Threat Advisory

cPanel Vulnerability Under Active Exploitation

Threat: Vulnerability/Malware
Threat Actor Name: Mr_Rot13
Targeted Region: Southeast Asia
Targeted Sector: Technology & IT, Government & Defense
Criticality: High

EXECUTIVE SUMMARY

A threat actor known as Mr_Rot13 has been actively exploiting the high-severity unauthenticated authentication bypass vulnerability CVE-2026-41940 affecting cPanel & WHM. This vulnerability has a CVSS score of 9.8 and allows an unauthenticated remote attacker to gain administrator privileges on the affected server. The threat actor's goal is unclear, but the exploitation of this vulnerability has been linked to a range of malicious activities, including data theft, ransomware, and backdoor implantation.

The malware used in this attack is a Go-written infector that embeds a large number of Turkish-language log messages, which appear to be AI-generated. The infector's main functions include implanting an SSH public key and malicious PHP and JavaScript code, stealing login credentials, and sending the stolen information back to a Telegram group controlled by the attackers. The infector also deploys a remote-control trojan named "filemanager," a cross-platform backdoor that supports the three mainstream operating systems: Darwin, Linux, and Windows.

The Filemanager backdoor provides the attacker with a channel for remotely managing the compromised system via a Web page. It supports file management, remote command execution, and an interactive shell. The Filemanager backdoor also collects sensitive information from the compromised system, including bash history, SSH data, device information, database passwords, and the cPanel valiases configuration, and sends it back to the attacker's server. Mr_Rot13's operational timeline extends back to at least 2022, and the group has been linked to a range of malicious activities, including backdoor implantation and data theft.
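As an added hunting example (not code from this advisory or from the reports it cites), the following Python script audits OpenSSH authorized_keys files for public keys that are not on a known-good fingerprint allowlist, which is one way to check for the SSH key implant described above. The /root and /home/*/.ssh locations and the allowlist format are assumptions.

```python
import base64
import glob
import hashlib

# Assumed locations of authorized_keys on a cPanel/WHM host (root and account homes).
KEY_FILE_GLOBS = ["/root/.ssh/authorized_keys", "/home/*/.ssh/authorized_keys"]
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(line: str):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None."""
    fields = line.split()
    # Entries may carry options (command="...", from="...") before the key type;
    # the base64 key blob is the field right after the key-type token.
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("=")
    return None

def unexpected_keys(text: str, allowlist: set):
    """(line_no, fingerprint, comment) for every key entry not on the allowlist."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = fingerprint(line)  # None marks an unparseable, therefore suspicious, entry
        if fp not in allowlist:
            hits.append((n, fp, line.split()[-1]))
    return hits

def audit_host(allowlist: set):
    """Report unexpected keys per authorized_keys file found at the assumed paths."""
    report = {}
    for path in (p for g in KEY_FILE_GLOBS for p in glob.glob(g)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = unexpected_keys(fh.read(), allowlist)
        if hits:
            report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in audit_host(set()).items():  # empty allowlist: list every key
        print(path, hits)
```

Populate the allowlist from `ssh-keygen -lf` output for the keys you expect on the host; every hit, and especially one carrying a `command=` option, warrants review.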

THREAT PROFILE:

Tactic              Technique ID   Technique                            Sub-technique
Initial Access      T1190          Exploit Public-Facing Application    -
Execution           T1059.004      Command and Scripting Interpreter    Unix Shell
Defense Evasion     T1027.001      Obfuscated Files or Information      Binary Padding
Credential Access   T1552.001      Unsecured Credentials                Credentials In Files
Collection          T1005          Data from Local System               -
Exfiltration        T1567.002      Exfiltration Over Web Service        Exfiltration to Cloud Storage

REFERENCES:

The reports contain further technical details:
https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment/

https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html