cPanel CVE-2026-41940 Under Active Exploitation - Filemanager Backdoor
Security researchers at QiAnXin XLab have identified active exploitation of CVE-2026-41940, a critical authentication bypass vulnerability affecting cPanel and WebHost Manager (WHM). The threat actor designated "Mr_Rot13" has been leveraging this flaw to deploy a sophisticated backdoor named "Filemanager" on compromised servers. According to XLab's monitoring data, over 2,000 attacker source IPs worldwide are currently conducting automated attacks targeting this vulnerability, with the majority originating from Germany, the United States, Brazil, and the Netherlands. Organizations running cPanel/WHM should immediately audit their installations for signs of compromise using tools like our port scanner to identify unauthorized access.
The attack chain begins when threat actors exploit CVE-2026-41940 to gain initial access, followed by deployment of a shell script that uses wget or curl to download a Go-based infector from the command-and-control domain "cp.dene.[de.]com". This infector implants compromised cPanel systems with SSH public keys for persistent access and drops a PHP web shell that provides file upload/download and remote command execution. The web shell then injects JavaScript code to serve a customized phishing login page; the credentials it steals are ROT13-encoded and exfiltrated to "wrned[.]com". Attackers also collect sensitive data including bash history, SSH keys, device information, database passwords, and cPanel virtual aliases (valiases), transmitting everything to a 3-member Telegram group operated by a user identified as "0xWR."
The Filemanager backdoor, delivered via "wpsock[.]com," provides file management capabilities, remote command execution, and shell functionality across Windows, macOS, and Linux platforms. XLab's analysis reveals this threat actor has operated covertly since at least 2020, with the C2 domain embedded in the malicious JavaScript first appearing in a PHP backdoor ("helper.php") uploaded to VirusTotal in April 2022. Notably, the detection rate across security products has remained extremely low over six years. Security teams should use our WHOIS lookup tool to investigate suspicious domains and conduct thorough email breach checker scans for any potentially compromised credentials associated with cPanel installations.
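The report describes three artifacts a defender can look for on a cPanel host: the C2 domains, an SSH public key implanted in authorized_keys, and credential exfiltration wrapped in ROT13. The following Python script is an added example, not code from XLab or from the page, that checks for each of them. It takes the domains exactly as the report defangs them, compares authorized_keys fingerprints against an approved set, and decodes ROT13 query values in an egress log. The sample keys, the log lines and their `<timestamp> <client-ip> <method> <url>` layout are constructed here, and the assumption that the ROT13 payload travels in a URL query parameter is mine; the report only states the encoding.

```python
import base64
import codecs
import hashlib
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# C2 domains exactly as the XLab report quoted above writes them (defanged).
DEFANGED_IOC_DOMAINS = ["cp.dene.[de.]com", "wrned[.]com", "wpsock[.]com"]


def refang(indicator: str) -> str:
    """Strip defanging brackets so an indicator can be matched against live data."""
    return indicator.replace("[", "").replace("]", "")


IOC_DOMAINS = [refang(d) for d in DEFANGED_IOC_DOMAINS]
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Words that make a decoded query value look like a posted login form.
CREDENTIAL_HINT = re.compile(r"(pass|pwd|secret|token|login|user)\s*[=:]", re.IGNORECASE)


def find_ioc_references(text: str) -> list[str]:
    """Report-listed C2 domains present in a web file, login template or log chunk."""
    lowered = text.lower()
    return [d for d in IOC_DOMAINS if d in lowered]


def ssh_key_fingerprint(authorized_keys_line: str) -> Optional[str]:
    """SHA256 fingerprint of one authorized_keys entry, in the form `ssh-keygen -lf` prints."""
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields):          # skip any leading options such as from="..."
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("=")
    return None


def audit_authorized_keys(lines: list[str], approved: set[str]) -> list[str]:
    """Entries whose fingerprint is not on the approved list; an implanted key lands here."""
    unknown = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = ssh_key_fingerprint(line)
        if fp is None or fp not in approved:
            unknown.append(line)
    return unknown


def rot13_credential_leak(request_url: str) -> Optional[str]:
    """Decode every ROT13 query value; return the decoded text if it reads like credentials."""
    for values in parse_qs(urlsplit(request_url).query).values():
        for value in values:
            decoded = codecs.decode(value, "rot13")
            if CREDENTIAL_HINT.search(decoded):
                return decoded
    return None


def scan_egress_log(lines: list[str]) -> list[dict]:
    """Flag outbound requests to report-listed domains or carrying ROT13-wrapped credentials.
    Assumed (constructed) log shape: '<timestamp> <client-ip> <method> <url>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        hit = {"line": line, "ioc_domains": find_ioc_references(urlsplit(url).hostname or "")}
        leak = rot13_credential_leak(url)
        if leak:
            hit["decoded_rot13"] = leak
        if hit["ioc_domains"] or leak:
            findings.append(hit)
    return findings


def _constructed_pubkey(fill: int, comment: str) -> str:
    """Syntactically valid (not cryptographically meaningful) ed25519 public key line."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data; none of it comes from a real host.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys",
    _constructed_pubkey(0x01, "admin@workstation"),
    _constructed_pubkey(0x02, "root@unknown"),
]
SAMPLE_EGRESS_LOG = [
    "2026-05-01T10:00:01Z 203.0.113.5 GET https://example.org/?q=uryyb",
    "2026-05-01T10:00:07Z 203.0.113.5 GET https://wrned.com/c.php?d=hfre%3Dnqzva%26cnff%3DFrperg1",
    "2026-05-01T10:00:09Z 203.0.113.5 GET http://wpsock.com/fm",
]

if __name__ == "__main__":
    approved = {ssh_key_fingerprint(SAMPLE_AUTHORIZED_KEYS[1])}
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, approved):
        print("unapproved SSH key:", entry.split()[-1])
    for finding in scan_egress_log(SAMPLE_EGRESS_LOG):
        print("suspicious egress:", finding)
```

On a real host, feed `/root/.ssh/authorized_keys` and each account's `~/.ssh/authorized_keys` to `audit_authorized_keys` with the fingerprints you already trust, run `find_ioc_references` over the cPanel login templates and any recently modified PHP files, and point `scan_egress_log` at whatever proxy or firewall log records outbound URLs. A fingerprint allow-list is deliberately used instead of a key deny-list: the report does not publish the implanted key, and an allow-list catches any key you did not put there.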