cPanel CVE-2026-41940 Exploits Filemanager Backdoor
2026-05-12 11:41 | CRITICAL HIGH
Executive Summary (AI-generated)
Incident data indicates a critical vulnerability in cPanel, CVE-2026-41940, that cybercriminals have exploited to deploy malicious backdoors and gain unauthorized admin access. The flaw affects software versions after 11.40, including WHM and WordPress. Researchers have identified the exploit payload as an infector used in attacks against the vulnerability, and new malware discovered in these attacks has been linked to the Mr_Rot13 threat group. Thousands of instances may be exposed, with in-the-wild exploitation already reported by KnownHost, and thousands more are likely to remain undetected until defenders identify vulnerable hosts using the Detection Artifact Generator tool.
Technical Mitigations (AI-generated)
* Implement a secure login mechanism: Ensure that all users have strong, unique passwords and consider implementing multi-factor authentication (MFA) to prevent unauthorized access.
* Regularly update and patch cPanel software: Keep the latest version of cPanel installed on servers to ensure you have the most up-to-date security patches and fixes for known vulnerabilities like CVE-2026-41940.
* Use a web application firewall (WAF): Consider installing a WAF, such as ModSecurity or Cloudflare, to help detect and prevent attacks before they reach your server.
* Monitor system logs and network traffic: Regularly review system logs and network traffic for suspicious activity that may indicate an attack on the cPanel service.
* Use secure communication protocols (e.g., HTTPS): Ensure all communications between clients and servers are encrypted using a secure protocol like HTTPS to prevent eavesdropping or tampering.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-41940
Target & Sectors
DACH
BENELUX
Incident Timeline
October 2020
Threat actors exploited CVE-2026-41940 in cPanel to deploy a Filemanager Backdoor on the compromised domain.
April 2022
Threat actors exploited a previously unknown vulnerability (CVE-2026-41940) in cPanel, which was subsequently used to deploy a PHP-based backdoor in the helper.php file uploaded to VirusTotal.
Entities and context:
observable: helper.php
organisation: VirusTotal
tactic: T1059.007 - JavaScript
Context: This assessment is based on the fact that the command-and-control (C2) domain embedded in the JavaScript code has been put to use in a PHP-based backdoor ("helper.php") that was uploaded to the VirusTotal platform in April 2022.
2026/04/11
Threat actors exploited cPanel CVE-2026-41940 to deploy a Filemanager Backdoor.
Entities and context:
tactic: Ransomware
tactic: Botnet
Context: According to a new report from QiAnXin XLab, the security defect has been exploited by a number of threat actors shortly after its public disclosure late last month, resulting in malicious behaviors like cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation.
April 28
Threat actors exploited cPanel CVE-2026-41940 to deploy a Filemanager backdoor.
Entities and context:
tactic: Ransomware
Context: Since its public disclosure on April 28, researchers have observed widespread exploitation linked to cryptomining, ransomware, botnets, and backdoor deployments.
May 4
Threat actors exploited CVE-2026-41940 in cPanel to deploy a Filemanager Backdoor.
Entities and context:
vulnerability: CVE-2026-41940
Context: “On May 4, while sorting through the malicious payloads delivered via the CVE-2026-41940 vulnerability, we discovered a new and distinctive infector.”
May 11, 2026
Threat actors used cPanel CVE-2026-41940 to deploy a Filemanager backdoor on compromised environments.
Entities and context:
tactic: Ransomware
organisation: cPanel
organisation: Filemanager
organisation: Vulnerability / Ransomware
Context (Ravie Lakshmanan, May 11, 2026, Vulnerability / Ransomware): A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments.
2026/05/12
Attackers exploit cPanel flaw CVE-2026-41940 to deploy Filemanager Backdoor.
Entities and context:
organisation: IPs
infrastructure: 2,000 malicious IPs
Context: More than 2,000 malicious IPs worldwide have reportedly targeted the flaw, with activity traced mainly to Germany, the U.S., Brazil, and the Netherlands.
"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability," XLab researchers said.
organisation: cPanel CVE-2026-41940
organisation: Filemanager Backdoor
Context: Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor. cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor.
organisation: cPanel
organisation: CVE-2026
organisation: Filemanager
Context: Attackers are exploiting cPanel flaw CVE-2026-41940 to install the Filemanager backdoor and gain unauthorized admin access.
infrastructure: 11.40
organisation: WHM
Context: “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.” CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40.
organisation: WebHost
Context: The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.
organisation: SSH
organisation: PHP
Context: Further analysis of the ongoing exploitation activity has uncovered a shell script that uses wget or curl to download a Go-based infector from a remote server ("cp.dene.[de[.]com") that's designed to implant a compromised cPanel system with an SSH public key for persistent access, along with dropping a PHP web shell that facilitates file upload/download and remote command execution.
