
cPanel CVE-2026-41940 Mass-Exploited by Multiple Threat Actors Including Ransomware Groups

  • Shipped
  • Action required
  • High importance

What began as an actively exploited cPanel authentication bypass (CVSS critical) has evolved into a large-scale crisis. Multiple distinct threat actors are now mass-exploiting CVE-2026-41940: website defacement campaigns are running at scale, a Go-based ransomware strain named 'Sorry' is encrypting hosts and appending a .sorry extension to files, and espionage actors have been confirmed targeting government entities in South-East Asia alongside MSPs in the Philippines, Laos, Canada, South Africa, and the United States.

Censys has identified 8,859 hosts with open directories containing .sorry-encrypted files; confirmed compromised cPanel instances now total at least 44,000. This escalation makes immediate patching mandatory for any operator running cPanel.

The authentication bypass allows unauthenticated attackers to gain access to administrative interfaces, and exploitation chains are leveraging that access to deploy ransomware payloads and establish persistent footholds for espionage operations. All cPanel administrators must apply the available patch without delay and audit hosts for indicators of compromise, including unexpected .sorry-extension files, unauthorized user accounts, or anomalous outbound traffic patterns.
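For the file-based indicator in the audit step above, the following is an added example (not code from cPanel or from this advisory's sources) that summarises files ending in .sorry per top-level directory, with the earliest and latest modification times as a rough window for when encryption ran. The default root `/home` and the function names `scan` and `report` are assumptions; modification times can be altered, so treat the window as approximate.

```python
"""Added example: summarise *.sorry files per top-level (account) directory."""
import os
import sys
from datetime import datetime, timezone

SUFFIX = ".sorry"  # extension the advisory says the ransomware appends


def scan(root):
    """Return {top_dir: {count, first, last, sample}} for SUFFIX files under root."""
    root = os.path.abspath(root)
    hits = {}
    # followlinks=False: never leave the tree through a symlinked directory
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            if not name.lower().endswith(SUFFIX):  # case-insensitive on purpose
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime  # lstat: do not follow file symlinks
            except OSError:
                continue  # file vanished or is unreadable; keep scanning
            rel = os.path.relpath(path, root)
            top = rel.split(os.sep, 1)[0] if os.sep in rel else "."
            h = hits.setdefault(top, {"count": 0, "first": mtime, "last": mtime, "sample": rel})
            h["count"] += 1
            if mtime < h["first"]:
                h["first"], h["sample"] = mtime, rel  # remember the earliest file
            h["last"] = max(h["last"], mtime)
    return hits


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def report(hits):
    """One tab-separated line per affected directory, most files first."""
    ranked = sorted(hits.items(), key=lambda kv: -kv[1]["count"])
    return [f"{top}\t{h['count']} files\tfirst={_iso(h['first'])}\t"
            f"last={_iso(h['last'])}\tearliest={h['sample']}" for top, h in ranked]


if __name__ == "__main__":
    # /home is an assumed default location for account data; pass another root as argv[1]
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    lines = report(scan(root))
    print("\n".join(lines) if lines else f"no {SUFFIX} files under {root}")
    sys.exit(1 if lines else 0)  # non-zero exit when indicators are present
```

The non-zero exit status when matches exist lets the script be wired into a scheduled check or a fleet-wide run that collects only the hosts needing triage.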