A critical security flaw in cPanel, identified as CVE-2026-41940, is actively being exploited by cybercriminals to introduce a backdoor known as Filemanager. This vulnerability, which affects cPanel and WebHost Manager (WHM), allows unauthorized access, enabling attackers to manipulate the control panel with elevated privileges.
Exploitation Details and Impact
According to QiAnXin XLab, the vulnerability has attracted numerous attackers following its recent disclosure. The exploit leads to significant security breaches, including cryptocurrency mining, ransomware deployment, and the spread of botnets. Researchers have identified over 2,000 source IP addresses globally involved in automated attacks, with major activities traced back to regions such as Germany, the United States, Brazil, and the Netherlands.
Technical Analysis of the Attack
The exploit involves downloading a Go-based infector using shell scripts via wget or curl from a server (“cp.dene.[de[.]com”). This infector installs an SSH public key for persistent access and deploys a PHP web shell to facilitate file operations and execute remote commands. The injected web shell also serves a fake login page to capture credentials, which are then transmitted using ROT13 encryption to an attacker-controlled server (“wrned[.]com”).
Further, the malware collects sensitive information such as bash history, SSH keys, and database credentials, transmitting them to a Telegram group managed by an entity named “0xWR.” The backdoor, delivered via “wpsock[.]com,” supports remote command execution and file management across various operating systems, including Windows, macOS, and Linux.
Long-Term Threat and Historical Context
The threat actor, identified as Mr_Rot13, appears to have been operating covertly for a substantial period. Evidence suggests that domains linked to the attack were registered as early as October 2020, with related malicious software detected on platforms like VirusTotal since April 2022. Despite the extensive duration of activity, security systems have shown low detection rates for the related infrastructure.
This continued exploitation underscores the importance for organizations to apply patches promptly and enhance their security measures. As cyber threats evolve, staying informed about vulnerabilities like CVE-2026-41940 is critical to safeguarding digital assets.
