cPanel CVE-2026-41940 Exploited to Drop Filemanager Backdoor

Stephanie Adlam

Attackers are actively exploiting cPanel & WHM CVE-2026-41940, an unauthenticated authentication bypass flaw, to compromise hosting servers and deploy backdoors. XLab says it has observed large-scale abuse since the flaw was publicly disclosed on April 28, including mining, ransomware, botnet activity, backdoor implantation, and more than 2,000 attacker source IPs involved in automated attacks [1].

The most useful detail for hosting admins is the post-exploitation chain. XLab tied one cluster, tracked as Mr_Rot13, to a Go-based infector that implants an SSH public key, drops malicious PHP and JavaScript, steals login credentials, sends stolen data to a Telegram-controlled channel, and deploys a remote-control trojan named Filemanager [1]. That means a patched control panel can still be unsafe if the server was hit before the update and the attacker already planted access.

What Hosting Teams Should Verify

CVE-2026-41940 was separately analyzed by watchTowr as a cPanel & WHM authentication bypass issue, while cPanel published its security update on April 28 [2][3]. For small hosting providers and site owners using managed servers, the practical question is not only “is WHM patched now?” but “was the server exposed while vulnerable?” Public cPanel and WHM services on ports such as 2082, 2083, 2086, 2087, 2095, and 2096 deserve priority review if they were internet-facing during the disclosure window.

The first response step is version confirmation and update verification. After that, look for new SSH authorized keys, unfamiliar PHP files under account web roots, recently changed JavaScript injected into hosted sites, suspicious binaries using hosting-friendly names such as Filemanager, and outbound traffic to unknown Telegram or downloader infrastructure. Credential resets should come after file and persistence review, not before it, because a live backdoor can simply collect the replacement credentials.
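As an added illustration of the file and persistence review described above (an example script written for this article, not tooling from XLab, watchTowr or cPanel), the following POSIX shell helper lists the four artifact classes on a cPanel-style host. It assumes the default cPanel layout (accounts under /home/<user>/public_html, root keys in /root/.ssh) and an exposure window given in days; ROOT lets you run it against a mounted disk image or a copied tree instead of the live filesystem.

```shell
#!/bin/sh
# Example triage helper for a cPanel/WHM host (added example, not the article's
# or any vendor's code). Assumptions: standard cPanel paths and a SINCE_DAYS
# exposure window. Set ROOT to a mounted image to review it offline.
ROOT="${ROOT:-/}"
SINCE_DAYS="${SINCE_DAYS:-30}"

# Strip a trailing slash so "$(base)/home" is valid whether ROOT is "/" or "/mnt/img".
base() { printf '%s' "${ROOT%/}"; }

# 1. authorized_keys files (root and every hosted account) modified inside the window.
recent_authorized_keys() {
  find "$(base)/root/.ssh" "$(base)/home" -maxdepth 3 -type f -name authorized_keys \
       -mtime -"$SINCE_DAYS" 2>/dev/null
}

# 2. PHP and JavaScript under account web roots modified inside the window.
recent_web_files() {
  find "$(base)/home" -path '*/public_html/*' -type f \
       \( -name '*.php' -o -name '*.js' \) -mtime -"$SINCE_DAYS" 2>/dev/null
}

# 3. Executable files named exactly "Filemanager" (case-insensitive) on the root filesystem.
filemanager_binaries() {
  find "$ROOT" -xdev -type f -iname filemanager -perm -100 2>/dev/null
}

# 4. Hosted files that reference the Telegram Bot API hostname used for exfiltration.
telegram_references() {
  grep -rIl 'api\.telegram\.org' "$(base)/home" 2>/dev/null
}

triage_report() {
  echo "== authorized_keys modified in the last $SINCE_DAYS days =="; recent_authorized_keys
  echo "== PHP/JS under public_html modified in the last $SINCE_DAYS days =="; recent_web_files
  echo "== executables named Filemanager =="; filemanager_binaries
  echo "== hosted files referencing api.telegram.org =="; telegram_references
}

# Usage: ROOT=/mnt/image SINCE_DAYS=20 sh cpanel-triage.sh run
case "${1:-}" in run) triage_report ;; esac
```

The output is a review list, not a verdict: legitimate deployments also touch PHP files, so correlate each hit with deployment records and cPanel access logs before acting, and copy the findings out for evidence before deleting anything, in line with the cleanup order above.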

This is also why the current exploitation is distinct from the earlier cPanel WHM patch roundup: that post was about fixing disclosed bugs, while this case is about active abuse and cleanup logic. If logs show suspicious WHM activity, unexpected account changes, or modified hosted content, treat the server as a potentially compromised Linux host: preserve evidence, audit all hosted accounts, rotate reseller/root credentials after cleanup, and consider rebuilding high-value servers when root-level tampering cannot be excluded.

References

  1. XLab: “Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 for Backdoor Deployment,” May 11, 2026 (report).
  2. watchTowr Labs: “cPanel & WHM Authentication Bypass CVE-2026-41940,” April 29, 2026 (analysis).
  3. cPanel: “Security CVE-2026-41940 cPanel & WHM WP2 Security Update,” April 28, 2026 (advisory).

Related: The Cisco Catalyst SD-WAN CVE-2026-20182 case shows the same response pattern: patch quickly, but collect indicators first when exploitation is possible.

Related: LiteSpeed also patched an actively exploited cPanel user-end plugin flaw, CVE-2026-48172, where compromised cPanel access could lead to root-level script execution.
