Active Exploitation of cPanel CVE-2026-41940 Deploys Filemanager Backdoor Across 2,000+ Attacker IPs Globally
- May 12
- 3 min read
Key Findings
Critical cPanel vulnerability CVE-2026-41940 (CVSS 9.3) is being actively exploited in the wild to deploy the Filemanager backdoor
Over 2,000 malicious IPs from Germany, US, Brazil, Netherlands and other regions are conducting automated attacks
Threat actor Mr_Rot13 has been linked to the campaign, with evidence of operations dating back to at least 2020
Exploitation has led to cryptomining, ransomware deployment, botnet propagation, and credential theft
Southeast Asian government and military institutions were targeted, with 4.37 GB of sensitive data allegedly stolen
Detection tools and patches are now available from cPanel and watchTowr
Background
CVE-2026-41940 is an authentication bypass vulnerability affecting cPanel and WebHost Manager (WHM) versions after 11.40. A weakness in the login flow allows remote attackers to bypass authentication checks and gain unauthorized admin access to the control panel without valid credentials. This grants attackers the ability to manage hosting settings, access sensitive data, and take control of servers. watchTowr disclosed the flaw on April 28, 2026, and noted that exploitation began almost immediately.
Exploitation Timeline and Scale
In-the-wild exploitation of this vulnerability has been traced back to February 2026, months before the official disclosure. Since the public announcement in late April, the campaign has escalated dramatically. According to the Shadowserver Foundation, thousands of instances remain exposed. Namecheap imposed temporary access limits to mitigate risk for its customers. The geographic distribution of attacking infrastructure shows sophisticated coordination, with activity concentrated in Germany, the US, Brazil, and the Netherlands but spreading globally.
Technical Attack Chain
The exploitation flow begins with a shell script that uses wget or curl to download a Go-based infector from attacker-controlled servers. The infector, named "Payload" and written in Go with embedded Turkish-language log messages suggesting AI generation, performs multiple malicious functions. It installs SSH public keys for persistent access, deploys PHP webshells that facilitate file upload and download operations, and injects malicious JavaScript into cPanel login pages. The JavaScript captures login credentials and exfiltrates them to attacker infrastructure using ROT13 cipher encoding. Finally, the attack chain deploys Filemanager, a cross-platform backdoor supporting Windows, macOS, and Linux systems that enables remote command execution and file management.
The Filemanager Backdoor
Filemanager is a remote-access trojan that provides attackers with comprehensive control over compromised systems. The backdoor collects sensitive information including bash history, SSH data, device information, database passwords, and cPanel virtual aliases. This data is transmitted to a Telegram group controlled by attackers, using Telegram bots as a backup exfiltration channel. The malware supports file management, shell functionality, and remote command execution, making it a powerful persistence tool for attackers seeking long-term access.
Attribution to Mr_Rot13
Researchers linked the campaign to a suspected long-running threat actor called Mr_Rot13, which appears to have operated covertly since at least 2020. The attribution is based on shared infrastructure, command-and-control systems, and overlapping malware. Evidence shows the group has maintained extremely low detection rates across security products over six years of operation. A PHP backdoor called helper.php linked to Mr_Rot13 was uploaded to VirusTotal in April 2022 with nearly zero antivirus detections. The domain used in that backdoor was first registered in October 2020, extending the group's confirmed activity timeline back several years and suggesting a disciplined, professional operation.
Response and Defense
cPanel, watchTowr, and security researchers have released detection tools and artifacts to help organizations identify vulnerable hosts and signs of compromise. Patches are available for affected versions. Organizations are advised to immediately check their systems against these detection tools, apply available patches, and review logs for exploitation attempts. The presence of detection tools marks a significant collaborative effort between vendors and the security research community to contain the threat.
Sources
https://securityaffairs.com/192013/cyber-crime/attackers-exploit-cpanel-cve-2026-41940-to-deploy-filemanager-backdoor.html
https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html
https://www.linkedin.com/posts/thehackernews_more-than-2000-attacker-ips-worldwide-activity-7459662514386104320-6suy
https://www.reddit.com/r/SecOpsDaily/comments/1tabb41/cpanel_cve202641940_under_active_exploitation_to/

Comments