cPanel Auth Bypass Under Mass Attack: 2,000 IPs Exploiting CVE-2026-41940

On May 12, 2026, QiAnXin XLab published details regarding an active campaign exploiting the CVE-2026-41940 authentication bypass in cPanel/WHM to distribute backdoors and harvest credentials. The threat actor group Mr_Rot13, which has maintained a near-zero detection rate since 2020, has mobilized over 2,000 attacking IPs in an automated operation that threatens hosting providers and private servers. The vulnerability, carrying a CVSS score near 9.3 and added to CISA’s KEV catalog with a due date of May 3, 2026, allows unauthorized administrative access without credentials.

Key Takeaways
  • CVE-2026-41940 is an authentication bypass (CWE-306) in the cPanel/WHM login flow that grants remote unauthorized access with administrative privileges.
  • Post-exploitation activities include installing persistent SSH keys, a PHP webshell, a JavaScript credential harvester on the login page, and the cross-platform "Filemanager" backdoor.
  • Stolen data is exfiltrated to an actor-controlled Telegram group and the C2 server wrned.com, a domain active since October 2020.
  • Monitoring data from XLab indicates that over 2,000 attacking IPs across Germany, the United States, Brazil, and the Netherlands are automatically exploiting the flaw.

Understanding the Login Flow Bypass (CVE-2026-41940)

The National Vulnerability Database confirms that CVE-2026-41940 involves an authentication bypass vulnerability in the cPanel/WHM login flow, classified under CWE-306. The NVD explicitly describes the ability of a remote, unauthenticated attacker to gain unauthorized access. The CVSS v3.1 base score assigned by the CNA, VulnCheck, is currently cited near 9.3 out of 10.

CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on April 30, 2026, setting a remediation deadline of May 3, 2026, for U.S. federal agencies. With this deadline now passed, mitigation is mandatory for the American public sector and serves as a critical severity indicator for the global private sector.

Once access is achieved, the attacker operates with full administrative privileges. In shared hosting environments, a single compromised server can expose hundreds of websites to lateral movement, as administrative access allows the attacker to reach any virtual host managed by that cPanel instance.

The Attack Chain: From Go Infector to Filemanager Backdoor

After bypassing the login, the campaign deploys an infector written in Go, an internal project named "Payload." This component connects to actor-controlled domains, including cp.dene.de.com, to download the primary payload and configure a persistent SSH key. This technique ensures access remains intact even after web service restarts or administrative password rotations.

Subsequently, a PHP webshell is uploaded, providing a remote terminal that runs within the web server's context, bypassing standard authentication to execute arbitrary commands. Simultaneously, a JavaScript snippet is injected into the cPanel login page to capture credentials entered by legitimate administrators during future sessions.

The final stage involves the installation of the cross-platform "Filemanager" backdoor, downloaded from wpsock.com. This tool amplifies control over the compromised system by providing a graphical file system interface and remote management capabilities across different platforms. The exfiltrated data—including bash history, database passwords, virtual aliases, and login credentials—is sent to a Telegram group and the command-and-control (C2) server wrned.com.

The domain wrned.com was registered in October 2020, confirming over six years of infrastructure continuity. Researchers also observed that the Go-based code contains a significant number of Turkish-language log messages. According to the XLab report, as cited by Security Affairs:

"On May 4, while sorting through the malicious payloads delivered via the CVE-2026-41940 vulnerability, we discovered a new and distinctive infector. This infector is written in Go, with a project named Payload, and it embeds a large amount of Turkish-language log messages, which appear to be AI-generated." — QiAnXin XLab report, via Security Affairs

This assessment regarding AI generation has not been independently verified and remains a working hypothesis.

Mr_Rot13: A Stealth Operation Active Since 2020

The threat actor Mr_Rot13 has been identified by QiAnXin XLab researchers as the party responsible for this campaign. The group has operated with an extremely low detection rate throughout the 2020–2026 period. The strongest evidence of this longevity is the wrned.com domain, which has been active since late 2020.

Attribution is also supported by technical correlations between the observed tools and the group's historical infrastructure. For instance, a backdoor sample named helper.php uploaded to VirusTotal in April 2022 maintained a near-zero detection rate, reinforcing the theory of prolonged evasion.

"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability" — QiAnXin XLab researchers, via The Hacker News

Researchers further noted that "Over the six years from 2020 to the present, the detection rate of Mr_Rot13's related samples and infrastructure across security products has remained extremely low," confirming that stealth is a core operational constant rather than an exception.

However, it remains unclear if Mr_Rot13 is the sole actor exploiting CVE-2026-41940. Sources indicate the possibility of independent campaigns with different objectives, such as cryptomining or botnet recruitment, which may be co-existing without yet being precisely attributed.

Mitigation and Response

For system administrators and hosting providers, the situation requires immediate and verifiable action.

  • Verify cPanel/WHM Patching: Ensure your instance is updated beyond the vulnerable version. The presence of this CVE in the CISA KEV catalog with a May 3, 2026, deadline makes this a maximum priority, particularly for critical infrastructure.
  • Audit Authorized SSH Keys: Analyze the authorized_keys files for all administrative users. Remove any keys that cannot be traced to known internal devices or operators, as the Go infector prioritizes this persistence method.
  • Scan for Webshells and Suspicious Files: Conduct thorough scans of web directories served by cPanel for anomalous PHP files and injected JavaScript code within login page templates, which indicate the presence of a credential harvester.
  • Monitor Traffic to wrned.com and Telegram: Configure firewalls and IDS systems to detect and block outbound connections to the known C2 domain and unauthorized Telegram endpoints to prevent active exfiltration.
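The three host-side checks in the list above (unexplained SSH keys, off-host scripts in the login page, egress to the named C2 domains) can be scripted so that an administrator gets a repeatable yes/no answer instead of eyeballing files. The POSIX shell script below is an added example written for this article; it is not code from QiAnXin XLab, cPanel, or the campaign. All inputs are constructed fixtures written to a temporary directory so the script runs offline: the key allowlist, the login template, the connection-log format and the local script path are assumptions, and api.telegram.org is included on the assumption that exfiltration to a Telegram group goes through the Bot API.

```shell
#!/bin/sh
# Added example, not code from the XLab report, cPanel or the article.
# Implements the three host-side checks from the mitigation list:
#   1. authorized_keys entries not on an operator-maintained allowlist
#   2. login-page templates pulling scripts from another origin
#   3. outbound connections to the C2/exfiltration domains named above
# Every input below is a constructed fixture in a temp dir, so the script
# runs offline; file paths, log format and the allowlist are assumptions.
set -eu
export LC_ALL=C
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: keys an operator tracks out of band (type, base64, comment).
cat > "$WORK/allowlist" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOperatorKey00000000000 ops@laptop
EOF

# Constructed: one trusted key plus one key nobody can account for.
cat > "$WORK/authorized_keys" <<'EOF'
# managed by ops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOperatorKey00000000000 ops@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey000000000000 root@unknown
EOF

# Constructed: a login template with one local script and one injected
# off-host script (the harvester pattern the article describes).
cat > "$WORK/login.tmpl" <<'EOF'
<html><head><title>Login</title>
<script src="/local/login.js"></script>
<script src="https://cp.dene.de.com/l.js"></script>
</head><body><form id="login_form"></form></body></html>
EOF

# Constructed: outbound-connection log, "<ts> <src> -> <host>:<port>".
cat > "$WORK/conn.log" <<'EOF'
2026-05-12T10:01:02Z 203.0.113.10 -> mirror.example.net:443
2026-05-12T10:01:09Z 203.0.113.10 -> wrned.com:443
2026-05-12T10:02:11Z 203.0.113.10 -> api.telegram.org:443
EOF

# Domains named in the report, plus api.telegram.org (assumption: exfiltration
# to a Telegram group uses the Bot API, so unapproved Telegram egress is the signal).
IOC_DOMAINS="wrned.com wpsock.com cp.dene.de.com api.telegram.org"

# Normalise a key file to "type base64" lines (drops comments and any
# options prefix such as command="...") so two files can be compared with comm.
norm_keys() {
  grep -v '^[[:space:]]*#' "$1" \
    | awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); break } }' \
    | sort -u
}

# Print the number of keys in $1 absent from allowlist $2; the offending
# lines are left in $WORK/unknown.keys for the operator to review.
unknown_key_count() {
  norm_keys "$1" > "$WORK/keys.norm"
  norm_keys "$2" > "$WORK/allow.norm"
  comm -23 "$WORK/keys.norm" "$WORK/allow.norm" > "$WORK/unknown.keys"
  wc -l < "$WORK/unknown.keys" | tr -d ' '
}

# Print script src URLs in template $1 that load from another origin
# (absolute or protocol-relative). Inline snippets still need a content read.
external_script_srcs() {
  q="'"
  grep -o "<script[^>]*src=[\"$q][^\"$q]*" "$1" \
    | sed "s/.*src=[\"$q]//" \
    | grep -E '^(https?:)?//' || true
}
external_script_count() { external_script_srcs "$1" | wc -l | tr -d ' '; }

# Count log lines in $1 whose destination host is an indicator domain or a
# subdomain of one; each hit is reported on stderr.
ioc_hit_count() {
  n=0
  while read -r ts _src _arrow dest; do
    host=${dest%%:*}
    for d in $IOC_DOMAINS; do
      case "$host" in
        "$d"|*."$d") n=$((n + 1)); echo "IOC hit $ts -> $dest" >&2; break ;;
      esac
    done
  done < "$1"
  echo "$n"
}

echo "unknown SSH keys:       $(unknown_key_count "$WORK/authorized_keys" "$WORK/allowlist")"
echo "external login scripts: $(external_script_count "$WORK/login.tmpl")"
echo "IOC connections:        $(ioc_hit_count "$WORK/conn.log")"
```

On a real host the same functions would be pointed at root's and every account's authorized_keys, at the login template files your cPanel build actually serves (not asserted here), and at firewall, proxy or DNS logs in whatever format they produce; the comparison is against key material, not the comment field, so a renamed comment on an unknown key does not hide it. A non-zero count from any of the three checks is a trigger for the full compromise assessment the article describes, not just a cleanup of the single file that produced it.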

The CVE-2026-41940 emergency is more than a software flaw; it illustrates how a group with stable infrastructure since 2020 can remain effective by pivoting their target from CMS platforms to server administration panels. The combination of SSH persistence, credential theft, and Telegram-based exfiltration represents a concrete threat to anyone managing multiple sites on a single instance. For administrators, the primary concern is not just whether to patch, but whether a silent compromise has already occurred.

Frequently Asked Questions

Could other threat actors be exploiting this same vulnerability?
Yes. Sources do not rule out the existence of independent campaigns—focused on cryptomining or botnets—operating alongside the known exploitation of CVE-2026-41940. Not all detected malicious activity can be definitively attributed to Mr_Rot13.

How can the Filemanager backdoor be distinguished from legitimate tools?
Technical distinction is based on the associated infrastructure: the backdoor contacts the wrned.com domain and is deployed via the Go infector chain. The presence of these indicators, alongside PHP webshells and login page JS injections, confirms a compromise.

Why does the Go code contain Turkish messages?
XLab researchers observed Turkish logs within the "Payload" project and hypothesized they were generated by an AI. This remains an unconfirmed hypothesis as it has not been independently verified.
