
cPanel and WHM Servers Targeted in Attacks Exploiting CVE-2026-41940
Why It Matters
The campaign shows how a single critical server-side flaw can turn a hosting control panel into a long-lived foothold for credential theft and ransomware staging, which is why hosting providers and enterprises need to patch immediately and then verify that no persistence was left behind.
Key Takeaways
- CVE-2026-41940 carries a CVSS score of 9.8 and allows unauthenticated administrator access
- Over 2,000 source IPs have launched automated exploitation attempts since the April disclosure
- Mr_Rot13 deploys Go payloads that reset the root password and add attacker SSH keys
- Attackers drop Python webshells and a "filemanager" Trojan gated behind bcrypt authentication
- Stolen credentials are exfiltrated to ROT13-obfuscated domains or to a Telegram channel
Pulse Analysis
The recent wave of attacks against cPanel and WHM servers underscores the high stakes of server-side vulnerabilities in the shared-hosting ecosystem. CVE-2026-41940, a critical authentication bypass, grants attackers full administrator privileges without any credentials. A CVSS score of 9.8 corresponds to a flaw that is reachable over the network, requires no privileges and no user interaction, and yields complete loss of confidentiality, integrity and availability; in practice that means an attacker who can reach the panel can go straight from an unauthenticated request to root-equivalent control of the underlying Linux host. For managed service providers, rapid patch deployment and continuous monitoring of installed cPanel/WHM versions against the fixed release are non-negotiable if they are not to become a launchpad for broader intrusions.
Mr_Rot13's campaign is notable for its layered payload strategy. The group delivers a Go-based implant that silently resets the root password, plants SSH keys labeled "cpanel-updater" in authorized_keys, and drops a Python webshell as a fallback channel. In addition, a bespoke "filemanager" Trojan provides a web-based GUI whose login is protected by a bcrypt-hashed password; the hashing does not hide the Trojan's traffic, but it does stop defenders and rival attackers from reusing the backdoor once they find it. This multi-stage approach ensures persistent access and complicates cleanup, since each component is named to resemble legitimate cPanel tooling and removing one does not remove the others. Security teams should therefore augment signature-based defenses with behavioral checks that flag changes to /etc/shadow and to any authorized_keys file, new listening sockets, and Python processes spawned under the web server.
The broader implications extend beyond individual server compromises. Exfiltrated credentials are funneled to ROT13-obfuscated domains or a dedicated Telegram channel, illustrating how threat actors blend classic obfuscation with modern communication platforms. ROT13 is a letter substitution, not encryption, so any string recovered from the payloads can be decoded immediately and the resulting hostnames blocked; outbound connections to the Telegram API from a hosting server are themselves a strong indicator. Enterprises that rely on cPanel for client hosting face heightened risk of data leakage, regulatory penalties, and reputational damage. Proactive measures, such as enforcing two-factor authentication for WHM, restricting the WHM ports (2086/2087) to management networks, isolating privileged accounts, and continuous threat-intel monitoring, are essential. Because the implant resets root credentials and adds its own keys, patching alone does not evict an attacker who is already present: a compromised host needs its root password rotated, foreign SSH keys removed, and the webshell and Trojan cleaned out, or, better, a rebuild from a known-good image.
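The two paragraphs above describe three host-level artefacts: a foreign SSH key with the "cpanel-updater" label, a reset root password, and ROT13-obfuscated exfiltration domains. The following triage script is an added example (not code from the article, from the Mr_Rot13 campaign, or from cPanel) that checks for each of them. It assumes the key label is matched as a case-insensitive substring of the key comment, that the shadow(5) file uses the standard layout (third field is the last password change in days since 1970-01-01), and uses a deliberately short sample list of top-level domains; the authorized_keys and shadow inputs are constructed for the example.

```python
"""Host triage for the cPanel/WHM persistence artefacts described above.

Added example: not the article's or the campaign's code. The sample inputs at
the bottom are constructed, and the TLD list is a small illustrative sample.
"""
import codecs
import re
from datetime import date, timedelta

# Label the article reports on the planted SSH keys (matched as a substring).
SUSPICIOUS_KEY_LABELS = ("cpanel-updater", "cpanel_updater")
# First token that is an SSH key type; anything before it is an options prefix.
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-|sk-)")
HOSTNAME_RE = re.compile(r"^(?=.{4,253}$)([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
# Assumed sample of TLDs; extend for real use. ROT13 of "com" is "pbz", which is
# not a TLD, so a plain domain does not get mis-flagged as obfuscated.
KNOWN_TLDS = {"com", "net", "org", "io", "ru", "xyz", "top", "info"}


def parse_authorized_keys(text):
    """Yield (key_type, comment) for every key line in an authorized_keys file.

    Tolerates an options prefix such as command="..." or from="..." before the
    key type. Options containing whitespace are not handled (triage heuristic).
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if KEY_TYPE_RE.match(tok) and i + 1 < len(tokens):
                yield tok, " ".join(tokens[i + 2:])
                break


def find_suspicious_keys(text):
    """Return the comments of keys carrying one of the flagged labels."""
    return [comment for _, comment in parse_authorized_keys(text)
            if any(label in comment.lower() for label in SUSPICIOUS_KEY_LABELS)]


def rot13(s):
    """ROT13 is its own inverse, so one function both encodes and decodes."""
    return codecs.encode(s, "rot_13")


def decode_rot13_hosts(candidates):
    """Map each candidate string to its ROT13 decoding when that decoding is a
    plausible hostname with a known TLD. Strings that are already plain
    hostnames (or IPs) decode to garbage and are left out."""
    found = {}
    for cand in candidates:
        decoded = rot13(cand).lower()
        if HOSTNAME_RE.match(decoded) and decoded.rsplit(".", 1)[-1] in KNOWN_TLDS:
            found[cand] = decoded
    return found


def root_password_changed_since(shadow_text, since):
    """True if root's password was last changed on or after `since` (a date),
    based on shadow(5) field 3 (days since the Unix epoch)."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == "root":
            if not fields[2]:
                return False  # never changed / field unset
            last_change = date(1970, 1, 1) + timedelta(days=int(fields[2]))
            return last_change >= since
    return False


# Constructed sample inputs (not real keys, hashes, or observed indicators).
SAMPLE_AUTHORIZED_KEYS = """\
# legitimate admin key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleLegitKeyBlob admin@workstation
command="/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleBlob cpanel-updater
"""
SAMPLE_SHADOW = "root:$6$constructed$notarealhash:20500:0:99999:7:::\nnobody:*:18000:0:99999:7:::\n"
SAMPLE_STRINGS = ["rknzcyr.pbz", "example.com", "127.0.0.1", "api.telegram.org"]

if __name__ == "__main__":
    print("suspicious keys:", find_suspicious_keys(SAMPLE_AUTHORIZED_KEYS))
    print("decoded hosts:", decode_rot13_hosts(SAMPLE_STRINGS))
    # Day 20500 since the epoch is 2026-02-16 in the constructed shadow line.
    print("root password changed since 2026-02-01:",
          root_password_changed_since(SAMPLE_SHADOW, date(2026, 2, 1)))
```

Run it against real data by feeding the contents of every authorized_keys file on the host (root's and each cPanel account's), /etc/shadow, and any string literals pulled from the dropped Python and Go files; a hit on any of the three checks is grounds to treat the server as compromised rather than merely unpatched.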