
cPanel Zero-Day Compromises 44,000 Servers in Global Attack

Over 44,000 servers have been compromised in an ongoing exploitation campaign targeting a critical cPanel zero-day vulnerability, according to The Shadowserver Foundation. The attacks exploit CVE-2026-41940, a critical authentication-bypass flaw in cPanel & WebHost Manager (WHM) that was disclosed on April 28, 2026.

The vulnerability allows unauthenticated attackers to gain administrative access to cPanel instances by using special characters in authorization headers to inject credentials into session files. SecurityWeek reported that attackers can then trigger a session reload to authenticate with the injected administrative credentials, effectively taking over the host system and compromising all managed configurations, databases, and websites.

Exploitation Timeline and Scale

Security researchers believe CVE-2026-41940 was exploited as a zero-day since late February 2026, with activity significantly increasing after the public disclosure. The exploitation campaign intensified further after threat intelligence firm WatchTowr published technical details of the vulnerability.

Rapid7 warned that approximately 1.5 million cPanel instances remain accessible from the internet, creating a massive attack surface. The Shadowserver Foundation’s honeypot sensors detected the peak compromise count on Friday, with most affected systems located in the United States, followed by France and the Netherlands.

As of May 3, 2026, the number of actively compromised systems has dropped significantly from the peak, though thousands remain vulnerable.

Healthcare Sector Under Siege

The healthcare sector continues to face severe ransomware attacks, with Sandhills Medical Foundation disclosing a breach affecting nearly 170,000 individuals. The South Carolina-based healthcare provider discovered the ransomware attack on May 8, 2025, but only disclosed the incident publicly nearly one year later.

The Inc Ransom group claimed responsibility for the attack and listed Sandhills Medical on its leak website in early June 2025. Compromised data includes Social Security numbers, driver’s licenses, financial information, and personal health records. The ransomware group has since made the allegedly stolen files available for download.

This incident highlights the extended timeline between initial compromise and public disclosure that often characterizes healthcare breaches, giving threat actors ample time to monetize stolen data.

Ransomware Groups Turn on Each Other

In an unusual development, two ransomware-as-a-service operations, 0APT and KryBit, have engaged in cyberattacks against each other, according to Halcyon Ransomware Research Center. The feud has exposed infrastructure and operational data from both groups, providing rare insight into ransomware operations.

0APT initially emerged in late January 2026 with a fabricated victim list of nearly 200 organizations. After going quiet for months, the group reemerged in mid-April claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse.

KryBit, which launched in late March 2026, offers ransomware-as-a-service kits targeting Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate revenue model. The group published 10 legitimate victims in its first two weeks of operation.

Flawed Ransomware Acts as Data Wiper

The Vect 2.0 ransomware variant contains a critical design flaw that causes it to permanently destroy files larger than 128KB instead of encrypting them, Check Point Software reported. This makes the malware function as a wiper rather than traditional ransomware, eliminating the possibility of data recovery even if victims pay the ransom.

The flaw affects all platform variants (Windows, Linux, and VMware ESXi) and stems from the malware’s ChaCha20-IETF encryption implementation. While Vect encrypts large files using four random nonces, it only saves the final nonce to disk, making the first three chunks of each file permanently unrecoverable.

This design error effectively destroys enterprise assets including virtual machine disks, databases, documents, and backups, making Vect 2.0 far more destructive than its operators intended.
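To make the nonce loss concrete, here is an added illustration (not Check Point's analysis code or anything from Vect itself) that encrypts a constructed in-memory "file" as four chunks under four random nonces, keeps only the last nonce the way the article describes, and then shows what a decryptor holding the key can and cannot restore; it also explains the FAQ point below about why supposed decryption tools leave large files unrecoverable. It assumes an HMAC-SHA256 counter-mode keystream as a stand-in for ChaCha20-IETF, since the outcome depends on the missing nonces rather than on the cipher.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Added illustration, not Vect's or Check Point's code. A "file" is encrypted as four chunks under
# four random nonces, but only the last nonce is written out, mirroring the reported flaw.
# Assumption: HMAC-SHA256 in counter mode stands in for ChaCha20-IETF; the loss comes from the
# missing nonces, not from the cipher, so any stream cipher behaves the same way.
CHUNKS = 4

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream for (key, nonce); it cannot be regenerated without the exact nonce."""
    out = bytearray()
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(4, "little"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def chunk_size(total: int) -> int:
    return -(-total // CHUNKS)  # ceiling division so four chunks cover the whole file

def encrypt_chunked(key: bytes, plaintext: bytes):
    """Encrypt each chunk under a fresh 12-byte nonce; returns (ciphertext, all four nonces)."""
    size, ct, nonces = chunk_size(len(plaintext)), b"", []
    for i in range(CHUNKS):
        piece, nonce = plaintext[i * size:(i + 1) * size], os.urandom(12)
        nonces.append(nonce)
        ct += xor(piece, keystream(key, nonce, len(piece)))
    return ct, nonces

def flawed_footer(nonces: List[bytes]) -> List[Optional[bytes]]:
    """What Vect 2.0 persists: the final nonce only; the first three are discarded."""
    return [None] * (CHUNKS - 1) + [nonces[-1]]

def decrypt_chunked(key: bytes, ciphertext: bytes, nonces: List[Optional[bytes]]) -> List[Optional[bytes]]:
    """Decrypt each chunk whose nonce is known; None marks a chunk that cannot be restored."""
    size, out = chunk_size(len(ciphertext)), []
    for i, nonce in enumerate(nonces):
        piece = ciphertext[i * size:(i + 1) * size]
        out.append(None if nonce is None else xor(piece, keystream(key, nonce, len(piece))))
    return out

def recovered_bytes(chunks: List[Optional[bytes]]) -> int:
    """Bytes a decryptor holding the key and the stored nonces could actually restore."""
    return sum(len(c) for c in chunks if c is not None)
```

With all four nonces, `decrypt_chunked` restores the whole input; with the flawed footer only the final quarter comes back, which is why paying for a decryptor cannot bring back the rest.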

US Cybersecurity Experts Sentenced for Ransomware Crimes

Two cybersecurity professionals who turned to ransomware operations have each received 4-year prison sentences. SecurityWeek reported that Ryan Goldberg of Georgia and Kevin Martin of Texas pleaded guilty to conspiracy charges related to their role in BlackCat/Alphv ransomware attacks.

The defendants worked as ransomware negotiators at cybersecurity firms before deciding to conduct their own attacks. They paid 20% of ransom proceeds to BlackCat administrators while keeping 80% for themselves, receiving approximately $1.2 million from one victim.

A third defendant, Angelo Martino from Florida, also pleaded guilty and awaits sentencing on July 9, 2026. The BlackCat operation targeted over 1,000 organizations between November 2021 and December 2023 before being disrupted by law enforcement.

What This Means

The cPanel zero-day exploitation demonstrates how quickly threat actors can weaponize newly disclosed vulnerabilities at scale. With 1.5 million potentially vulnerable instances and 44,000 confirmed compromises, this campaign shows the critical importance of rapid patch deployment for internet-facing management platforms.

The healthcare sector’s continued vulnerability to ransomware attacks, combined with extended disclosure timelines, creates ongoing risks for patient data. The Sandhills Medical incident’s year-long delay between detection and disclosure highlights gaps in breach notification requirements.

The emergence of flawed ransomware like Vect 2.0 that acts as a wiper rather than an encryption tool represents a concerning trend toward more destructive attacks. Organizations face permanent data loss regardless of ransom payment, fundamentally changing the risk calculus for incident response.

FAQ

What should cPanel users do immediately?
Update to the latest patched versions (11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19) and follow cPanel’s official guidance for identifying potential compromises. All versions after 11.40 are vulnerable.
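As an added helper (not cPanel's own tooling), the following check classifies an installed cPanel & WHM version string against the patched builds listed above: below 11.40 is reported as not affected, a version at or above its branch's patched build as patched, and anything else as vulnerable. It assumes the version string is supplied on the command line or read from `/usr/local/cpanel/version`, an assumed path.

```python
import sys

# Added helper, not cPanel's own tooling. Classifies an installed cPanel & WHM version against
# the patched builds named in the article for CVE-2026-41940.
# Assumption: the version can be read from /usr/local/cpanel/version (assumed path); otherwise
# pass it as the first argument.
PATCHED = ["11.86.0.41", "11.110.0.97", "11.118.0.63", "11.124.0.35", "11.126.0.54", "11.130.0.19"]
FIRST_AFFECTED = (11, 40)  # article: versions after 11.40 are vulnerable; 11.40 itself treated conservatively

def parse(version: str) -> tuple:
    """Turn '11.130.0.19' into (11, 130, 0, 19); reject anything that is not four numeric fields."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected cPanel version format: {version!r}")
    return tuple(int(p) for p in parts)

# Map each branch (major.minor) to its patched build so a version is compared within its own branch.
PATCHED_BY_BRANCH = {parse(v)[:2]: parse(v) for v in PATCHED}

def assess(version: str) -> str:
    """Return 'not affected', 'patched', or 'vulnerable: <reason>' for CVE-2026-41940."""
    v = parse(version)
    if v[:2] < FIRST_AFFECTED:
        return "not affected"
    fixed = PATCHED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Branch has no patched build in the list, so the only fix is moving to a patched branch.
        return "vulnerable: no patched build listed for branch %d.%d, upgrade to a patched branch" % v[:2]
    if v >= fixed:
        return "patched"
    return "vulnerable: %s is below patched build %s" % (version, ".".join(map(str, fixed)))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        installed = sys.argv[1]
    else:
        with open("/usr/local/cpanel/version") as fh:  # assumed path
            installed = fh.read()
    print(assess(installed))
```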

How can organizations detect if they’ve been hit by Vect 2.0 ransomware?
Check if files larger than 128KB have been corrupted rather than properly encrypted. If large files are unrecoverable even with supposed decryption tools, the system was likely hit by Vect 2.0’s flawed implementation.

What makes the BlackCat prosecutions significant?
These are among the first cases where cybersecurity professionals working as ransomware negotiators have been prosecuted for crossing into criminal activity. The sentences establish precedent for prosecuting insider threats within the cybersecurity industry.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.