Critical CVE-2026-41940 lets attackers take over cPanel & WHM servers
Key Takeaways A critical authentication bypass vulnerability, CVE-2026-41940, is under active exploitation. The flaw impacts cPanel and WebHost Manager (WHM) servers globally. Unauthenticated remote...
Key Takeaways
- A critical authentication bypass vulnerability, CVE-2026-41940, is under active exploitation.
- The flaw impacts cPanel and WebHost Manager (WHM) servers globally.
- Unauthenticated remote attackers can gain full administrator control without credentials.
- The vulnerability carries a maximum CVSS severity score of 9.8.
- A sophisticated hacking collective, “Mr_Rot13,” is leveraging this zero-day to deploy ransomware, cryptominers, and backdoors.
A severe authentication bypass vulnerability, identified as CVE-2026-41940, is currently being actively exploited, posing a significant threat to cPanel and WebHost Manager (WHM) servers worldwide. This critical flaw, rated with a maximum severity score of 9.8 on the CVSS scale, effectively grants cybercriminals unfettered access to affected systems.
Table Of Content
The vulnerability allows unauthenticated remote attackers to circumvent security measures entirely, obtaining absolute administrator control over servers without requiring any username or password. Threat actors are aggressively weaponizing this zero-day exploit, deploying ransomware, cryptominers, and persistent backdoors across vulnerable Linux environments.
Since its public disclosure in late April 2026, threat intelligence platforms have documented a substantial increase in automated attacks targeting this specific vulnerability. DailyDarkWeb reports that over 2,000 unique IP addresses globally, primarily originating from the United States, Germany, Brazil, and the Netherlands, are actively scanning for and exploiting this flaw. Further underscoring the gravity of the threat, security researchers at Ctrl-Alt-Intel disclosed on May 2 that hackers successfully leveraged this vulnerability to breach government and military networks in Southeast Asia, exfiltrating approximately 4.37 GB of sensitive archived data spanning from 2020 to 2024.
CVE-2026-41940 Hijacks cPanel Servers
Security analysts from XLab have linked a highly sophisticated and ongoing campaign to a clandestine hacking collective they refer to as “Mr_Rot13.” This group, which has been operating discreetly since at least 2020, has a documented history of deploying malicious PHP backdoors designed to evade detection by leading antivirus scanning platforms.

The moniker “Mr_Rot13” stems from the group’s frequent use of the Rot13 algorithm to obfuscate its command-and-control (C2) infrastructure within injected JavaScript payloads. Recent investigations indicate that Mr_Rot13 operates as a highly organized entity, rather than an opportunistic group of script-kiddies. They rely on custom, well-maintained malware and demonstrate a dynamic response to security researchers probing their infrastructure, often rotating Telegram bot tokens and upgrading malware payloads to evade active detection and analysis.
Infection Chain and Malware Deployment
The infection process initiates when attackers exploit CVE-2026-41940 to bypass authentication, immediately gaining administrator privileges on the target server. Without supplying any credentials, the threat actors then deploy a Go-based injector tool dubbed “Payload.” Researchers from XLab observe that the tool’s code structure and logging style suggest it may have been generated using artificial intelligence.

Upon execution, the injector promptly modifies the server’s root password and implants malicious SSH public keys to establish persistent backdoor access. Subsequently, the malware drops a custom PHP webshell known as “Cpanel-Python” and injects malicious JavaScript into the server’s custom login pages. This injected script actively harvests user credentials, User-Agent strings, and URLs, transmitting the stolen data to a remote C2 server via an AJAX request.
As a final step, the attackers deploy “Filemanager,” a robust cross-platform remote control Trojan. This Trojan supports Linux, Windows, and Darwin operating systems, enabling attackers to access a web-based console for executing remote commands and managing files. Stolen server configurations and database credentials are then exfiltrated through dual channels, sending information back to both the group’s web domains and a dedicated Telegram bot.
Indicators of Compromise (IOCs)
Domains:
cp.dene.de[.]comwrned[.]comwpsock[.]com
MD5 Hashes:
fb1bc3f935fdeb3555465070ba2db33c9305b4ebbb4d39907cf36b62989a6af32286f126ab4740ccf2595ad1fa0c615c
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Immediately patch all cPanel & WHM servers to the latest available version to address CVE-2026-41940.
- Implement multi-factor authentication (MFA) for all administrative accounts.
- Regularly audit server logs for unusual activity, especially failed login attempts and unauthorized file modifications.
- Scan your servers for the presence of the listed Indicators of Compromise (IOCs).
- Consider isolating cPanel management interfaces behind a VPN or restricted IP access.
- Review and strengthen password policies for all server accounts.
- Perform regular backups of critical data and store them securely offline.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.