CVE-2026-41940 Critical Flaw in cPanel Actively Exploited; Threat Actor Mr_Rot13 Deploys Filemanager Backdoor
A critical vulnerability in cPanel and WebHost Manager (WHM), designated CVE-2026-41940, is under active exploitation by a threat actor identified as Mr_Rot13, who is deploying a backdoor named Filemanager on compromised servers. The flaw enables authentication bypass, granting remote attackers elevated control over web hosting environments. Security researchers first documented the exploitation pattern after observing unauthorized access attempts targeting the control panel infrastructure that manages millions of websites globally.
The attack chain uses the authentication bypass to gain initial access, then deploys the Filemanager backdoor, which provides persistent remote access and file manipulation capabilities on affected systems. cPanel is one of the most widely deployed control panels among web hosting providers, so the potential blast radius of this vulnerability extends across numerous providers and their customer bases. The vulnerability's critical severity rating reflects the ability to bypass authentication controls entirely, removing the primary barrier between an attacker and administrative-level access to hosted domains.
Web hosting administrators are urged to apply available patches immediately and audit access logs for signs of unauthorized Filemanager module installation or unusual administrative actions. The emergence of a named threat actor like Mr_Rot13, rather than generic scanning activity, suggests targeted exploitation, possibly for deployment of additional payloads, data exfiltration, or further lateral movement within hosting infrastructure. Organizations relying on shared hosting environments should coordinate with their providers to confirm remediation status and consider isolated monitoring given the administrative access this vulnerability provides.