CVE-2026-41940 Exploitation Ransomware Attack
Hello cPanel Community,
I wanted to share my experience as a victim of CVE-2026-41940 exploitation, along with a detailed technical analysis of what happened, hoping this helps other server owners identify and recover from similar attacks.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HOW THE ATTACK WAS DISCOVERED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The attack was initially discovered through a cPanel/WHM error related to a missing JSON file. Upon investigation, we found clear evidence of a full server compromise. The first red flag was an unauthorized user account with UID=0 (root-level privileges) that we did not create.
Running basic security checks revealed:
- Unauthorized root-level user accounts created without our knowledge
- SSH backdoors planted on multiple non-standard ports (2222, 8080, 22000)
- Malicious SSH keys added to /root/.ssh/authorized_keys
- Evidence of lateral movement across the server
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHAT THE ATTACKER DID (Step by Step)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
By analyzing the bash history, we were able to reconstruct the complete attack chain:
INITIAL ACCESS via CVE-2026-41940
The attacker exploited the authentication bypass vulnerability to gain unauthenticated root access to WHM without any credentials.
PERSISTENCE & BACKDOORS
- Changed the root password
- Created a new user with UID=0 (same privileges as root)
- Added their SSH public key to authorized_keys
- Enabled password authentication on SSH
- Opened additional SSH ports (2222, 8080, 22000)
- Added sudo privileges to an existing cPanel user
RECONNAISSANCE
The attacker ran extensive recon scripts to gather:
- System information (/proc/version, uname)
- Network configuration (ip addr, netstat)
- SSH keys and configuration files
- Bash history files from all users
- Environment variables
- Running processes and open ports
CREDENTIAL THEFT
- Read /etc/shadow (all password hashes)
- Extracted all SSH private keys
- Searched for API keys (OpenAI, AWS, GitHub, Stripe, and others)
- Searched for database connection strings
MALWARE DEPLOYMENT - DDoS Bot
The attacker downloaded and executed a binary called 'nuclear.x86' multiple times:
- Downloaded from external malicious servers
- Executed immediately after download
- Deleted after execution to avoid detection
- This binary was used to launch DDoS attacks against external targets
- Our server was reported by our hosting provider for participating in DDoS attacks - this was actually how we first learned something was wrong
RANSOMWARE DEPLOYMENT
The most destructive phase:
- Downloaded and executed ransomware scripts from external servers
- ALL PHP files were encrypted with a .sorry extension
- ALL uploaded images and media files were encrypted
- ALL theme files were encrypted
- ALL plugin files were encrypted
- Over 44,000 files were encrypted in total
- A ransom demand was implied through the .sorry extension
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
IMPACT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
- Complete loss of all website files (themes, plugins, media)
- Server used as DDoS attack platform
- Credentials potentially compromised
- Two servers affected (the attack appears to have been automated and targeted multiple servers simultaneously)
- Complete server rebuild required
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HOW WE RECOVERED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Extracted database backup before destroying the compromised server
2. Restored files from an old snapshot (taken before the attack)
3. Built a completely new server with patched cPanel version
4. Updated all credentials (database, WordPress, cPanel)
5. Enabled SSL, Firewall, and additional security measures
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
IMPORTANT OBSERVATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. The attack was FULLY AUTOMATED - the entire attack chain from initial access to ransomware deployment happened within minutes
2. 2FA DID NOT HELP - CVE-2026-41940 bypasses both password AND two-factor authentication completely
3. The ransomware encrypted files with a .sorry extension
4. The attacker also searched specifically for AI API keys (Anthropic, OpenAI), cloud credentials (AWS), and payment processor keys (Stripe) - make sure to rotate ALL API keys if you were affected
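The indicators listed above (an extra UID 0 account, SSH on non-standard ports, password authentication re-enabled, a foreign key in authorized_keys, a sudo grant to a cPanel user, a binary deleted while still running, and files renamed with .sorry) can be checked mechanically. The following POSIX shell script is an added example, not code from the original post or from cPanel: each check takes the file or directory it inspects as an argument so it can be run against a mounted rescue image, and the fixture it builds (the account name `sysd`, the key material, the docroot layout) is constructed for the demo, not taken from the incident.

```shell
#!/bin/sh
# Added triage helper for the indicators described in the post. Not cPanel's
# code and not the poster's; the fixture below is constructed sample data.
set -eu

# Accounts with UID 0 besides root. Any hit is a backdoor on a cPanel host.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Port directives in sshd_config other than 22 (commented lines are ignored).
nonstandard_ssh_ports() {
    awk 'tolower($1) == "port" && $2 != 22 { print $2 }' "$1"
}

# Exit 0 when password logins are possible: the last global
# PasswordAuthentication value is "yes", or the directive is absent, which
# OpenSSH treats as "yes". Match blocks are not evaluated here.
password_auth_enabled() {
    v=$(awk 'tolower($1) == "passwordauthentication" { v = tolower($2) } END { print v }' "$1")
    [ -z "$v" ] || [ "$v" = "yes" ]
}

# Keys in an authorized_keys file ($2) whose key material is not in the
# allowlist ($1). Prints "<type> <comment>" per unknown key; option prefixes
# such as command="..." are skipped by locating the first key-type field.
unknown_authorized_keys() {
    awk '
        function keyidx(   i) { for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) return i; return 0 }
        FILENAME == ARGV[1] { i = keyidx(); if (i) known[$(i+1)] = 1; next }
        /^[[:space:]]*(#|$)/ { next }
        { i = keyidx(); if (i && !($(i+1) in known)) print $i, $(i+2) }
    ' "$1" "$2"
}

# User specifications in sudoers for anyone other than root or a group.
# On a cPanel host the expected set is usually empty, so every name printed
# needs a justification.
sudoers_grants() {
    awk '!/^[[:space:]]*(#|$)/ && $1 != "root" && $1 !~ /^%/ \
         && $1 !~ /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { print $1 }' "$1"
}

# Processes whose executable was unlinked after launch: the download, run,
# delete pattern the post describes for nuclear.x86. $1 is the proc root
# (/proc on a live host, where reading other users' exe links needs root).
# Prints "<pid> <path> (deleted)".
deleted_running_binaries() {
    for exe in "$1"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            *' (deleted)') pid=${exe%/exe}; printf '%s %s\n' "${pid##*/}" "$target" ;;
        esac
    done
}

# Number of files under a docroot carrying the .sorry extension.
sorry_file_count() {
    find "$1" -type f -name '*.sorry' | wc -l | tr -d ' '
}

# Constructed fixture reproducing the post's findings under directory $1.
make_fixture() {
    d=$1
    mkdir -p "$d/www/wp-content/uploads" "$d/proc/1" "$d/proc/4242"
    printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\nsysd:x:0:0::/root:/bin/bash\nalice:x:1001:1001::/home/alice:/bin/bash\n' > "$d/passwd"
    printf '#Port 22\nPort 22\nPort 2222\nPort 8080\nPort 22000\nPasswordAuthentication no\nPasswordAuthentication yes\n' > "$d/sshd_config"
    printf 'ssh-ed25519 AAAAC3known admin@workstation\n' > "$d/allowlist"
    printf 'ssh-ed25519 AAAAC3known admin@workstation\n# comment\ncommand="/bin/true" ssh-rsa AAAAB3evil root@attacker\n' > "$d/authorized_keys"
    printf 'Defaults env_reset\nroot ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\nshopuser ALL=(ALL) NOPASSWD: ALL\n' > "$d/sudoers"
    ln -s /usr/sbin/sshd "$d/proc/1/exe"
    ln -s '/tmp/nuclear.x86 (deleted)' "$d/proc/4242/exe"   # fake readlink target
    : > "$d/www/index.php.sorry"
    : > "$d/www/wp-content/uploads/logo.png.sorry"
    : > "$d/www/readme.txt"
}

# Stand-alone demo against the fixture; point the functions at /etc/passwd,
# /etc/ssh/sshd_config, /root/.ssh/authorized_keys, /etc/sudoers, /proc and
# the account docroots on a real host.
tmp=$(mktemp -d)
make_fixture "$tmp"
echo "UID 0 accounts besides root:"; extra_uid0_accounts "$tmp/passwd"
echo "Non-standard SSH ports:"; nonstandard_ssh_ports "$tmp/sshd_config"
if password_auth_enabled "$tmp/sshd_config"; then echo "Password authentication: ENABLED"; fi
echo "Unknown authorized keys:"; unknown_authorized_keys "$tmp/allowlist" "$tmp/authorized_keys"
echo "Sudo grants to review:"; sudoers_grants "$tmp/sudoers"
echo "Running but deleted binaries:"; deleted_running_binaries "$tmp/proc"
echo "Encrypted (.sorry) files: $(sorry_file_count "$tmp/www")"
rm -rf "$tmp"
```

Findings from this script are only a starting point: once a UID 0 account or a deleted-but-running binary is confirmed, the host should be treated as untrusted and rebuilt, as the post did, rather than cleaned in place.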
-
I would add that it is also very important to update the kernel (CVE-2026-31431, "Copy Fail"). Together they are a serious threat.
cPRex
It would be nice to also post an announcement for the CVE-2026-31431 vulnerability since the exploit is public and apparently also simple.