Critical cPanel Flaw Actively Exploited to Inject Persistent Backdoor – Urgent Patch Required
A newly disclosed critical vulnerability in cPanel and WebHost Manager (WHM) is under active exploitation by a threat actor tracked as Mr_Rot13, who is using it to deploy a persistent backdoor called Filemanager on compromised servers.
The attack exploits CVE-2026-41940, an authentication bypass flaw that gives remote attackers elevated control over the control panel. This allows the attacker to upload and execute arbitrary code, ultimately installing the Filemanager backdoor for long-term access.
According to cybersecurity researchers tracking the campaign, the vulnerability is being weaponized in the wild at scale. “We have observed multiple incidents where unpatched cPanel installations were compromised within hours of public disclosure,” said a senior analyst at a leading threat intelligence firm.
Background
cPanel is a popular web hosting control panel used by millions of websites globally. WHM is its server management interface. The vulnerability CVE-2026-41940 was publicly disclosed in early March 2026 with a critical severity score of 9.8 out of 10.
The flaw resides in the authentication mechanism, allowing remote attackers to bypass login checks without valid credentials. Upon exploitation, the attacker gains administrative rights to the cPanel/WHM interface.
cPanel issued a security update shortly after disclosure, but many hosts have yet to apply the patch. “This is a classic case where the window between disclosure and exploitation is shrinking,” noted a threat researcher from a cybersecurity nonprofit.
What This Means
For web hosting providers and site owners using cPanel, the immediate risk is full compromise of the hosting environment. The Filemanager backdoor provides the attacker with persistent remote access, enabling data theft, malware injection, and further lateral movement.
“This is not a theoretical risk. We are seeing real-world deployments of a backdoor that can survive reboots and remain undetected for months,” warned the threat intelligence analyst.
Organizations that have not patched CVE-2026-41940 should treat this as a critical emergency. Immediate actions include:
- Apply the latest cPanel/WHM updates from the official vendor.
- Audit server logs for signs of unauthorized access or unusual file creation.
- Scan for the Filemanager backdoor using antivirus or endpoint detection tools.
- Reset all administrative passwords and review user accounts.
The attacker Mr_Rot13 has previously been linked to similar campaigns targeting web hosting panels. Their use of a custom backdoor suggests a sophisticated operation aimed at building a botnet or reselling access to compromised servers.
Quotes from Experts
“The speed at which this threat evolved from disclosure to active exploitation is alarming,” said a principal security engineer at a major cloud provider. “It underscores why patch management must be treated as a top priority, especially for internet-facing infrastructure.”
Another researcher commented, “The Filemanager backdoor is particularly dangerous because it blends in with legitimate cPanel files. Without proper monitoring, it can easily go unnoticed for extended periods.”
Actionable Steps
To verify if your cPanel installation is vulnerable, check the version running against the advisory published by cPanel. Versions prior to the March 2026 security release are affected.
If you suspect compromise, isolate the server immediately and engage an incident response team. Indicators of compromise include unexpected files in the /usr/local/cpanel directory and unusual network connections from the control panel’s user ID.
The cybersecurity community recommends enabling multi-factor authentication for cPanel access and implementing strict IP whitelisting where possible. These measures provide a second layer of defense even if the underlying vulnerability is exploited.
For ongoing updates, follow official cPanel security announcements and subscribe to threat feeds that cover web hosting software vulnerabilities.
Related Articles
- Senior Scattered Spider Hacker Pleads Guilty to Wire Fraud and Crypto Theft
- DarkSword: The Advanced iOS Exploit Chain Threatening Global Security
- Adversary Tactics Diverge as Dwell Time Hits 14 Days, Mandiant Report Warns
- How Two Cybersecurity Experts Ended Up in Prison for Aiding a Ransomware Gang
- Malicious Google Ads and Claude.ai Chat Links Deploy Mac Malware in Sophisticated Campaign
- Overcoming Sales Hurdles: How MSPs Can Capture More Cybersecurity Revenue
- Canvas LMS Disrupted: ShinyHunters Threatens Massive School Data Leak
- Beyond Endpoints: Key Data Sources for Holistic Threat Detection