cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
A critical vulnerability in cPanel and WebHost Manager (WHM) is being actively exploited by a threat actor to deploy a backdoor named Filemanager.
A critical vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is being actively exploited in the wild. The threat actor, identified as Mr_Rot13, is leveraging this flaw to bypass authentication mechanisms and gain elevated control over compromised hosting environments [The Hacker News].
Once access is obtained, the attacker deploys a backdoor named "Filemanager." This backdoor allows the threat actor to maintain persistent access, execute arbitrary commands, and potentially exfiltrate sensitive data or host malicious content from the compromised servers. The vulnerability poses a severe risk to web hosting providers and their customers who rely on cPanel for server management [The Hacker News].
Administrators are urged to apply the latest security patches provided by cPanel immediately to mitigate the risk of exploitation. Organizations should also conduct thorough forensic reviews of their servers to check for the presence of the Filemanager backdoor or other indicators of compromise associated with this campaign. Monitoring server logs for unusual authentication attempts is highly recommended.