The Hacker News confirmed today, 13 May 2026, that threat actor Mr_Rot13 is actively exploiting CVE-2026-41940 — a critical authentication bypass in cPanel and WebHost Manager (WHM) with a CVSS score of 9.8 — to deploy the Filemanager backdoor on compromised Linux servers. The vulnerability allows unauthenticated remote attackers to completely bypass the hosting panel’s authentication process and obtain elevated control over the server. In Spain, cPanel is the most widely deployed hosting management panel among major providers (Raiola Networks, Dinahosting, Webempresa, among many others), with tens of thousands of corporate and SME websites directly exposed. The action window is hours.

What is CVE-2026-41940 and what is happening right now?

Facts confirmed by The Hacker News and Hispasec:

  • Vulnerability: authentication bypass in cPanel and WebHost Manager (WHM), the most widely used hosting management software in the world. It allows an unauthenticated remote attacker to completely bypass the panel’s login process and obtain elevated server control.
  • CVSS 9.8 (Critical): about as high as the scale goes in practice. No credentials required, no user interaction, exploitable over the network and easy to automate.
  • Active threat actor: Mr_Rot13, a recently identified threat actor, is actively exploiting the vulnerability to install the Filemanager backdoor on compromised servers.
  • Filemanager backdoor: a persistent implant that gives the attacker continuous server access, the ability to execute commands and to upload and download files, and that keeps working after cPanel is patched as long as the implant itself is not found and removed.
  • Patch available: cPanel has released an update fixing the vulnerability. The problem is that millions of installations depend on the hosting provider applying the update, not the end user, creating a wide and variable exposure window.
  • Vulnerability history: CVE-2026-41940 was identified weeks ago. Active exploitation with an identified actor and named backdoor confirms this is no longer a theoretical threat — it is an active attack right now.

Why cPanel is the most valuable target for attackers

cPanel and WHM are the de facto standard of the shared hosting industry. A successful attack on a cPanel installation does not mean compromising one website: it means potentially compromising all sites hosted on that server. Four reasons explain the offensive interest:

  1. Access to thousands of sites from a single point. A shared hosting server typically hosts between dozens and hundreds of distinct domains. Compromising cPanel gives the attacker control over all sites, databases and email accounts on that server in one blow.
  2. Email infrastructure as a high-value asset. cPanel manages mail servers. Access to the corporate email infrastructure of hundreds of clients enables targeted phishing, email interception and credential theft at scale.
  3. Databases directly accessible. Most cPanel installations have phpMyAdmin or direct MySQL access. With panel control, the attacker accesses all databases on the server: online shops, CRMs, customer data, contact forms.
  4. Hosting providers as supply chain vectors. Compromising a hosting provider’s server gives simultaneous access to all their clients. A single entry point, thousands of potential victims.

How the attack works: from bypass to Filemanager backdoor

The CVE-2026-41940 exploitation chain documented by The Hacker News follows these steps:

  1. Reconnaissance: the attacker identifies servers with cPanel/WHM exposed to the internet. Tools like Shodan index millions of installations accessible on ports 2082 (cPanel), 2083 (cPanel SSL), 2086 (WHM) and 2087 (WHM SSL); webmail usually sits on 2095/2096 alongside them. The scale of exposure is global.
  2. Authentication bypass: Mr_Rot13 exploits CVE-2026-41940 to completely bypass the cPanel/WHM login process without needing valid credentials. The exact mechanism has not been publicly disclosed in detail to limit exploit reuse.
  3. Elevated panel access: once inside the panel with privileges, the attacker has access to all server administration features: file managers, SSH access, cron jobs, databases, mail configuration and server logs.
  4. Filemanager backdoor deployment: Mr_Rot13 uses the panel's file manager to upload and install Filemanager, a persistent backdoor that survives reboots and keeps the access open even after the vulnerability is patched, unless the implant is detected and removed.
  5. Post-exploitation: with persistent access established, the attacker can exfiltrate databases, inject malicious code into hosted sites (web skimming, malicious redirects, end-user malware), steal email credentials, or sell access to other actors.

Affected versions and available patches

The vulnerability affects cPanel and WHM versions prior to the corrected release. Recommended actions differ by role:

If you are a sysadmin or manage your own cPanel server:

  • Update cPanel/WHM to the latest stable version from WHM (Home → cPanel → Upgrade to Latest Version) or, as root on the command line: /scripts/upcp --force
  • Verify the installed version at WHM → Server Information, or on the command line with /usr/local/cpanel/cpanel -V. Any version earlier than the release that fixes CVE-2026-41940 is at risk; take the fixed release number from cPanel's own advisory, not from third-party summaries.
  • Check whether automatic updates are enabled (WHM → Server Configuration → Update Preferences, which is stored as UPDATES=daily in /etc/cpupdate.conf). If not, enable them so future patches are applied without waiting for a manual run.
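The two checks above (installed release and update policy) can be scripted for a fleet. The block below is an added example for this article, not cPanel's own tooling: it reads /usr/local/cpanel/version and /etc/cpupdate.conf and compares the release against a minimum you supply. The article does not state which release fixes CVE-2026-41940, so FIXED_VERSION is deliberately left unset and the check refuses to give a verdict until you fill it in from cPanel's advisory. The handling of the legacy "11." prefix in the version file is an assumption documented in the code.

```python
"""Patch-level check for a cPanel/WHM server.

Added example, not cPanel's own tooling. Reads the installed version from
/usr/local/cpanel/version and the auto-update policy from /etc/cpupdate.conf
and compares the version with a minimum you supply. FIXED_VERSION is a
placeholder: the article does not give the fixed release, take it from
cPanel's advisory before trusting the verdict.
"""
import re
from pathlib import Path

VERSION_FILE = Path("/usr/local/cpanel/version")
UPDATE_CONF = Path("/etc/cpupdate.conf")
FIXED_VERSION = None   # placeholder: e.g. "126.0.21", from cPanel's advisory (value not in the article)


def parse_version(text):
    """Normalise '11.126.0.21' (version file) and '126.0.21' (WHM header) to (126, 0, 21).

    Assumption: the leading '11.' in the version file is the legacy major number
    cPanel keeps in front of the release number that WHM displays.
    """
    parts = [int(n) for n in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    if parts[0] == 11 and len(parts) >= 4:
        parts = parts[1:]
    return tuple(parts)


def is_patched(installed, fixed):
    """True when the installed release is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


def auto_updates_enabled(conf_text):
    """True only for UPDATES=daily; 'manual', 'never' or a missing key count as disabled."""
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().upper() == "UPDATES":
            return value.strip().lower() == "daily"
    return False


def check_server(version_file=VERSION_FILE, update_conf=UPDATE_CONF, fixed=FIXED_VERSION):
    """Return a verdict dict; fails closed if the fixed release has not been set."""
    if fixed is None:
        raise ValueError("set FIXED_VERSION from cPanel's advisory before running this check")
    installed = version_file.read_text().strip()
    conf = update_conf.read_text() if update_conf.exists() else ""
    return {
        "installed": installed,
        "patched": is_patched(installed, fixed),
        "auto_updates": auto_updates_enabled(conf),
    }


if __name__ == "__main__":
    verdict = check_server()
    print(verdict)
    if not verdict["patched"]:
        print("run /scripts/upcp --force now, then hunt for the backdoor: patching alone does not remove it")
```

Run it as root on each server after setting FIXED_VERSION. A "patched" verdict says nothing about whether the server was compromised before the update; that is what the hunting steps further down are for.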

If you are a hosting client with cPanel (no WHM access):

  • Contact your hosting provider to confirm they have applied the CVE-2026-41940 patch.
  • Major Spanish providers (Raiola, Dinahosting, Webempresa, IONOS, 1&1): check their security communications or open a support ticket asking explicitly about the update.

Key lessons, IoCs and checklist for sysadmins, hosting providers and SOC

IoCs and compromise indicators to check right now:

  • Unusual files in public server directories with names related to “filemanager”, “fm.php”, “upload.php” or recently created PHP files in root directories of hosted domains.
  • New entries in server cron jobs (WHM → Cron Jobs or /etc/cron*) not configured by the administrator.
  • Entries in /usr/local/cpanel/logs/login_log (authentication events) and access_log (panel requests) from unknown IPs, especially on ports 2082, 2083, 2086 and 2087, at unusual times. Treat a successful session from an address you do not recognise as a finding in its own right: with an authentication bypass there is no burst of failed logins to announce the intrusion.
  • Changes to .htaccess files in hosted sites (unauthorised redirects, unusual rewrite rules).
  • New cPanel users created without administrator authorisation.
  • Unusual outbound traffic from the server to unrecognised IPs or domains (post-compromise data exfiltration).

Action checklist for sysadmins and hosting providers:

  • Patch now: run /scripts/upcp --force if the CVE-2026-41940 patch has not yet been applied. This is the most urgent action.
  • Actively hunt for the Filemanager backdoor: review all public server directories for suspicious PHP webshells or recently created files. Tools like ClamAV, Maldet (Linux Malware Detect) or cPanel’s own Virus Scanner can help, but do not rely on them alone: webshells are trivially re-encoded, and file names are the weakest indicator. Search recent PHP files by content (eval, base64_decode, system, passthru, shell_exec) and sort by ctime rather than mtime, since mtime is back-dated with a single touch.
  • Review all server cron jobs: any entry not known to the administrator should be investigated before removal (preserve forensic evidence).
  • Rotate all server credentials: root passwords, cPanel passwords, MySQL/MariaDB, SSH keys and API keys for external integrations. If the backdoor was active before detection, all credentials should be treated as potentially compromised.
  • Review access logs for at least the past 30 days: /usr/local/cpanel/logs/login_log and access_log for the panel, and the per-domain Apache logs under /etc/apache2/logs/domlogs/ for the hosted sites. Check log rotation first; if retention is shorter than the exposure window, record the gap in the incident notes rather than assuming it is clean.
  • Notify affected clients: if the hosting provider detects compromise, clients whose sites or data may have been accessed must be notified without delay, particularly where GDPR obligations exist.
  • Do not assume patching removes the backdoor: if the server was compromised before the patch, the Filemanager backdoor may still be active after the update. Patching and actively hunting the implant are separate steps — both are mandatory.
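The IoC list and the checklist above both come down to two searches that are worth automating across a fleet: successful panel logins from addresses or at hours you do not expect, and PHP files in document roots that are newly written or carry the names the article lists. The block below is an added example for this article, not code from the author, from cPanel, or from any published report on the Filemanager backdoor. The log lines are constructed, the regex approximates the login_log layout and may need adjusting to your server's lines, the allowlist 203.0.113.0/24 stands in for your administrators' networks, and the file-name patterns are taken from the article's IoC list rather than from a published signature.

```python
"""Triage helpers for a suspected cPanel/WHM compromise.

Added example for this article, not code from the author, from cPanel or from
any published report on the Filemanager backdoor. Implements two checks from
the IoC list: successful panel logins from unexpected addresses or hours, and
PHP files in document roots that are newly written or suspiciously named. The
sample log lines are constructed; adjust LOG_RE to your server's login_log.
"""
import ipaddress
import re
import sys
import time
from pathlib import Path

# Constructed sample lines loosely modelled on /usr/local/cpanel/logs/login_log.
# 203.0.113.0/24 plays the role of the administrator's known network.
SAMPLE_LOGIN_LOG = """\
[2026-05-12 09:14:02 +0200] info [whostmgrd] 203.0.113.10 - root "POST /login/?login_only=1 HTTP/1.1" NEW LOGIN SESSION root:a1b2c3 address=203.0.113.10 app=whostmgrd
[2026-05-12 23:41:55 +0200] info [cpaneld] 198.51.100.77 - alice "POST /login/ HTTP/1.1" FAILED LOGIN cpaneld: user password hash is miss
[2026-05-13 03:07:19 +0200] info [whostmgrd] 198.51.100.77 - root "GET /login/?login_only=1 HTTP/1.1" NEW LOGIN SESSION root:d4e5f6 address=198.51.100.77 app=whostmgrd
[2026-05-13 08:30:00 +0200] info [cpaneld] 203.0.113.10 - alice "POST /login/ HTTP/1.1" NEW LOGIN SESSION alice:778899 address=203.0.113.10 app=cpaneld
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\w+\s+\[(?P<svc>\w+)\]\s+(?P<ip>\S+)\s+-\s+(?P<user>\S+)\s+"
    r'"[^"]*"\s+(?P<result>NEW LOGIN SESSION|FAILED LOGIN)'
)

# File names from the article's IoC list (assumed patterns, not a published signature).
SUSPICIOUS_NAMES = re.compile(r"filemanager|^fm\.php$|^upload\.php$", re.IGNORECASE)


def suspicious_logins(log_text, allowed_cidrs, quiet_hours=(0, 6)):
    """Return successful logins from outside allowed_cidrs, or inside them during quiet_hours.

    Only NEW LOGIN SESSION lines matter: with an authentication bypass there is
    no run of FAILED LOGIN lines before the attacker's session.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "NEW LOGIN SESSION":
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
            known = any(addr in n for n in nets)
        except ValueError:          # unparsable address: never trust it
            known = False
        hour = int(m["ts"][11:13])  # "YYYY-MM-DD HH:MM:SS ..." -> HH
        off_hours = quiet_hours[0] <= hour < quiet_hours[1]
        if not known or off_hours:
            hits.append({"ts": m["ts"], "service": m["svc"], "user": m["user"], "ip": m["ip"],
                         "reason": "unknown source" if not known else "off-hours"})
    return hits


def sweep_php(root, max_age_days=7, now=None):
    """Return sorted (path, reasons) for PHP files under root that are recent or suspiciously named.

    Both mtime and ctime are checked: an attacker back-dates mtime with touch,
    but ctime only moves when the inode changes, so a fresh ctime on an "old"
    file is itself a signal.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    findings = []
    for path in Path(root).rglob("*.php"):
        try:
            st = path.stat()
        except OSError:
            continue
        reasons = []
        if max(st.st_mtime, st.st_ctime) >= cutoff:
            reasons.append("recent")
        if SUSPICIOUS_NAMES.search(path.name):
            reasons.append("suspicious name")
        if reasons:
            findings.append((str(path), reasons))
    return sorted(findings)


if __name__ == "__main__":
    # On a server: python3 triage.py /home 203.0.113.0/24 2001:db8::/32
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    allowed = sys.argv[2:] or ["203.0.113.0/24"]
    log_path = Path("/usr/local/cpanel/logs/login_log")
    text = log_path.read_text(errors="replace") if log_path.exists() else SAMPLE_LOGIN_LOG
    for hit in suspicious_logins(text, allowed):
        print("LOGIN", hit)
    for path, reasons in sweep_php(root):
        print("FILE ", path, ",".join(reasons))
```

On the constructed sample, the only flagged session is the root WHM login from 198.51.100.77 at 03:07, which is both outside the allowlist and inside quiet hours; the earlier failed attempt from the same address is context, not the trigger. Every hit from either function is a lead to investigate with the file preserved, not a verdict; copy suspicious files off the server before touching them.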

Cybersecurity as a strategic priority

CVE-2026-41940 in cPanel is a reminder of something the hosting industry has yet to fully internalise: shared hosting infrastructure is one of the highest-multiplier attack vectors available. Compromising a hosting server does not mean compromising one website. It means potentially compromising the entire client portfolio of that server.

For businesses whose website and corporate email live on shared cPanel hosting, the message is direct: the security of your digital presence does not depend only on what you do, but on what your hosting provider does. Knowing whether your provider has applied the CVE-2026-41940 patch is not an optional technical question. It is a risk management question you must be able to answer today.

Apolo Cybersecurity: protecting web infrastructure and hosting servers

At Apolo Cybersecurity we help businesses, digital agencies and hosting providers assess their exposure to critical vulnerabilities like CVE-2026-41940 and respond to active server compromises. We work on web server and hosting panel auditing, webshell and backdoor detection and removal, cPanel/WHM hardening, continuous file integrity monitoring, and incident response plans for hosting providers with GDPR obligations.

If your company or your clients use cPanel hosting and you have no confirmation that the CVE-2026-41940 patch has been applied, now is the time to verify it. The Filemanager backdoor does not wait.
