Vulnerability Management

Threat actor Mr_Rot13 exploits critical cPanel flaw to deploy Filemanager backdoor

May 12, 2026

By SC Staff

As noted by The Hacker News, a threat actor known as Mr_Rot13 has been actively exploiting a recently disclosed critical vulnerability in cPanel, identified as CVE-2026-41940, to deploy a backdoor named Filemanager on compromised systems. This vulnerability allows for authentication bypass and grants remote attackers elevated control over the control panel.

The exploitation of CVE-2026-41940, which affects cPanel and WebHost Manager, has been observed shortly after its public disclosure. Threat actors are leveraging this flaw for various malicious activities, including cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation. Security researchers have identified over 2,000 attacker IP addresses globally involved in automated attacks targeting this vulnerability, with a significant concentration originating from Germany, the United States, Brazil, and the Netherlands.

The attack chain involves downloading a Go-based infector that installs an SSH public key for persistent access and deploys a PHP web shell. This web shell facilitates file management and remote command execution, and is used to inject JavaScript code that steals login credentials, encoded using ROT13. The ultimate goal is the deployment of a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems. The infector also collects sensitive information, such as bash history, SSH data, and database passwords, and sends it to a Telegram group.

The threat actor, Mr_Rot13, has demonstrated a low detection rate for their infrastructure and samples over the past six years, indicating a long-standing and stealthy operation.
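A defender-side triage sketch for the ROT13 detail in the attack chain, added here as an example and not taken from the article or the researchers' tooling: it flags JavaScript string literals that reveal credential-related words or URLs only after ROT13 decoding. The keyword list, function names and sample script are constructed assumptions; the article does not say which strings the injected code encodes.

```python
import codecs
import re

# Assumed indicator words; tune them to the login forms and hosts you protect.
KEYWORDS = ("password", "passwd", "username", "login", "https://", "http://")

# Single-, double- or backtick-quoted JavaScript string literals.
STRING_LITERAL = re.compile(r"""(["'`])((?:\\.|(?!\1).)*)\1""", re.S)


def rot13(text):
    """ROT13 is its own inverse, so decoding and encoding are the same call."""
    return codecs.decode(text, "rot_13")


def find_rot13_strings(js_source, keywords=KEYWORDS):
    """Return (line_no, literal, decoded, keyword) for each string literal
    that shows an indicator word only after ROT13 decoding."""
    hits = []
    for match in STRING_LITERAL.finditer(js_source):
        literal = match.group(2)
        decoded = rot13(literal)
        for kw in keywords:
            # Skip literals that already contain the word in plain text.
            if kw in decoded.lower() and kw not in literal.lower():
                line_no = js_source.count("\n", 0, match.start()) + 1
                hits.append((line_no, literal, decoded, kw))
                break
    return hits


# Constructed sample, not a real specimen: two encoded field names and an
# encoded URL sit next to ordinary plaintext literals.
SAMPLE_JS = '''\
var form = document.querySelector("#login_form");
var k = ["hfreanzr", "cnffjbeq"];
var dst = "uggcf://pbyyrpgbe.rknzcyr/p";
var label = "Enter your password";
'''

if __name__ == "__main__":
    for line_no, literal, decoded, kw in find_rot13_strings(SAMPLE_JS):
        print(f"line {line_no}: {literal!r} -> {decoded!r} (matched {kw!r})")
```

A hit is a lead for manual review of the file and its modification history, not proof of compromise.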
Source: The Hacker News