Stealthy hackers exploit cPanel flaw in active backdoor campaign (CVE-2026-41940)

Security researchers at XLab have outlined an active attack campaign targeting CVE-2026-41940, the recently disclosed vulnerability in cPanel & WHM, and have linked it to a stealthy hacking group that has been operating largely undetected for years.

The vulnerability allows an attacker to log into a cPanel server without a username or password, effectively handing them administrator control over the cPanel host system, its configurations and databases, and the websites it manages.

The attack campaign

Once attackers gain access to a vulnerable server, they deploy an “infector” that first changes the server’s root password and plants a hidden login key so attackers can return via SSH, then drops a PHP web shell into the cPanel system, allowing remote file browsing and command execution.

The attackers also tamper with the cPanel login page itself, injecting code that secretly harvests every username and password typed into it and sends them to an attacker-controlled server.

A cross-platform remote-control trojan dubbed “Filemanager” is then installed, giving attackers an ongoing window into the compromised machine and the ability to manage it remotely.

Database passwords, SSH keys, command history, and other data are exfiltrated both to the attackers’ own servers and to a private Telegram group.

The attackers

XLab’s attribution work points to a group they’ve dubbed “Mr_Rot13” based on the Telegram account handle used by the group’s apparent leader and the text-scrambling technique the group uses to hide the address of their command and control (C2) server.

The group’s C2 domain (wrned.com) has been in active use since at least 2020, the researchers found. This, and the fact that a PHP backdoor associated with that domain was uploaded to VirusTotal in 2022 and still has zero detections, led them to the conclusion that this is “a stable hacking group capable of operating covertly for years while remaining undiscovered.”
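One defender-side check prompted by the ROT13-scrambled C2 address described above, added here as an example and not code from XLab or this article: it scans file contents for tokens that are not a plain domain as written but become a plausible hostname with a common TLD after ROT13, and flags whether the decoded name is the C2 domain the researchers identified. The PHP snippet, the TLD list and the hostname pattern are constructed assumptions for illustration.

```python
import codecs
import re

# C2 domain named in the XLab report, as quoted in the article.
KNOWN_C2 = {"wrned.com"}

# Small TLD set for the heuristic (assumption: extend it for real triage).
COMMON_TLDS = {"com", "net", "org", "info", "biz", "ru", "cn", "io", "xyz", "top"}

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]{4,253}")


def rot13(s: str) -> str:
    return codecs.decode(s, "rot_13")


def find_rot13_hostnames(text: str) -> list[tuple[str, str, bool]]:
    """Return (token, decoded_hostname, is_known_c2) for every token that is
    not a plain domain as written but decodes via ROT13 to a hostname whose
    TLD is common. Plaintext domains are left to ordinary IoC matching."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        dec = rot13(tok).lower()
        if not HOSTNAME_RE.match(dec):
            continue
        if dec.rsplit(".", 1)[1] not in COMMON_TLDS:
            continue
        if tok.lower().rsplit(".", 1)[-1] in COMMON_TLDS:
            continue  # already a readable domain, not scrambled
        hits.append((tok, dec, dec in KNOWN_C2))
    return hits


# Constructed sample resembling a scrambled-C2 pattern; not the real backdoor.
SAMPLE_PHP = r'''<?php
$h = str_rot13("jearq.pbz");
$u = "http://" . $h . "/gate.php";
$l = "cpanel.example.com";
@file_get_contents($u);
'''

if __name__ == "__main__":
    for tok, dec, known in find_rot13_hostnames(SAMPLE_PHP):
        print(f"{tok} -> {dec}{'  [KNOWN C2]' if known else ''}")
```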

XLab says the campaign is ongoing and shared indicators of compromise.

CVE-2026-41940 exploitation

Various threat actors have been exploiting CVE-2026-41940 to deploy ransomware and Mirai malware, and to steal data.

XLab says more than 2,000 attacker-controlled IP addresses worldwide are currently running automated attacks against exposed servers, with traffic originating primarily from Germany, the United States, Brazil, and the Netherlands.

Yutaka Sejiyama, Deputy Director of Macnica’s Security Research Center, recently shared that 194 out of 1,692 publicly exposed cPanel/WHM servers in Japan have been hit with Sorry ransomware.

cPanel has been updating its security advisory with links to patches for various cPanel and WHM (Web Host Manager) versions and new versions of a detection script.
