Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks
A newly disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks.
IOC Workbench
- CVE: CVE-2026-41940
- URL: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- Domain: www.bleepingcomputer.com
Rule Studio
Draft output: validate and tune before production rollout.
Sigma draft
title: AHackaday IOC starter detection
id: ahackaday-2026-05-02-critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks-624b230d
description: IOC starter rule for Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks
status: experimental
author: ahackaday
logsource:
    product: network
detection:
    # Keyword-style selection: a list with no field name matches these
    # strings anywhere in the log event.
    # The URL and domain below are those of the source article, not
    # attacker infrastructure.
    selection_iocs:
        - "CVE-2026-41940"
        - "https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/"
        - "www.bleepingcomputer.com"
    condition: selection_iocs
falsepositives:
    - unknown
level: high
YARA draft
rule ahackaday_2026_05_02_critrical_cpanel_flaw_mass_exploited_in_sorry_ransomware_attacks_624b230d
{
    meta:
        description = "IOC starter for Critrical cPanel flaw mass-exploited in 'Sorry' ransomware attacks"
        author = "ahackaday"
    strings:
        $ioc1 = "CVE-2026-41940" nocase
        $ioc2 = "https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/" nocase
        $ioc3 = "www.bleepingcomputer.com" nocase
    condition:
        any of them
}
Provenance
Claims tie surfaced fields back to sources, models, or heuristics.
- severity.uplift (heuristic, n/a): CVE or advisory identifiers detected; floor raised to at least high.
- severity.uplift (heuristic, n/a): Active exploitation / in-the-wild language detected; floor raised to at least high.
- severity.uplift (heuristic, n/a): Ransomware campaign indicators detected; floor raised to at least high.
- severity.uplift (heuristic, n/a): Combined zero-day/exploit + ransomware/mass-impact signals → critical.
Sources
Curated May 02, 2026 by the ahackaday team. Sources verified. Brief grounded in 1 source.