
cPanel Zero-Day Hits 40,000+ Servers in Mass Attack Campaign

Over 40,000 servers have been compromised in an ongoing exploitation campaign targeting a critical cPanel authentication bypass vulnerability, making it one of the largest server compromise events of 2026. According to The Shadowserver Foundation, threat actors are actively exploiting CVE-2026-41940, which provides unauthenticated attackers with administrative access to cPanel & WebHost Manager (WHM) platforms.

The vulnerability affects all cPanel versions after 11.40 and allows attackers to take complete control of host systems, compromising all configurations, databases, and websites managed by the platform.

Critical Authentication Bypass Enables Mass Exploitation

Exploitation of CVE-2026-41940 uses special characters in authorization headers to write parameters into a session file, then triggers a reload so that the server authenticates the attacker with the injected administrative credentials. SecurityWeek reported that the vulnerability was likely exploited as a zero-day since late February 2026, with activity spiking after public disclosure on April 28.

Rapid7 warned that approximately 1.5 million cPanel instances remain accessible from the internet, representing a massive attack surface. The Shadowserver Foundation’s honeypot sensors detected the spike in exploitation attempts, with compromised systems primarily located in the United States, France, and the Netherlands.

Threat intelligence firm watchTowr’s publication of technical exploitation details further accelerated attack activity across the vulnerable infrastructure.

https://x.com/Shadowserver/status/2050208472386396568

Healthcare Sector Faces Mounting Ransomware Pressure

The cPanel exploitation campaign coincides with continued ransomware pressure on healthcare organizations. Sandhills Medical Foundation disclosed a ransomware attack affecting nearly 170,000 individuals, discovered on May 8, 2025, but only publicly disclosed nearly one year later.

The Inc Ransom group listed Sandhills Medical on its leak website in June 2025 and has since made stolen files available for download. Compromised data includes Social Security numbers, driver’s licenses, financial information, and personal health records.

Meanwhile, a Latvian member of the Karakurt ransomware gang received an 8.5-year prison sentence for his role in extorting victims. Deniss Zolotarjovs, 35, served as a negotiator between June 2021 and March 2023, during which Karakurt hit at least 53 entities and caused $56 million in losses.

Ransomware Groups Turn on Each Other

In an unusual development, two newer ransomware-as-a-service operations—0APT and KryBit—have engaged in attacks against each other, exposing infrastructure and operational data. The Halcyon Ransomware Research Center reported that 0APT emerged in January with a fabricated victim list before going quiet, then reemerged in April claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse.

KryBit launched in March offering ransomware kits targeting Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate model. The group published 10 legitimate victims in its first two weeks of operation.

The feuding groups’ mutual attacks have provided defenders with rare insight into ransomware operations, infrastructure, and tactics typically hidden from security researchers.

Vect 2.0 Ransomware Contains Fatal Design Flaw

The emerging Vect 2.0 ransomware contains a critical design error that causes it to act as a wiper rather than traditional ransomware for files larger than 128KB. Check Point Software discovered that the flaw exists across Windows, Linux, and VMware ESXi variants, permanently destroying files instead of encrypting them for ransom.

The malware encrypts four independent chunks of each large file using four randomly generated nonces but appends only the final nonce to the encrypted file on disk. The other three nonces, which are required to decrypt the first three chunks, are discarded, making data restoration impossible even if victims pay the ransom.

Vect 2.0 has been deployed against victims of TeamPCP supply chain attacks, but the wiper functionality eliminates any possibility of file recovery, complicating the attackers’ extortion model.

What This Means

The cPanel vulnerability represents a significant supply chain risk, as compromised hosting providers can impact thousands of downstream websites and applications. With 1.5 million potentially vulnerable instances and active exploitation, organizations using cPanel must prioritize immediate patching.

The healthcare sector continues facing disproportionate ransomware targeting, with attackers specifically exploiting the sensitive nature of patient data for leverage. The one-year delay in Sandhills Medical’s disclosure highlights ongoing challenges in incident response and notification timelines.

The infighting between ransomware groups and design flaws in newer variants like Vect 2.0 suggest the ransomware ecosystem faces internal pressures and quality control issues as law enforcement increases pressure on established operations.

FAQ

How can organizations protect against the cPanel vulnerability?
Organizations should immediately update to patched cPanel versions (11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, or later) and follow cPanel’s instructions for identifying potential compromises. Network segmentation and monitoring for unusual administrative activity can help detect exploitation attempts.
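A quick way to triage a fleet against the patched builds listed above is to compare each host’s installed version with the minimum fixed build for its release branch. The script below is an added example, not from the article or from cPanel; it assumes the installed version is read from the file /usr/local/cpanel/version and that a release branch is identified by the second version component (the "110" in 11.110.0.97). Branches the article does not list return None rather than a verdict.

```python
"""Triage a cPanel version string against the patched builds named for CVE-2026-41940."""
from typing import Optional, Tuple

# Patched builds as listed in the article; keyed by release branch (second component).
_PATCHED_LIST = [
    "11.86.0.41", "11.110.0.97", "11.118.0.63",
    "11.124.0.35", "11.126.0.54", "11.130.0.19",
]
PATCHED_BY_BRANCH = {}
for _v in _PATCHED_LIST:
    _t = tuple(int(x) for x in _v.split("."))
    PATCHED_BY_BRANCH[_t[1]] = _t


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.BRANCH.MINOR.BUILD' into a comparable tuple; raise on garbage."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fixed build for its branch, False if below it,
    None if the branch is not in the article's list (consult the vendor)."""
    v = parse_version(version)
    fixed = PATCHED_BY_BRANCH.get(v[1])
    if v[0] != 11 or fixed is None:
        return None
    return v >= fixed  # tuple comparison: branch, then minor, then build


def check_installed(path: str = "/usr/local/cpanel/version") -> Optional[bool]:
    """Read the installed version from disk (assumed path) and classify it."""
    with open(path, encoding="ascii") as fh:
        return is_patched(fh.read())


if __name__ == "__main__":
    import sys
    verdict = check_installed(sys.argv[1]) if len(sys.argv) > 1 else check_installed()
    print({True: "patched", False: "VULNERABLE", None: "branch not listed"}[verdict])
```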

Why are healthcare organizations frequent ransomware targets?
Healthcare organizations store highly sensitive patient data and often have limited cybersecurity resources due to budget constraints. The critical nature of healthcare operations creates pressure to pay ransoms quickly to restore services, making these organizations attractive targets for cybercriminals.

Should organizations pay ransoms if hit by Vect 2.0?
No. Due to the design flaw that permanently destroys files larger than 128KB, paying the ransom will not result in data recovery. Organizations should focus on restoring from backups and implementing stronger backup strategies to protect against future wiper attacks disguised as ransomware.

Sources

Digital Mind News
