turn on auto-updates for WordPress core and all plugins; delete what you do not use.
  5. Enable multi-factor authentication on wp-admin and cPanel/WHM.

The rest of this post explains why each of these matters, and what to do if you are already too late.

What actually happened

CVE-2026-41940 is a specific, documented flaw that attackers were exploiting while cPanel was still writing the patch.

Property        Detail
CVE ID          CVE-2026-41940
Severity        CVSS 9.8 (Critical)
Type            Authentication bypass (CRLF injection in session handling, CWE-306)
Attack vector   Network, unauthenticated, no user interaction required
Affected        cPanel & WHM releases after 11.40; WP Squared up to 136.1.7
Patched         ~28 April 2026 (build 11.136.0.5 and the equivalent builds on other branches)
Status          Listed in CISA's Known Exploited Vulnerabilities (KEV) catalog

The exploit is unusually clean. A single crafted login request injects a line break into the session file the server creates for the attacker, so that file ends up containing a user=root line. The panel reads the file back, trusts it, and treats the attacker as root. No credentials are required, and root on the panel means reach into every website on the shared server.
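The pattern behind that one request, modelled as an added example in Python rather than anything taken from cPanel: a line-oriented session store whose writer interpolates the submitted username without validation, beside a hardened writer that allowlists it and a strict reader that refuses duplicate keys. The session file format, the directory and the %0A-carrying username are constructed for illustration; this is not the actual exploit request and not cPanel's session code.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed stand-in for a session directory; a real panel would use its own.
SESSION_DIR = Path(tempfile.mkdtemp(prefix="session-model-"))

# Hypothetical username field as it would arrive URL-encoded in a login request.
# %0A is a line feed and %3D is '='; decoded, the value is "guest\nuser=root".
ENCODED_ATTACK_USERNAME = "guest%0Auser%3Droot"


def decode_field(value: str) -> str:
    """URL-decode a form field, as the web stack does before the app sees it."""
    return unquote(value)


def write_session_vulnerable(session_id: str, user: str) -> Path:
    """Vulnerable pattern: the username goes straight into a line-oriented file.
    A newline inside it becomes an extra line that the reader will honour."""
    path = SESSION_DIR / f"{session_id}.vuln"
    path.write_text(f"created=1\nuser={user}\n")
    return path


def write_session_hardened(session_id: str, user: str) -> Path:
    """Hardened pattern: allowlist the username before it touches the file,
    so CR, LF and '=' can never reach the line-oriented store."""
    if not re.fullmatch(r"[a-z][a-z0-9_-]{0,31}", user):
        raise ValueError(f"rejected username {user!r}")
    path = SESSION_DIR / f"{session_id}.safe"
    path.write_text(f"created=1\nuser={user}\n")
    return path


def read_session_naive(path: Path) -> dict:
    """Naive reader: the last occurrence of a key wins, which is exactly what
    lets an injected 'user=root' line override the real one."""
    data = {}
    for line in path.read_text().splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            data[key] = value
    return data


def read_session_strict(path: Path) -> dict:
    """Defence in depth on the read side: refuse a session file that repeats
    a key or carries a value outside the expected character set."""
    data = {}
    for line in path.read_text().splitlines():
        key, sep, value = line.partition("=")
        if not sep or key in data or not re.fullmatch(r"[a-z0-9_-]+", value):
            raise ValueError(f"malformed session line {line!r}")
        data[key] = value
    return data


def effective_user(session_path: Path, strict: bool = False) -> str:
    """Which account the panel would act as, given the session file."""
    reader = read_session_strict if strict else read_session_naive
    return reader(session_path)["user"]


if __name__ == "__main__":
    injected = decode_field(ENCODED_ATTACK_USERNAME)
    print(effective_user(write_session_vulnerable("s1", injected)))  # root
    try:
        write_session_hardened("s2", injected)
    except ValueError as exc:
        print(exc)
```

The writer-side allowlist is the real fix; the strict reader only limits the damage if some other path writes to the store. Both belong in place, because the naive reader is what turns one stray newline into a privilege change.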

Two things make this especially bad for small operators.

First, the timeline: exploitation began around 23 February 2026, roughly 64 days before a patch existed. Attacks then surged within 48 hours of the fix, as criminals raced to hit servers that had not yet updated.

Second, the payload. "Sorry" ransomware, a Go-based Linux encryptor, deletes on-server backups before it encrypts your files. The encryption is ChaCha20 under an embedded RSA-2048 key, so there is no free decryption. If your only backup sits on the same hosting account as your site, you have nothing to restore from.

Attack chain: internet-exposed cPanel & WHM -> CVE-2026-41940 authentication bypass -> attacker becomes root on the panel -> web shell and credential theft -> Sorry ransomware wipes on-server backups -> every site on the server encrypted -> booking site dark

The scale is significant. Censys identified approximately 7,135 confirmed cPanel hosts already showing signs of the campaign. Shadowserver flagged around 44,000 likely-compromised IPs. Vendor and Shodan telemetry puts roughly 1.5 million exposed instances in scope, across approximately 70 million domains. These are estimates — but the order of magnitude is not in doubt.

Why your host won't save you

Shared hosting splits responsibility in a way that catches most resort owners off guard.

Layer         Who patches it   Examples
Server        Your host        cPanel/WHM, operating system, PHP
Application   You              WordPress core, plugins, themes

The application layer is where the danger lives. Patchstack's 2026 report found approximately 92% of WordPress breaches start in plugins and themes, which are your responsibility, not your host's. The server layer is not safe by default either. Budget hosts patch it slowly: updating thousands of customer accounts at once risks breaking sites, so they move carefully. Nothing a host did could have closed the 64-day window before cPanel had a fix, but once the fix shipped the 48-hour surge in attacks was aimed squarely at servers that had not yet applied it, and slow-patching hosts are exactly where those servers sit.

Both layers are your business risk.

If your site is already down

Speed matters, but sequence matters more. Cleaning up before you preserve evidence destroys the forensic trail. Work through these in order:

  1. Contain. Take the site offline or into maintenance mode. Lock wp-admin and WHM access to your office IP address. Change nothing else — logs are evidence.
  2. Rotate every credential. WordPress admin accounts, cPanel/WHM, the database, FTP/SFTP, and the hosting account itself. Assume all are compromised.
  3. Scan from the server, not from a plugin. Run the scan over SSH or through your host's tooling: malware routinely disables security plugins, and a compromised site cannot audit itself cleanly.
  4. Restore from a clean, off-server backup. Never try to clean in place and hope. Use a backup taken before the compromise date.
  5. Patch before relaunch. Confirm the cPanel fix is applied, update WordPress and every plugin, and delete unused ones before the site goes live again.
  6. Keep bookings moving. Switch to phone or email reservations, or a holding page, so revenue does not stop while you recover.
  7. Notify guests if data was exposed. Under the rules below, this is a legal duty, not a PR choice.
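Steps 3 and 5 above as an added, runnable triage helper written for this post (not a cPanel tool): it gates the installed build against the one patched build the page names, and scans access-log lines for the percent-encoded line breaks (%0A/%0D) that a CRLF-class login attack has to carry. The log lines are constructed, the login path and query parameter are illustrative rather than a captured exploit, and /usr/local/cpanel/version as the location of the version string is an assumption; other release branches report as unknown because the page does not number their fixed builds.

```python
import re
from collections import Counter
from pathlib import Path

# Patched build this page names for the 11.136 branch. Other branches received
# "branch equivalents" the page does not number, so they report as unknown.
PATCHED_BUILDS = {136: (11, 136, 0, 5)}

# Assumed location of the installed version string on a cPanel server.
VERSION_FILE = Path("/usr/local/cpanel/version")

# Constructed access-log lines in Apache combined format. The login path and
# the %0A/%0D-bearing parameter are illustrative indicators of the CRLF class.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2026:03:12:41 +0000] "POST /login/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.22 - - [24/Apr/2026:03:12:43 +0000] "POST /login/?user=guest%0Auser%3Droot HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - owner [24/Apr/2026:08:05:10 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.22 - - [24/Apr/2026:03:12:45 +0000] "POST /login/?user=guest%0duser%3Droot HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Percent-encoded LF (%0A) or CR (%0D) anywhere in the request target.
CRLF_RE = re.compile(r"%0[ad]", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'11.136.0.5' -> (11, 136, 0, 5); anything else is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version_text: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' when the page gives no
    fixed build for that branch (check the vendor advisory in that case)."""
    version = parse_version(version_text)
    branch = version[1]
    if branch not in PATCHED_BUILDS:
        return "unknown-branch"
    return "patched" if version >= PATCHED_BUILDS[branch] else "vulnerable"


def read_installed_version(path: Path = VERSION_FILE):
    """Version string from the assumed file, or None when not on a cPanel box."""
    return path.read_text().strip() if path.exists() else None


def find_crlf_requests(lines) -> list:
    """Requests whose target carries an encoded CR or LF, with who sent them."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match and CRLF_RE.search(match["target"]):
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "target": match["target"],
                "status": int(match["status"]),
            })
    return hits


def triage(version_text, log_text: str) -> dict:
    """Combine the version gate with the log scan into one report."""
    hits = find_crlf_requests(log_text.splitlines())
    return {
        "patch_status": patch_status(version_text) if version_text else "unknown-version",
        "crlf_requests": hits,
        "source_ips": Counter(hit["ip"] for hit in hits),
    }


if __name__ == "__main__":
    installed = read_installed_version() or "11.136.0.4"  # sample when run off-box
    report = triage(installed, SAMPLE_LOG)
    print(report["patch_status"], dict(report["source_ips"]))
```

A hit with a 200 response from a source you do not recognise is the thing to chase: pull every other request from that IP, and treat the server as compromised until the session store and web roots have been checked. An "unknown-branch" result is not reassurance; it means you have to read the vendor advisory for that branch rather than this script.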

Why this matters in the Maldives

No Maldivian resort has been publicly named in this campaign. Smaller regional victims rarely reach international threat intelligence feeds, so absence of headlines is not absence of risk.

What is on the record: in January 2024, hacktivists defaced multiple Maldives government websites, including the Ministry of Tourism. Tourism infrastructure here is already a recognised target. Add a global ransomware campaign aimed at the exact stack most resort sites run on, and the risk is concrete, not theoretical.

The compliance picture raises the stakes further:

  • PCI-DSS applies to any resort taking card payments. It requires timely patching, access controls, and a documented breach response.
  • The Maldives Data Protection Act 2021 imposes duties to protect personal data and notify affected individuals in the event of a breach.
  • GDPR applies to guest data belonging to EU citizens — a common scenario for Maldivian resorts drawing European visitors.

A site that goes dark is a lost-revenue story. A site that is breached — with an attacker holding root over booking records, passport scans, and payment data — is a regulatory story with a much longer tail.

Harden it now

CVE-2026-41940 will not be the last critical flaw in this stack. The slow-patch, large-plugin-surface pattern is structural. The defences, however, are not complicated — most are configuration, not engineering:

  • Off-server backups, retained for at least 30 days, with restores actually tested. An untested backup is not a backup.
  • A cloud WAF in front of the site. Cloudflare shipped an emergency rule specifically for CVE-2026-41940 — a WAF buys critical time when your host is slow to patch.
  • Auto-updates for WordPress core and all active plugins. Delete themes and plugins you are not using.
  • MFA on both wp-admin and cPanel/WHM — a compromised password alone should never be enough.
  • Least-privilege accounts. Remove default admin usernames and any accounts that are no longer in active use.
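The first bullet, off-server backups with a tested restore, as an added example written for this post rather than a tool from the page's author: it writes a tar.gz plus a SHA-256 manifest, performs the restore test by unpacking into scratch space and re-hashing every file, reports what has changed since a given backup so you can pick one that predates a compromise, and prunes sets beyond the 30-day retention. The sample site tree is constructed; the destination directory is a stand-in for a mount or sync target that is genuinely off the hosting server, which is the whole point.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def make_sample_site() -> Path:
    """Constructed stand-in for a WordPress document root (not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'resort_db');\n")
    (root / "wp-content" / "uploads" / "villa.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 64)
    return root


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(site_dir: Path) -> dict:
    """Relative path -> SHA-256 for every file under site_dir."""
    return {
        str(p.relative_to(site_dir)): sha256_of(p)
        for p in sorted(site_dir.rglob("*"))
        if p.is_file()
    }


def make_backup(site_dir: Path, dest_dir: Path, stamp: str = None):
    """Write a tar.gz and a hash manifest into dest_dir. In production dest_dir
    is a target that lives off the hosting server; a copy left in the same
    account is exactly what the ransomware deletes before encrypting."""
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"site-{stamp}.tar.gz"
    manifest = dest_dir / f"site-{stamp}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    manifest.write_text(json.dumps(build_manifest(site_dir), indent=1, sort_keys=True))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> bool:
    """The restore test: unpack into scratch space and prove every file
    hashes to what the manifest recorded at backup time."""
    expected = json.loads(manifest.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            for member in tar.getmembers():  # refuse path traversal on old Pythons
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe archive member {member.name!r}")
            try:
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the extraction filter argument
                tar.extractall(scratch)
        return build_manifest(Path(scratch) / "site") == expected


def diff_against_manifest(site_dir: Path, manifest: Path) -> dict:
    """Files changed, added or removed since that backup: a quick way to tell
    whether a backup set predates an encryption or web-shell drop."""
    expected = json.loads(manifest.read_text())
    current = build_manifest(site_dir)
    return {
        "changed": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
    }


def prune_old(dest_dir: Path, keep_days: int = 30, now: float = None) -> list:
    """Delete backup sets older than keep_days; returns the names removed."""
    now = time.time() if now is None else now
    removed = []
    for p in sorted(dest_dir.glob("site-*")):
        if now - p.stat().st_mtime > keep_days * 86400:
            p.unlink()
            removed.append(p.name)
    return removed


if __name__ == "__main__":
    site = make_sample_site()
    archive, manifest = make_backup(site, site.with_name(site.name + "-offsite"))
    print("restore ok:", verify_restore(archive, manifest))
```

Run the restore test on a schedule, not once: a backup that verified last month proves nothing about the one taken last night. The database dump belongs in the same set (a wp-config.php without its database is not a site), and retention should be long enough to reach back past the day an attacker first got in, which in this campaign was weeks before anyone noticed.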

The gap between "we have a website" and "we have a hardened website" is smaller than most owners think, and far cheaper than one lost booking day.

CyberCloud runs cPanel and WordPress security audits for resorts and tourism businesses across the Maldives — hardening configurations, applying emergency patches, and responding fast when a site goes dark. If you are not certain your current setup would survive a serious attempt, start with a security assessment.


References

  1. NVD — CVE-2026-41940 — NIST National Vulnerability Database, April 2026
  2. CVE-2026-41940: cPanel & WHM Authentication Bypass — Rapid7, April 2026
  3. cPanel zero-day exploited for months before patch release — Help Net Security, April 2026
  4. CISA Known Exploited Vulnerabilities Catalog — CVE-2026-41940 — CISA, April 2026
  5. Critical cPanel flaw mass-exploited in Sorry ransomware attacks — BleepingComputer, May 2026
  6. The cPanel Situation — Censys, May 2026
  7. State of WordPress Security 2026 — Patchstack, 2026
  8. Cyberattack on Maldives Government — The Cyber Express, January 2024