Stealthy Hackers Exploit cPanel Flaw in Active Backdoor Campaign (CVE-2026-41940)

Help Net Security, May 12, 2026

Why It Matters

The exploit gives threat actors full administrative control over web‑hosting infrastructure, jeopardizing millions of websites and sensitive data, and highlights the urgent need for rapid patching of cPanel installations.

Key Takeaways

  • CVE‑2026‑41940 bypasses cPanel authentication, granting admin rights
  • Mr_Rot13 group has run covert operations since 2020
  • Filemanager trojan provides persistent remote control of compromised servers
  • Over 2,000 IPs launch automated attacks from Germany, US, Brazil, Netherlands

Pulse Analysis

The discovery of CVE‑2026‑41940 underscores a critical weakness in the cPanel and WHM ecosystem, platforms that power a substantial share of the web‑hosting market. By allowing password‑less login, the flaw opens a direct path to root privileges, enabling attackers to alter system configurations, harvest credentials, and embed malicious code. This type of privilege escalation is especially dangerous because cPanel often serves as the administrative gateway for multiple client sites, meaning a single breach can cascade across dozens or hundreds of hosted domains.

XLab's attribution to the "Mr_Rot13" group adds a layer of strategic insight. The group's long‑standing use of the wrned.com domain and a zero‑detection PHP backdoor suggest a sophisticated, low‑profile operation that evades conventional security tools. Their tactics—changing root passwords, planting hidden SSH keys, and injecting credential‑stealing scripts into the login page—demonstrate a comprehensive approach to persistence and data exfiltration. The deployment of the Filemanager trojan further extends their reach, providing a cross‑platform remote‑control capability that can be leveraged for ransomware, botnet recruitment, or espionage.

For enterprises and hosting providers, the immediate priority is patching vulnerable cPanel versions and deploying the detection scripts released by cPanel. However, the broader lesson is the necessity of continuous monitoring for anomalous login activity and outbound traffic to known C2 domains. Threat intelligence sharing, such as XLab's indicators of compromise, becomes vital in a landscape where attackers can weaponize a single flaw to compromise thousands of servers globally. Proactive defense, rapid patch cycles, and robust credential hygiene are essential to mitigate the fallout from this emerging threat.
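As an added example (not from the article, from XLab, or from cPanel's own detection scripts), the following Python triage script runs the kind of monitoring the paragraph calls for over a handful of constructed log lines: contact with the wrned.com domain named in the report, a root password change, a write to an authorized_keys file, and a root SSH login from an address outside an assumed allow-list. The log line formats, the allow-list address and the sample lines are all assumptions modelled on common syslog, PAM and auditd messages, not cPanel's or WHM's own log formats.

```python
"""Triage host logs for the persistence and C2 indicators described in the report.

Added example; not the article's, XLab's or cPanel's code. Log formats are
assumptions modelled on common syslog/PAM/auditd messages.
"""
import re
from dataclasses import dataclass

# Indicator taken from the report: the group's long-standing domain.
C2_DOMAINS = {"wrned.com"}

# Assumed allow-list of addresses from which interactive root SSH logins are
# expected (constructed documentation-range value).
ALLOWED_ADMIN_IPS = {"198.51.100.10"}


def _regex_rule(pattern):
    """Wrap a regex as a line predicate."""
    rx = re.compile(pattern)
    return lambda line: rx.search(line) is not None


_ROOT_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (\S+)")


def _root_login_from_unlisted_ip(line):
    """True for an accepted root SSH login whose source is not allow-listed."""
    m = _ROOT_LOGIN.search(line)
    return bool(m) and m.group(1) not in ALLOWED_ADMIN_IPS


# Each rule is (name, predicate). Patterns are assumptions, not vendor formats.
RULES = [
    ("c2_domain_contact",
     _regex_rule(r"\b(" + "|".join(re.escape(d) for d in C2_DOMAINS) + r")\b")),
    ("root_password_changed",
     _regex_rule(r"passwd\[\d+\]: .*password changed for root\b")),
    ("ssh_authorized_keys_modified",
     _regex_rule(r'type=PATH .*name="/(root|home/[^/"]+)/\.ssh/authorized_keys"'
                 r'.*nametype=(CREATE|NORMAL)')),
    ("root_ssh_login_from_unlisted_ip", _root_login_from_unlisted_ip),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    line: str


def triage(lines):
    """Return one Finding per (line, rule) hit, in log order."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        for name, matches in RULES:
            if matches(line):
                findings.append(Finding(name, idx, line))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample lines (syslog-shaped); 203.0.113.5 is a documentation address.
SAMPLE_LOGS = [
    "May 12 03:14:07 host1 sshd[2201]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2",
    "May 12 03:14:09 host1 passwd[2210]: pam_unix(passwd:chauthtok): password changed for root",
    'May 12 03:14:11 host1 audit: type=PATH msg=audit(1778556851.101:77): item=0 '
    'name="/root/.ssh/authorized_keys" nametype=NORMAL',
    "May 12 03:14:15 host1 named[812]: client 127.0.0.1#43210: query: wrned.com IN A + (127.0.0.1)",
    "May 12 03:15:00 host1 cron[901]: (root) CMD (run-parts /etc/cron.hourly)",
    'May 12 03:15:30 host1 audit: type=PATH msg=audit(1778556930.002:78): item=0 '
    'name="/home/site1/public_html/index.php" nametype=NORMAL',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f.rule}] line {f.line_no}: {f.line}")
    print(summarize(triage(SAMPLE_LOGS)))
```

Against the sample, four of the six lines fire, one per rule; the cron line and the write to a site's index.php do not. In practice the rules would be fed from the host's real log sources and the allow-list and domain set kept in configuration, and any hit on the C2 rule is worth an immediate look since the report describes the domain as long-standing infrastructure rather than a transient one.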
