
Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor


Pierluigi Paganini
May 12, 2026

Attackers are exploiting cPanel flaw CVE-2026-41940 to install the Filemanager backdoor and gain unauthorized admin access.

Cybercriminals are actively exploiting the critical cPanel vulnerability CVE-2026-41940 (CVSS score of 9.3) to deploy a backdoor called Filemanager on compromised servers.

cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.

Cybersecurity experts at watchTowr first disclosed the flaw earlier this week and released a tool to help defenders identify vulnerable hosts in their estates.

“As we stated above, in-the-wild exploitation has already begun, according to KnownHost,” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”

CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.

According to the Shadowserver Foundation, thousands of instances may be exposed.

cPanel and watchTowr released tools to detect compromise and vulnerable hosts. Exploits date back to February. Namecheap warned customers of temporary access limits to mitigate risk.

QiAnXin XLab researchers linked the attacks to a threat actor known as Mr_Rot13.

Since its public disclosure on April 28, researchers have observed widespread exploitation linked to cryptomining, ransomware, botnets, and backdoor deployments. More than 2,000 malicious IPs worldwide have reportedly targeted the flaw, with activity traced mainly to Germany, the U.S., Brazil, and the Netherlands.

The issue has already been tied to attacks against Southeast Asian government and military institutions, where hackers allegedly stole 4.37 GB of sensitive data.

Researchers also uncovered a new Go-based malware called “Payload,” which installs SSH keys, malicious PHP and JavaScript code, steals credentials, and sends stolen data to attackers through Telegram before deploying a remote-control trojan named Filemanager.

“On May 4, while sorting through the malicious payloads delivered via the CVE-2026-41940 vulnerability, we discovered a new and distinctive infector. This infector is written in Go, with a project named ‘Payload,’ and it embeds a large amount of Turkish-language log messages, which appear to be AI-generated,” reads the report published by QiAnXin XLab. “Its main functions are: implanting an SSH public key, malicious PHP, and JS code into the compromised cPanel system, stealing login credentials, sending the stolen information back to a Telegram group controlled by the attackers, and ultimately deploying a remote-control trojan named ‘filemanager.’”

Threat analysts linked the campaign to a suspected long-running group called Mr_Rot13, which appears to have operated covertly since at least 2020 using the same infrastructure and hidden command-and-control systems.

Researchers analyzed a malicious “Payload” infector used in attacks exploiting the critical cPanel flaw CVE-2026-41940. The malware downloads and runs a backdoor called Filemanager from attacker-controlled servers, then deletes traces of the installer.

“The malicious script delivered by Mr_rot13 via CVE-2026-41940 is shown below. Its function is to request a malicious payload named Update from the download server cp.dene.[de.com, and run it continuously in the background using the nohup command (typically used together with &).” continues the report.

Written in Go and likely generated with AI assistance, the malware changes root passwords, installs SSH keys, deploys PHP webshells, injects malicious JavaScript into cPanel login pages, steals credentials, and exfiltrates sensitive data.

The attackers also used Telegram bots as a backup channel to receive stolen information. Analysts linked the infrastructure to a long-running threat actor called Mr_Rot13, active since at least 2020. The malware supports Linux, Windows, and macOS systems and appears designed for persistent remote access and credential theft.

Researchers discovered a PHP backdoor named helper.php linked to the Mr_Rot13 threat group and uploaded to VirusTotal in 2022 with no antivirus detections. The malware hid malicious code inside a legitimate WordPress file using XOR string obfuscation and communicated with the domain wrned.com, extending the group’s activity timeline back several years.

The backdoor collected data such as URLs, IP addresses, parameters, and user-agent details, then sent them to a remote command-and-control server. Although researchers could not fully decrypt the final payload, the analysis confirmed that WordPress sites were likely a major target of the operation.
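As an added defensive example, not code from the XLab report or from this article, the following Python heuristic scanner flags PHP files that carry the markers described for helper.php: an XOR decode loop, an opaque blob feeding it, and a variable function call hiding the final sink. The two PHP samples are constructed for the demonstration and the scoring weights are assumptions; tune them against your own WordPress tree.

```python
import re
from pathlib import Path

# Heuristic markers of XOR-string-obfuscated PHP like the helper.php backdoor described
# above: a chr(ord(..) ^ ..) decode loop, the opaque blob it feeds, a variable function
# call that hides the final sink, and the usual decode/eval helpers.
XOR_LOOP = re.compile(r"chr\s*\(\s*ord\s*\([^)]*\)\s*\^")
DYN_CALL = re.compile(r"\$\w+\s*\(\s*\$\w+")              # e.g. $f($decoded)
LONG_OPAQUE = re.compile(r"['\"][A-Za-z0-9+/=]{64,}['\"]")
RISKY_FUNCS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(", re.I)

def score_php(source: str) -> dict:
    """Return the markers found in one PHP source plus a weighted score (assumed weights)."""
    funcs = sorted({m.group(1).lower() for m in RISKY_FUNCS.finditer(source)})
    hits = {
        "xor_loop": bool(XOR_LOOP.search(source)),
        "dynamic_call": bool(DYN_CALL.search(source)),
        "long_opaque_string": bool(LONG_OPAQUE.search(source)),
        "risky_funcs": funcs,
    }
    hits["score"] = (3 * hits["xor_loop"] + hits["dynamic_call"]
                     + 2 * hits["long_opaque_string"] + min(len(funcs), 3))
    return hits

def scan_tree(root: Path, threshold: int = 4) -> list[tuple[str, int]]:
    """Scan every .php file under root; return (path, score) for files at or above threshold."""
    flagged = []
    for path in root.rglob("*.php"):
        s = score_php(path.read_text(errors="ignore"))["score"]
        if s >= threshold:
            flagged.append((str(path), s))
    return sorted(flagged, key=lambda t: -t[1])

# Constructed samples: a benign plugin-style file, and the same file with an XOR decoder appended.
BENIGN_PHP = "<?php\n/* Plugin Name: Hello (constructed sample) */\nfunction hello_text() { return 'Hello'; }\n"
SUSPICIOUS_PHP = BENIGN_PHP + (
    "$k = 'wp';\n$d = base64_decode('" + "A1b2C3d4" * 9 + "');\n$o = '';\n"
    "for ($i = 0; $i < strlen($d); $i++) { $o .= chr(ord($d[$i]) ^ ord($k[$i % 2])); }\n"
    "$f = 'ev' . 'al';\n$f($o);\n"
)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "hello.php").write_text(BENIGN_PHP)
        (Path(tmp) / "wp-content").mkdir()
        (Path(tmp) / "wp-content" / "helper.php").write_text(SUSPICIOUS_PHP)
        for path, score in scan_tree(Path(tmp)):   # only the injected file is reported
            print(f"{score:2d}  {path}")
```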

“Over the six years from 2020 to the present, the detection rate of Mr_Rot13’s related samples and infrastructure across security products has remained extremely low,” concludes the QiAnXin XLab report. “Given that this threat activity is still ongoing and that the cPanel vulnerability involved is highly critical, we have written this threat brief specifically to share our findings with the security community, in order to work together to safeguard cybersecurity.”
