EMPSurvive
Prepare. Protect. Prevail.
cPanel Zero-Day Actively Exploited by 'Sorry' Ransomware Campaign
INTEL FLASH

A critical vulnerability in cPanel is being mass-exploited in the wild by ransomware operators. The flaw gives attackers direct access to hosting infrastructure affecting thousands of websites and small businesses.

Morgan Reed

BleepingComputer has reported that a critical cPanel flaw is currently being actively exploited by the 'Sorry' ransomware gang in mass-scale attacks. The vulnerability provides direct entry to web hosting control panels—systems that manage email, domains, files, and databases for entire businesses.

Why this matters: cPanel is one of the internet's most widely deployed web hosting management platforms. A critical flaw here doesn't just compromise one system—it can expose entire hosting accounts, client data, and backups simultaneously. Ransomware operators understand this leverage: they can encrypt customer data, demand payment from both the hosting provider and affected businesses, and threaten to leak sensitive information.

The 'Sorry' campaign's choice to mass-exploit a cPanel vulnerability signals operational efficiency on the attacker's side—automated scanning, exploitation, and deployment at scale. This is not a surgical, targeted attack; this is spray-and-pray infrastructure compromise.

For preparedness context: hosting compromise creates a cascading failure scenario. If your business, email, or web presence runs on a vulnerable cPanel server, you lose control of your digital operations—not just your website, but customer communications, transaction records, and recovery backups if the attacker chains backup deletion into the attack.

Small and mid-market businesses relying on shared hosting are at highest immediate risk, but even dedicated cPanel installations are exposed if patches haven't been applied.

The fact that this is already in active exploitation means the discovery-to-weaponization cycle is complete. Closing the patching lag is now the only defense. Organizations managing cPanel infrastructure—or relying on hosting providers running it—should verify patch status immediately with their providers or internal teams.

Written by

Morgan Reed

Survival Systems Specialist

Cybersecurity consultant and survival systems specialist with over a decade of experience in EMP preparedness, electronic hardening, and off-grid living strategies. Morgan has helped thousands of families develop comprehensive protection plans against electromagnetic threats.