Researchers also uncovered a new Go-based malware called “Payload,” which installs SSH keys, malicious PHP and JavaScript code, steals credentials, and sends stolen data to attackers through Telegram before deploying a remote-control trojan named Filemanager.
infrastructure: Linux
infrastructure: Windows
infrastructure: macOS
Context: The malware supports Linux, Windows, and macOS systems and appears designed for persistent remote access and credential theft.
Once the details are transmitted, the attack chain culminates with the deployment of a cross-platform backdoor that's capable of infecting Windows, macOS, and Linux systems.
organisation: VirusTotal
Context: Researchers discovered a PHP backdoor named helper.php linked to the Mr_Rot13 threat group and uploaded to VirusTotal in 2022 with no antivirus detections.
organisation: WordPress
organisation: XOR
Context: The malware hid malicious code inside a legitimate WordPress file using XOR string obfuscation and communicated with the domain wrned.com, extending the group’s activity timeline back several years.
organisation: KnownHost
Context: “As we stated above, in-the-wild exploitation has already begun, according to KnownHost.”
organisation: the Shadowserver Foundation
Context: According to the Shadowserver Foundation, thousands of instances may be exposed.
organisation: Telegram
data_breach: 3 member
Context: “Its main functions are: implanting an SSH public key, malicious PHP, and JS code into the compromised cPanel system, stealing login credentials, sending the stolen information back to a Telegram group controlled by the attackers, and ultimately deploying a remote-control trojan named “filemanager.””
Threat analysts linked the campaign to a suspected long-running group called Mr_Rot13, which appears to have operated covertly since at least 2020 using the same infrastructure and hidden command-and-control systems.
The infector is also equipped to collect sensitive information from the compromised host, including bash history, SSH data, device information, database passwords, and cPanel virtual aliases (aka valiases), to a 3-member Telegram group created by a user named "0xWR."
organisation: IP
Context: The backdoor collected data such as URLs, IP addresses, parameters, and user-agent details, then sent them to a remote command-and-control server.
organisation: SecurityAffairs
Context: Pierluigi Paganini (SecurityAffairs – hacking, cPanel)
data_breach: 4.37 GB
Context: The issue has already been tied to attacks against Southeast Asian government and military institutions, where hackers allegedly stole 4.37 GB of sensitive data.
Tactical Metrics
Category | Value | Label | Context
infrastructure | 2,000 | Malicious IPs | More than 2,000 malicious IPs worldwide have reportedly targeted the flaw, with activity traced mainly to Germany, the U.S., Brazil, and the Netherlands.
infrastructure | 11.40 | Software Version | “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.” CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40.
infrastructure | Linux, Windows, macOS | Affected Product | The malware supports Linux, Windows, and macOS systems and appears designed for persistent remote access and credential theft. Once the details are transmitted, the attack chain culminates with the deployment of a cross-platform backdoor that's capable of infecting Windows, macOS, and Linux systems.
data_breach | 4 GB | Data stolen | The issue has already been tied to attacks against Southeast Asian government and military institutions, where hackers allegedly stole 4.37 GB of sensitive data.
data_breach | 3 | Member | The infector is also equipped to collect sensitive information from the compromised host, including bash history, SSH data, device information, database passwords, and cPanel virtual aliases (aka valiases), to a 3-member Telegram group created by a user named "0xWR."
Intelligence Sources
The Hacker News
2026-05-11
Security Affairs
2026-05-12
Incident Version History
CURRENT VERSION
Last Updated: 2026-05-13T06:03
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Label | Value | Type
19x | organisation | Identified Entity | IPs | entity
8x | timeline | Temporal Reference | April 28 | date
4x | source region | Origin Country | Germany | country
3x | target region | Target Country | Germany | country
3x | infrastructure | Affected Product | Linux | software
2x | tactic | Cyber Operation Type | Ransomware | tactic
2x | tactic | MITRE ATT&CK Technique | T1588.005 - Exploits | technique
Contextual Telemetry
Context Block (7 metrics)
Category | Label | Value | Unit
infrastructure | Malicious IPs | 2,000 | malicious ips
vulnerability | Exploited CVE | CVE-2026-41940 | cve
vulnerability | CVSS Score | 9 | score
infrastructure | Software Version | 11.40 | version
data breach | GB | 4 | gb
general metric | Attacker | 2,000 | attacker
data breach | Member | 3 | member