cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor Ravie Lakshmanan May 11, 2026 Vulnerability / Ransomware A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940 , a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.
According to a new report from QiAnXin XLab, the security defect has been exploited by a number of threat actors shortly after its public disclosure late last month, resulting in malicious behaviors like cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation. "Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability," XLab researchers said. "These IPs are distributed across multiple regions globally, primarily originating from Germany, the United States, Brazil, the Netherlands, and other regions." Further analysis of the ongoing exploitation activity has uncovered a shell script that uses wget or curl to download a Go-based infector from a remote server ("cp.dene.[de[.]com") that first modifies the compromised cPanel system's root password to "123Qwe123C," plants an SSH public key for persistent access, and then drops a PHP web shell that facilitates file upload/download and remote command execution.
The web shell is then used to inject JavaScript code to serve a customized login page to steal login credentials and siphon them to an attacker-controlled system that's encoded using the ROT13 cipher (" wrned[.]com "). Once the details are transmitted, the attack chain culminates with the deployment of a cross-platform backdoor that's capable of infecting Windows, macOS, and Linux systems. The infector is also equipped to collect sensitive information from the compromised host, including bash history, SSH data, device information, database passwords, and cPanel virtual aliases (aka valiases), to a 3-member Telegram group created by a user named "0xWR." In the infection sequence analyzed by XLab, Filemanager is delivered via a shell script downloaded from the "wpsock[.]com" domain.
The backdoor supports file management, remote command execution, and shell functionality. There are signs that the threat actor behind the operation has been operating silently in the shadows for years. This assessment is based on the fact that the command-and-control (C2) domain embedded in the JavaScript code has been put to use in a PHP-based backdoor (" helper.php ") that was uploaded to the VirusTotal platform in April 2022.
The domain was first registered in October 2020. "Over the six years from 2020 to the present, the detection rate of Mr_Rot13's related samples and infrastructure across security products has remained extremely low," XLab said. Found this article interesting? Follow us on Google News , Twitter LinkedIn to read more exclusive content we post. Tweet Share Share Share Authentication bypass , Backdoor , botnet , cPanel , Credential Theft , Cryptomining , cybersecurity , ransomware , Vulnerability , WebHost Manager ⚡ Top Stories This Week 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign Trellix Confirms Source Code Breach With Unauthorized Repository Access ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise 2026: The Year of AI-Assisted Attacks Day Zero Readiness: The Operational Gaps That Break Incident Response We Scanned 1 Million Exposed AI Services.
Here's How Bad the Security Actually Is ⭐ Featured Resources [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks [Guide] Get Practical AI SOC Insights to Improve Threat Detection [Demo] Discover How to Control Autonomous Identity Risks Effectively [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster Cybersecurity Webinars Building Stronger Defenses Stop Patient Zero Attacks Before They Bypass Detection Learn how to stop patient zero attacks before they bypass detection and compromise your systems at entry points.
Register Reduce AppSec Risk Validate Real Attack Paths Before Attackers Exploit Them Learn how to validate real attack paths and reduce exploitable risk with continuous agentic security validation. ⚡ Latest News Cybersecurity Resources Build Security Strategy That Earns Executive Buy-In — SANS LDR514, NYC SANS LDR514 in NYC, Aug 10–15: policy, risk frameworks, board communication, and strategic leadership.
Your VPN is Helping Attackers Move as Fast as AI AI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk Management Lead the future of cybersecurity risk management with an online Master’s from Georgetown. Expert Insights Articles Videos From Phishing to Recovery: Breaking the Ransomware Attack Chain May 04, 2026 Read ➝ Mythos is Coming: What the Next Six Months Require Your Biggest Security Risk Isn’t Malware — It's What You Already Trust CTM360 Exposes Global GovTrap Campaign With 11,000+ Fake Government Portals Targeting Citizens Worldwide April 27, 2026 Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.