CVE-2026-41940: Critical cPanel Vulnerability Exploited to Deploy 'Filemanager' Backdoor

The threat actor Mr_Rot13 is leveraging the CVE-2026-41940 authentication bypass in cPanel/WHM to distribute the cross-platform Filemanager backdoor, stealing…

The threat group Mr_Rot13 is actively exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel/WHM control panels. Ten days after CISA's May 3 remediation deadline, researchers report that more than 2,000 malicious IP addresses are involved in automated global exploitation. The attack chain deploys a Go-based infector that modifies administrative credentials, injects malicious scripts into login pages, and drops the cross-platform "Filemanager" backdoor to exfiltrate data to external infrastructure.

Key Takeaways
  • CVE-2026-41940 is an authentication bypass vulnerability with a CVSS score of up to 9.8; it was added to the CISA KEV catalog on April 30 with a compliance deadline of May 3.
  • The Go-based infector, internally named "Payload," modifies root passwords, installs unauthorized SSH keys, and injects malicious JavaScript into login templates to harvest credentials.
  • The Filemanager backdoor is cross-platform (Windows, macOS, Linux) and supports remote code execution (RCE), file management, and remote shell capabilities.
  • The command-and-control (C2) infrastructure utilizes the domain wrned.com, registered in October 2020 and linked to campaigns dating back to 2022.

The Attack Chain: From Auth Bypass to Credential Harvesting

CVE-2026-41940 is classified as "Missing Authentication for Critical Function" in the NVD database. While the CNA VulnCheck assigned it a CVSS score of 9.8, some editorial sources have reported it as 9.3. The flaw allows an attacker to bypass the cPanel/WHM authentication flow and gain administrative privileges without valid credentials. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on April 30, 2026. Now that the deadline has passed, researchers at QiAnXin XLab are observing a sustained escalation in activity.

Monitoring data from QiAnXin XLab, as reported by The Hacker News, indicates that over 2,000 unique attacker IPs are conducting automated exploits, primarily originating from Germany, the United States, Brazil, and the Netherlands. The unauthenticated initial access serves as the entry point for a sophisticated multi-stage compromise: once administrative control is achieved, actors upload a remote shell script to begin deep server penetration. The bypass is not used merely to get in; it serves as a lever to modify the panel's core behavior.

"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability" - QiAnXin XLab via The Hacker News

The 'Payload' Go-Infector and Persistence Mechanisms

At the center of this campaign is an infector written in Go, internally designated as "Payload." According to QiAnXin XLab analysis cited by Security Affairs, the sample contains numerous Turkish-language log messages that researchers believe were likely generated by artificial intelligence tools, though this hypothesis has not been independently verified. Upon execution, the binary changes the root user's password, generates an SSH key labeled "cpanel-updater" for persistent remote access, and drops a PHP webshell to maintain a command channel even after potential reboots.

The most insidious component is the injection of JavaScript directly into the cPanel login page template. Every subsequent login attempt—including legitimate administrative access—is intercepted, and the credentials are transmitted to an attacker-controlled server before final exfiltration to Telegram. This mechanism transforms the compromised panel into a passive credential harvesting platform, meaning that simply patching the software is insufficient without a full rotation of all passwords and SSH keys.

Filemanager: Cross-Platform RCE and Data Theft

In parallel with the infector, the attack chain deploys the Filemanager backdoor, a cross-platform tool capable of operating on Windows, macOS, and Linux. Technical analyses from THN, Security Affairs, and CyberPress describe the malware as a comprehensive solution for remote file management, arbitrary command execution, and interactive shell access. Researchers at CyberPress have published MD5 hashes for samples associated with this family, providing indicators for administrators to scan for potentially infected hosting systems.

Sources indicate the operation has already resulted in significant data loss. Security Affairs and CyberPress report the theft of approximately 4.37 GB of sensitive data from government and military entities in Southeast Asia. It remains unclear whether these targets were hosted on dedicated instances or shared infrastructure compromised through hosting providers. This impact highlights how a single breached cPanel instance can serve as a bridge to high-value strategic institutional archives.

C2 Infrastructure and the History of Mr_Rot13

The attribution of this campaign to the Mr_Rot13 group is supported by QiAnXin XLab. Analysis of indicators of compromise (IoCs) identifies the domain wrned.com as a central element of the command-and-control infrastructure. This domain was registered in October 2020 and was previously observed in a PHP backdoor uploaded to VirusTotal in April 2022, which had an extremely low detection rate at the time. This link suggests operational continuity for the group that predates the disclosure of CVE-2026-41940 by several years.

According to The Hacker News via QiAnXin XLab, detection of Mr_Rot13's samples and infrastructure by security products has remained remarkably low over the past six years. This longevity and stealth indicate an adaptive capability and opportunistic target selection that allowed the group to remain below the global alarm threshold until the current cPanel escalation. The infrastructure's history reinforces the theory that Mr_Rot13 is not a fly-by-night actor but a resource-rich entity with long-term planning capabilities.

Mitigation and Response Guidelines

  • Administrators must immediately apply patches released by cPanel for CVE-2026-41940, noting that CISA’s May 3 deadline passed nearly two weeks ago.
  • Revoke all unauthorized SSH keys, paying specific attention to those named "cpanel-updater," and perform a complete reset of root credentials.
  • Inspect cPanel/WHM login templates for unauthorized JavaScript injections and force a password rotation for all users, as the malware captures legitimate login sessions.
  • Scan filesystems for the Filemanager backdoor's IoC hashes and monitor network traffic for connections to the wrned.com domain.
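As an added triage example (written for this page, not code from the article, cPanel, or any vendor tool), the following Python checks three of the indicators listed above: the "cpanel-updater" SSH key label, script tags in a login template that load from an external host, and connections to wrned.com. The sample inputs are constructed for illustration; only the wrned.com domain and the key label come from the article.

```python
import re

# Constructed sample inputs (not from the article) standing in for files a
# cPanel/WHM administrator would pull from a suspect host during triage.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne admin@ops-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyTwo cpanel-updater
"""

SAMPLE_LOGIN_TEMPLATE = """\
<html><head><title>cPanel Login</title>
<script src="/unprotected/login.js"></script>
<script src="https://wrned.com/l.js"></script>
</head><body><form id="login_form">...</form></body></html>
"""

SAMPLE_CONN_LOG = """\
2026-05-13T10:01:02Z CONNECT dst=updates.example-vendor.invalid:443
2026-05-13T10:01:09Z CONNECT dst=wrned.com:443
2026-05-13T10:02:11Z CONNECT dst=wrned.com:80
"""

C2_DOMAIN = "wrned.com"                 # C2 domain named in the article
SUSPECT_KEY_COMMENT = "cpanel-updater"  # SSH key label the infector is reported to use


def suspicious_ssh_keys(authorized_keys: str) -> list[str]:
    """Return key comments matching the label the infector is reported to use."""
    hits = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 3 and SUSPECT_KEY_COMMENT in parts[2]:
            hits.append(parts[2])
    return hits


def external_script_sources(template_html: str) -> list[str]:
    """Return <script src> values that load from a foreign host.

    A stock login template references only local paths, so any absolute
    http(s) URL deserves a human look; the known C2 domain is the clearest signal.
    """
    srcs = re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', template_html, re.I)
    return [s for s in srcs if re.match(r"https?://", s, re.I)]


def c2_connections(log_text: str) -> list[str]:
    """Return log lines whose destination is the reported C2 domain."""
    return [ln for ln in log_text.splitlines() if f"dst={C2_DOMAIN}:" in ln]
```

Run the three functions over the real authorized_keys files, the login template directory, and egress logs of a suspect host; any hit warrants a full credential and key rotation rather than just the patch.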

The stakes extend beyond the compromise of a single server. Once JavaScript is injected into the login page, the panel remains a passive source of credentials even after patching, unless a full sanitization is performed. For hosting providers and systems administrators, the Mr_Rot13 case serves as a technical reminder: the response to a critical authentication bypass cannot stop at a software update; it must encompass total key rotation and verification of authentication template integrity. Defense has shifted from fixing vulnerable code to restoring compromised trust.

Frequently Asked Questions

Why is applying the patch alone insufficient?

The patch fixes the authentication bypass but does not remove injected JavaScript, unauthorized SSH keys, or pre-existing webshells. If credentials were intercepted prior to patching, the attacker can regain access using those stolen details.

How can the 'Payload' Go-infector be distinguished from other Linux malware?

Researchers noted Turkish-language logs embedded in the binary and unauthorized modifications to the root password. Confirmation typically requires analyzing Filemanager backdoor hashes and searching for the "cpanel-updater" SSH key.

What is the role of the wrned.com domain in this attack?

The domain serves as the command-and-control infrastructure. It has been linked to Mr_Rot13 campaigns since at least 2022, confirming the group's operational history and providing a primary indicator for network monitoring.
