Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
EY Data Breach: Attackers Access IT Support, Download Documents
July 17, 2026
Ransomware Attack Halts Fairlife Production Across US
July 17, 2026
PentestCode AI Agent Automates Pen Testing with 18 Specialized Tools
July 17, 2026
Home/CyberSecurity News/Critical CVE-2026-41940 lets attackers take over cPanel & WHM servers
CyberSecurity News

Critical CVE-2026-41940 lets attackers take over cPanel & WHM servers

Key Takeaways A critical authentication bypass vulnerability, CVE-2026-41940, is under active exploitation. The flaw impacts cPanel and WebHost Manager (WHM) servers globally. Unauthenticated remote...

Jennifer sherman
Jennifer sherman
May 12, 2026 4 Min Read
50 0

Key Takeaways

  • A critical authentication bypass vulnerability, CVE-2026-41940, is under active exploitation.
  • The flaw impacts cPanel and WebHost Manager (WHM) servers globally.
  • Unauthenticated remote attackers can gain full administrator control without credentials.
  • The vulnerability carries a maximum CVSS severity score of 9.8.
  • A sophisticated hacking collective, “Mr_Rot13,” is leveraging this zero-day to deploy ransomware, cryptominers, and backdoors.

A severe authentication bypass vulnerability, identified as CVE-2026-41940, is currently being actively exploited, posing a significant threat to cPanel and WebHost Manager (WHM) servers worldwide. This critical flaw, rated with a maximum severity score of 9.8 on the CVSS scale, effectively grants cybercriminals unfettered access to affected systems.

Table Of Content

  • Key Takeaways
  • CVE-2026-41940 Hijacks cPanel Servers
  • Infection Chain and Malware Deployment
  • Indicators of Compromise (IOCs)
  • What You Should Do

The vulnerability allows unauthenticated remote attackers to circumvent security measures entirely, obtaining absolute administrator control over servers without requiring any username or password. Threat actors are aggressively weaponizing this zero-day exploit, deploying ransomware, cryptominers, and persistent backdoors across vulnerable Linux environments.

Since its public disclosure in late April 2026, threat intelligence platforms have documented a substantial increase in automated attacks targeting this specific vulnerability. DailyDarkWeb reports that over 2,000 unique IP addresses globally, primarily originating from the United States, Germany, Brazil, and the Netherlands, are actively scanning for and exploiting this flaw. Further underscoring the gravity of the threat, security researchers at Ctrl-Alt-Intel disclosed on May 2 that hackers successfully leveraged this vulnerability to breach government and military networks in Southeast Asia, exfiltrating approximately 4.37 GB of sensitive archived data spanning from 2020 to 2024.

CVE-2026-41940 Hijacks cPanel Servers

Security analysts from XLab have linked a highly sophisticated and ongoing campaign to a clandestine hacking collective they refer to as “Mr_Rot13.” This group, which has been operating discreetly since at least 2020, has a documented history of deploying malicious PHP backdoors designed to evade detection by leading antivirus scanning platforms.

JavaScript code is injected (Source: Xlab)
JavaScript code is injected (Source: Xlab)

The moniker “Mr_Rot13” stems from the group’s frequent use of the Rot13 algorithm to obfuscate its command-and-control (C2) infrastructure within injected JavaScript payloads. Recent investigations indicate that Mr_Rot13 operates as a highly organized entity, rather than an opportunistic group of script-kiddies. They rely on custom, well-maintained malware and demonstrate a dynamic response to security researchers probing their infrastructure, often rotating Telegram bot tokens and upgrading malware payloads to evade active detection and analysis.

Infection Chain and Malware Deployment

The infection process initiates when attackers exploit CVE-2026-41940 to bypass authentication, immediately gaining administrator privileges on the target server. Without supplying any credentials, the threat actors then deploy a Go-based injector tool dubbed “Payload.” Researchers from XLab observe that the tool’s code structure and logging style suggest it may have been generated using artificial intelligence.

Remotely manage compromised systems via a web page (Source: Xlab)
Remotely manage compromised systems via a web page (Source: Xlab)

Upon execution, the injector promptly modifies the server’s root password and implants malicious SSH public keys to establish persistent backdoor access. Subsequently, the malware drops a custom PHP webshell known as “Cpanel-Python” and injects malicious JavaScript into the server’s custom login pages. This injected script actively harvests user credentials, User-Agent strings, and URLs, transmitting the stolen data to a remote C2 server via an AJAX request.

As a final step, the attackers deploy “Filemanager,” a robust cross-platform remote control Trojan. This Trojan supports Linux, Windows, and Darwin operating systems, enabling attackers to access a web-based console for executing remote commands and managing files. Stolen server configurations and database credentials are then exfiltrated through dual channels, sending information back to both the group’s web domains and a dedicated Telegram bot.

Indicators of Compromise (IOCs)

Domains:

  • cp.dene.de[.]com
  • wrned[.]com
  • wpsock[.]com

MD5 Hashes:

  • fb1bc3f935fdeb3555465070ba2db33c
  • 9305b4ebbb4d39907cf36b62989a6af3
  • 2286f126ab4740ccf2595ad1fa0c615c

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Immediately patch all cPanel & WHM servers to the latest available version to address CVE-2026-41940.
  • Implement multi-factor authentication (MFA) for all administrative accounts.
  • Regularly audit server logs for unusual activity, especially failed login attempts and unauthorized file modifications.
  • Scan your servers for the presence of the listed Indicators of Compromise (IOCs).
  • Consider isolating cPanel management interfaces behind a VPN or restricted IP access.
  • Review and strengthen password policies for all server accounts.
  • Perform regular backups of critical data and store them securely offline.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

BreachCVEExploitHackerMalwareransomwareSecurityThreatVulnerabilityzero-day

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Supply Chain Attack on TanStack NPM Packages Exposes CI Credentials

Next Post

BitLocker Downgrade Attack on Windows 11 Exposes Encrypted Disks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
ClickLock macOS Stealer Kills Apps, Forces Password Entry
July 17, 2026
Top 10 Identity Threat Detection and Response (ITDR) Solutions for 2026
July 17, 2026
GPT-5.6 Codex Bug Deletes Files From Home Directories
July 17, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us