VYPR
breach · Published Apr 29, 2026 · Updated May 20, 2026 · 2 sources

Critical cPanel Authentication Bypass CVE-2026-41940 Under Active Exploitation

A critical authentication bypass vulnerability in cPanel and WebHost Manager, CVE-2026-41940, is being actively exploited by threat actors to deploy backdoors and harvest credentials on a global scale.

A critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is currently being exploited by threat actors to take control of vulnerable servers. Security researchers at QiAnXin XLab report that the flaw is being leveraged to deploy a Go-based infector and a PHP web shell, enabling a wide range of malicious activities including ransomware deployment, cryptocurrency mining, and botnet propagation (The Hacker News).

The vulnerability allows remote attackers to bypass the control panel's authentication and gain unauthorized access to it. Once inside, attackers execute a shell script, typically retrieved with wget or curl, that downloads a Go-based infector from a remote server. The infector immediately entrenches the attacker's foothold by changing the root password to "123Qwe123C" and installing an SSH public key for persistent, long-term access (The Hacker News).

The attack chain further involves a PHP web shell that provides file management and remote command execution. Attackers use it to inject malicious JavaScript into the cPanel login page, turning the page into a credential-harvesting portal: submitted credentials are obfuscated with the ROT13 cipher and exfiltrated to an attacker-controlled system. The infector also harvests sensitive system data, such as bash history, database passwords, and SSH configurations, and sends it to a Telegram group managed by an actor identified as "0xWR" (The Hacker News).

The scale of the campaign is significant, with QiAnXin XLab observing over 2,000 unique attacker source IP addresses globally. These malicious nodes are distributed across several regions, with the highest concentrations of activity originating from the United States, Germany, Brazil, and the Netherlands. The ultimate payload, a backdoor codenamed "Filemanager," is cross-platform, capable of infecting Windows, macOS, and Linux environments (The Hacker News).

Attribution efforts point to a threat actor known as "Mr_Rot13," who appears to have operated with minimal detection for years. Evidence suggests the actor has been active since at least 2020, and infrastructure and samples linked to the current campaign appear in security telemetry as early as April 2022. Staying under the radar for roughly six years highlights the sophisticated, long-term nature of this operation (The Hacker News).

As exploitation continues, administrators are urged to prioritize patching their cPanel and WHM installations. The rapid weaponization of CVE-2026-41940 underscores the need for timely updates: the vulnerability is being used for everything from simple credential theft to the deployment of multi-stage backdoors. Organizations should check for unexpected changes to the root password, unfamiliar entries in root's authorized_keys, and unexpected PHP files on their servers. Patching does not remove an already-installed key or web shell, so a host showing any of these indicators needs incident response, not just an update.
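The three host-level indicators above can be checked mechanically. The following is an added example (not code from the article, from cPanel, or from the researchers it cites) that parses the relevant artifacts: the root entry's last-change day in /etc/shadow, SSH fingerprints of every key in root's authorized_keys compared against an allowlist, and PHP files newer than a chosen date from a find listing. All inputs are constructed samples; the hash in the shadow line, the key blobs and the file paths are placeholders.

```python
"""Host triage for the persistence artifacts described above: a reset root
password, an added SSH key, and newly dropped PHP files.

Added example, not code from the article, from cPanel, or from the researchers
it cites. Every input below is a constructed sample. On a real host pass it the
contents of /etc/shadow and /root/.ssh/authorized_keys and the output of:
    find /home /usr/local/cpanel -name '*.php' -printf '%T@ %p\n'
(the find command is shown in this comment so the backslash is literal)
"""
import base64
import hashlib
from datetime import date, datetime, timedelta, timezone

EPOCH = date(1970, 1, 1)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def shadow_last_change(shadow_text, user="root"):
    """Date the user's password was last set: /etc/shadow field 3 is days since
    1970-01-01. A change on a day you did not rotate root is the cheapest sign
    that something else did."""
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) > 2 and f[0] == user and f[2].isdigit():
            return EPOCH + timedelta(days=int(f[2]))
    return None


def parse_key(line):
    """(fingerprint, comment) for one authorized_keys line. The fingerprint is
    OpenSSH's SHA256:<unpadded base64> of the decoded key blob, so it matches
    `ssh-keygen -lf` output taken from a trusted baseline. Leading options such
    as no-pty or from= are skipped by locating the key-type token."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok.startswith(KEY_TYPES):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return fp, " ".join(parts[i + 2:])
    raise ValueError("not an OpenSSH public key line: %r" % line)


def unexpected_keys(authorized_keys_text, allowed_fingerprints):
    """Keys present in authorized_keys but absent from the allowlist."""
    findings = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fp, comment = parse_key(line)
            if fp not in allowed_fingerprints:
                findings.append((fp, comment))
    return findings


def recent_php_files(find_output, since_iso):
    """Paths from the find listing (epoch seconds, space, path per line) whose
    mtime is on or after the given ISO date. mtime is trivial to fake with
    touch, so when timestomping is suspected compare against ctime (%C@) too."""
    since = date.fromisoformat(since_iso)
    hits = []
    for line in find_output.splitlines():
        ts, _, path = line.strip().partition(" ")
        if ts and datetime.fromtimestamp(float(ts), timezone.utc).date() >= since:
            hits.append(path)
    return hits


def triage(shadow_text, authorized_keys_text, find_output, allowed, since_iso):
    """Run all three checks and return one report."""
    return {
        "root_password_last_set": shadow_last_change(shadow_text),
        "unexpected_keys": unexpected_keys(authorized_keys_text, allowed),
        "recent_php_files": recent_php_files(find_output, since_iso),
    }


# --- constructed samples (not captured from a real host) --------------------
def _blob(label):
    # Stand-in for a key blob; real blobs are the SSH wire encoding of the key,
    # but the fingerprint arithmetic is identical.
    return base64.b64encode(label.encode()).decode()


BASELINE_KEY = "ssh-ed25519 %s admin@ops" % _blob("admin-key")
INTRUDER_KEY = "no-pty ssh-rsa %s" % _blob("key-dropped-by-infector")
SAMPLE_SHADOW = "root:$6$saltsalt$constructedhash:20575:0:99999:7:::\nbin:*:19000:0:99999:7:::\n"
SAMPLE_AUTHORIZED_KEYS = "# constructed sample\n%s\n%s\n" % (BASELINE_KEY, INTRUDER_KEY)
SAMPLE_FIND = (
    "1714000000.0 /home/site/public_html/index.php\n"      # April 2024
    "1778400000.0 /home/site/public_html/.cache/x.php\n"   # May 2026
)

if __name__ == "__main__":
    allowed = {parse_key(BASELINE_KEY)[0]}
    report = triage(SAMPLE_SHADOW, SAMPLE_AUTHORIZED_KEYS, SAMPLE_FIND, allowed, "2026-04-01")
    for name, result in report.items():
        print("%-24s %s" % (name, result))
```

The allowlist is built from fingerprints, not raw key lines, so a key that was re-added with different options or a changed comment still matches, while a genuinely new key is flagged. Run it against a known-good snapshot taken before the patch window; if you have no snapshot, any root key you cannot attribute to a named administrator should be treated as the infector's.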

watchTowr Labs published a technical deep-dive into CVE-2026-41940, revealing that the authentication bypass stems from a session-loading flaw in Session.pm, Session/Load.pm, and Session/Encoder.pm. The patch moves a filter_sessiondata call inside saveSession to prevent CRLF injection that could allow attackers to manipulate session files and escalate privileges. The analysis confirms that all currently supported cPanel & WHM versions are affected, and KnownHost has verified active zero-day exploitation against the management plane of a significant portion of the internet.
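To make the flaw class concrete, here is an added example (not cPanel's code and not taken from watchTowr's write-up) modelling a line-oriented session store. The key=value-per-line layout, the "user" and "locale" fields, and this filter_sessiondata are assumptions that stand in for the real Session code; what it demonstrates is why filtering CR and LF at the point of saving, rather than at some of the callers, closes the injection.

```python
"""Toy model of CRLF injection into a line-oriented session store.
Added example; the key=value-per-line layout, the 'user' and 'locale' fields
and this filter_sessiondata are assumptions standing in for cPanel's real
Session code, not a copy of it."""

# A value the attacker can influence (here: a locale preference submitted to
# the panel) carrying an injected record. Both CRLF and bare LF must be handled.
ATTACKER_LOCALE = "en\r\nuser=root"


def save_session_vulnerable(fields):
    """Serialize one key=value record per line. Nothing strips line breaks
    from the values, so the injected text becomes a second 'user' record."""
    return "".join("%s=%s\n" % (k, v) for k, v in fields.items())


def filter_sessiondata(value):
    """Remove CR and LF so a value can never terminate its own record. Placing
    this inside the saver covers every caller, not only the code paths that
    remembered to filter their input before calling save."""
    return str(value).replace("\r", "").replace("\n", "")


def save_session_fixed(fields):
    """Same serializer with the filter applied at the sink."""
    return "".join(
        "%s=%s\n" % (filter_sessiondata(k), filter_sessiondata(v))
        for k, v in fields.items()
    )


def load_session(text):
    """Parse the file back. A repeated key takes the last value, which is the
    loader behaviour that makes an injected trailing record effective."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


def effective_user(save):
    """Round-trip a guest session whose locale carries the payload and report
    which user the loader believes owns it."""
    return load_session(save({"user": "guest", "locale": ATTACKER_LOCALE}))["user"]


if __name__ == "__main__":
    print("vulnerable saver loads user =", effective_user(save_session_vulnerable))  # root
    print("fixed saver loads user =", effective_user(save_session_fixed))            # guest
    print(repr(save_session_fixed({"locale": ATTACKER_LOCALE})))
```

Stripping the characters keeps the session usable but leaves the attacker's text inside the field; rejecting the save outright is the stricter choice when the field has no legitimate reason to contain line breaks. Either way the check belongs at the single serialization point, which is the structural change the page attributes to the patch.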

Synthesized by Vypr AI