Stealthy Hackers Exploit cPanel Flaw in Active Backdoor Campaign (CVE-2026-41940)
A critical authentication bypass vulnerability in cPanel & WHM is being actively exploited by the threat group Mr_Rot13 to deploy web shells, steal credentials, and install remote-control trojans.

Security researchers at XLab have outlined an active attack campaign targeting CVE-2026-41940, the recently disclosed vulnerability in cPanel & WHM, and have linked it to a stealthy hacking group they've dubbed Mr_Rot13. The vulnerability, a critical authentication bypass, allows an attacker to log into a cPanel server without a username or password, effectively handing them administrator control over the cPanel host system, its configurations and databases, and the websites it manages.
Once attackers gain access to a vulnerable server, they deploy an "infector" that first changes the server's root password and plants a hidden login key so the attackers can return via SSH, then drops a PHP web shell into the cPanel system, allowing remote file browsing and command execution. The attackers also tamper with the cPanel login page itself, injecting code that secretly harvests every username and password and sends them to an attacker-controlled server. A cross-platform remote-control trojan dubbed "Filemanager" is then installed, giving the attackers an ongoing window into the compromised machine and the ability to manage it remotely. Database passwords, SSH keys, command history, and other data are exfiltrated both to the attackers' own servers and to a private Telegram group.
XLab's attribution work points to a group they've dubbed "Mr_Rot13", based on the Telegram account handle used by the group's apparent leader and on the text-scrambling technique the group uses to hide the address of its command and control (C2) server. The group's C2 domain (wrned.com) has been in active use since at least 2020, the researchers found. This, together with the fact that a PHP backdoor associated with that domain was uploaded to VirusTotal in 2022 and still has zero detections, led them to conclude that this is "a stable hacking group capable of operating covertly for years while remaining undiscovered."
Various threat actors have been exploiting CVE-2026-41940 to deploy ransomware and Mirai malware, and to steal data. XLab says more than 2,000 attacker-controlled IP addresses worldwide are currently running automated attacks against exposed servers, with traffic originating primarily from Germany, the United States, Brazil, and the Netherlands. Yutaka Sejiyama, Deputy Director of Macnica's Security Research Center, recently shared that 194 out of 1,692 publicly exposed cPanel/WHM servers in Japan have been hit with Sorry ransomware.
cPanel has been updating its security advisory with links to patches for various cPanel and WHM (Web Host Manager) versions and with new versions of a detection script. The campaign is ongoing, and XLab has shared indicators of compromise to help defenders identify and mitigate the threat. Organizations running exposed cPanel servers should apply the patches immediately and monitor for signs of compromise.