cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
TL;DR — Threat actor Mr_Rot13 is actively exploiting CVE-2026-41940, a critical authentication bypass in cPanel and WebHost Manager, to deploy a cross-platform backdoor called Filemanager. More than 2,000 attacker source IPs worldwide are involved in automated exploitation. The attack chain combines SSH key implantation, PHP web shells, and credential theft to establish persistent access on compromised hosting environments.
What happened
QiAnXin XLab has documented active exploitation of CVE-2026-41940 by the threat actor Mr_Rot13 and multiple other attackers following the vulnerability's public disclosure. The flaw allows authentication bypass and grants remote attackers elevated control of cPanel and WebHost Manager control panels.
The exploitation chain begins with a shell script that downloads a Go-based infector from cp.dene.[de[.]com using wget or curl. Once executed, the infector implants an SSH public key into the compromised cPanel system to establish persistent SSH access. Simultaneously, it deploys a PHP web shell that enables file upload/download operations and remote command execution.
The PHP web shell injects JavaScript that serves a customized login page designed to harvest administrator credentials. Captured credentials are ROT13-encoded and exfiltrated to wrned[.]com. After credential theft, the attack proceeds to deploy Filemanager, a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems. In the infections analyzed by XLab, Filemanager is delivered via a shell script downloaded from wpsock[.]com.
The backdoor collects sensitive data from compromised hosts, including bash history, SSH session data, device information, database passwords, and cPanel virtual aliases (valiases). This harvested information is sent to a Telegram group containing three members, operated by a user identified as "0xWR."
According to XLab monitoring data, more than 2,000 attacker source IPs are currently engaged in automated attacks targeting CVE-2026-41940. These IPs originate primarily from Germany, the United States, Brazil, the Netherlands, and other regions globally. The report attributes malicious activities including cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation to exploitation of this vulnerability, though the report does not specify which activities are attributed specifically to Mr_Rot13 versus other threat actors.
Mr_Rot13 has maintained low visibility across the threat landscape for approximately six years. XLab notes that the command-and-control domain embedded in the current attack's JavaScript code was previously used in a PHP backdoor (helper.php) uploaded to VirusTotal in April 2022. Domain registration records indicate first registration in October 2020.
Why it matters
For Moroccan and MENA-region hosting providers, developers, and system administrators, this vulnerability is an immediate operational risk. Any unpatched cPanel or WHM installation is a potential entry point for persistent backdoor deployment. The multi-stage chain (authentication bypass, then SSH key persistence, then credential harvesting, then cross-platform backdoor delivery) is built to survive reboots, password resets, and account changes.
The involvement of 2,000+ attacker IPs indicates broad, automated scanning and exploitation activity. Organizations running cPanel should anticipate sustained scanning pressure if they remain unpatched. The persistent SSH access component is particularly significant: once an SSH public key is implanted, the attacker maintains access independent of panel credential rotations or password resets, complicating containment and recovery.
The exfiltration of cPanel valiases, database passwords, and SSH data enables lateral movement to downstream systems managed through the compromised panel, and hosting environments with many customer accounts face cascading compromise. Mr_Rot13's low visibility over roughly six years also suggests that signature-based defenses alone are insufficient; behavioral detection and network monitoring become critical.
Affected systems and CVEs
- cPanel — CVE-2026-41940
- WebHost Manager (WHM) — CVE-2026-41940
The specific version numbers of cPanel and WHM affected by CVE-2026-41940 are not stated in the advisory.
What to do
- Apply the fix — Apply the vendor update for CVE-2026-41940 to every cPanel and WebHost Manager host as soon as it is available, and verify deployment across all hosting infrastructure. Patching closes the entry point but does not remove persistence already established; treat any host that was exposed while unpatched as potentially compromised and run the checks below.
- Audit existing SSH keys — Review authorized SSH public keys on all cPanel systems, particularly system-level keys, and remove any suspicious or unrecognized key. Compare key material against a known-good list rather than relying on file timestamps, which an attacker can reset.
- Scan for web shells — Search the file system for PHP files named helper.php or other anomalous web shell files. Focus on cPanel-accessible directories and document roots.
- Monitor network connections — Block outbound traffic to the known C2 domains, particularly wrned[.]com, cp.dene.[de[.]com, and wpsock[.]com, and review firewall and DNS logs for connection attempts to them.
- Review access logs — Examine cPanel access logs, Apache/Nginx logs, and SSH authentication logs for unauthorized file uploads, command execution, or login attempts from unfamiliar source IPs. The reported sources are concentrated in Germany, the United States, Brazil, and the Netherlands but span the globe, so geography alone is not a reliable filter.
- Inspect for SSH public key persistence — Examine /root/.ssh/authorized_keys and the user-level .ssh directories of every account, including cPanel users, for keys added after the vulnerability's public disclosure.
- Monitor Telegram communication — Where your security tooling allows, watch for outbound Telegram API traffic from hosting servers, which may indicate active data exfiltration.
- Segment hosting environments — Isolate compromised systems from production databases and other infrastructure until forensic analysis is complete.
Open questions
- The source does not specify which versions of cPanel and WHM are affected by CVE-2026-41940 or whether patches had been released as of the report date.
- It is unclear whether the cryptocurrency mining, ransomware, and botnet propagation attributed to CVE-2026-41940 exploitation are activities of Mr_Rot13 specifically or of the broader pool of 2,000+ attacker IPs.
- The report does not indicate how soon after public disclosure exploitation began, or whether there was a lag between announcement and active exploitation.
- Technical details and capabilities of the Telegram group operator "0xWR" beyond group membership are not provided.
- The advisory does not specify whether the Go-based infector and PHP web shell components are exclusive to Mr_Rot13 or have been adopted by other threat actors in the broader exploitation campaign.
Source
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor


