

Ethical Hacking News

cPanel Backdoor Implantation: The Rise of Mr_Rot13's Filemanager Trojan



A critical vulnerability in cPanel has been exploited by a threat actor known as Mr_Rot13, who has successfully deployed a backdoor codenamed Filemanager on compromised environments. The attack enables remote attackers to gain elevated control of the system and facilitates various malicious activities such as cryptocurrency mining, ransomware attacks, botnet propagation, and unauthorized file management.


  • Critical vulnerability CVE-2026-41940 in cPanel and WebHost Manager (WHM) has been exploited by Mr_Rot13.
  • Attack enables remote attackers to gain elevated control of the cPanel system, facilitating various malicious activities.
  • Backdoor allows for cryptocurrency mining, ransomware attacks, botnet propagation, and unauthorized file management.
  • Mr_Rot13's command-and-control (C2) domain was registered in October 2020 and used in a PHP-based backdoor since April 2022.
  • Over 2,000 attacker source IPs worldwide are involved in automated attacks targeting this vulnerability.
  • Filemanager backdoor can infect Windows, macOS, and Linux systems, making it a versatile tool for cybercriminals.
  • The campaign underlines the importance of keeping software up to date and patched, and of robust cybersecurity measures to prevent such attacks.



    The threat landscape has witnessed numerous cyber attacks in recent years, with hackers continually seeking innovative ways to bypass security measures and exploit vulnerabilities. Recently, a critical vulnerability in cPanel and WebHost Manager (WHM), CVE-2026-41940, has been exploited by a threat actor known as Mr_Rot13, who has successfully deployed a backdoor codenamed Filemanager on compromised environments. The attack, which is currently under active exploitation, enables remote attackers to gain elevated control of the cPanel system.

    The vulnerability in question is a critical flaw that can result in an authentication bypass and allow malicious actors to access sensitive information within the system. Once exploited, Mr_Rot13's Filemanager backdoor facilitates various malicious activities such as cryptocurrency mining, ransomware attacks, botnet propagation, and unauthorized file management. Furthermore, the backdoor allows remote attackers to steal login credentials by injecting JavaScript code that serves a customized login page.

    The threat actor behind the operation has been identified as Mr_Rot13, who is believed to have been operating in the shadows for years. The command-and-control (C2) domain used in the attack has been registered since October 2020 and was first put to use in a PHP-based backdoor uploaded to VirusTotal in April 2022. Mr_Rot13's related samples and infrastructure have nonetheless kept extremely low detection rates across security products.

    Monitoring data from QiAnXin XLab reveals that over 2,000 attacker source IPs worldwide are currently involved in automated attacks targeting this vulnerability. These IPs are distributed across multiple regions globally, primarily originating from Germany, the United States, Brazil, the Netherlands, and other regions. The attack sequence involves a shell script that downloads a Go-based infector from a remote server ("cp.dene.[de[.]com"); the infector is designed to implant an SSH public key on the compromised cPanel system for persistent access.
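
    Because the infector persists through an implanted SSH public key, one practical check is to audit every authorized_keys file against an inventory of approved keys. The following is an added example, not code from the article or from XLab; the article does not publish the attacker's key, so the allowlist approach, the function names and the sample keys are all assumptions made for illustration.

```python
import base64
import hashlib
import shlex
import sys

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, unpadded base64."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return "UNPARSEABLE"            # never allowlisted, so always reported
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_line(line):
    """Return (keytype, blob, comment), or None for blank, comment or non-key lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)      # keeps quoted options such as command="a b" whole
    except ValueError:                  # unbalanced quote, e.g. an apostrophe in the comment
        tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def audit(text, allowed):
    """Return (lineno, keytype, fingerprint, comment) for each key not in `allowed`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed:
            keytype, blob, comment = parsed
            fp = fingerprint(blob)
            if fp not in allowed:
                findings.append((lineno, keytype, fp, comment))
    return findings

KNOWN = base64.b64encode(b"constructed-admin-key").decode()    # constructed blobs,
ROGUE = base64.b64encode(b"constructed-unknown-key").decode()  # not real keys
SAMPLE = f'# ops\nssh-ed25519 {KNOWN} admin@example\ncommand="echo hi",no-pty ssh-rsa {ROGUE} x\n'

if __name__ == "__main__":
    allowed = {fingerprint(KNOWN)}      # assumption: replace with your approved fingerprints
    print("sample:", audit(SAMPLE, allowed))
    for path in sys.argv[1:]:           # e.g. /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
        with open(path, errors="replace") as fh:
            print(path, audit(fh.read(), allowed))
```

    The fingerprints it prints use the same SHA256 format as `ssh-keygen -lf`, so a flagged key can be cross-checked against that tool's output before removal.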

    Once the backdoor is deployed, it allows remote attackers to execute various malicious activities such as file management, remote command execution, and shell functionality. Moreover, the Filemanager backdoor is capable of infecting Windows, macOS, and Linux systems, making it a versatile tool for cybercriminals. The infector also collects sensitive information from the compromised host, including bash history, SSH data, device information, database passwords, and cPanel virtual aliases (aka valiases), to be transmitted to a 3-member Telegram group created by a user named "0xWR".

    The deployment of this backdoor highlights the importance of keeping software up-to-date and patched. Moreover, it emphasizes the need for robust cybersecurity measures, including regular security audits and vulnerability assessments, to prevent such attacks from happening in the future.

    In light of this threat, system administrators and users are advised to exercise extreme caution when dealing with cPanel and WebHost Manager systems. They should ensure that all software is updated regularly, use strong passwords, and implement additional security measures to prevent unauthorized access. Furthermore, they should be vigilant for signs of suspicious activity and report any concerns to their system administrators promptly.

    In conclusion, the Filemanager backdoor deployment by Mr_Rot13 serves as a stark reminder of the ongoing threat landscape in cybersecurity. As threats evolve, so must our defenses. It is imperative that we remain proactive in protecting ourselves against such attacks, using the latest security tools and best practices to prevent vulnerabilities from being exploited.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cpanel-Backdoor-Implantation-The-Rise-of-MrRot13s-Filemanager-Trojan-ehn.shtml

  • https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html

  • https://cyberunit.com/insights/cpanel-vulnerability-cve-2026-41940-business-impact/


  • Published: Mon May 11 14:10:22 2026 by llama3.2 3B Q4_K_M












