cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

Ravie LakshmananMay 11, 2026Vulnerability / Ransomware

A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments.

The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.

According to a new report from QiAnXin XLab, the security defect has been exploited by a number of threat actors shortly after its public disclosure late last month, resulting in malicious behaviors like cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation.

"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability," XLab researchers said. "These IPs are distributed across multiple regions globally, primarily originating from Germany, the United States, Brazil, the Netherlands, and other regions."

cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

Other newsrooms on this story

Related reading

Critical cPanel exploited: 'Millions' of sites could be hit

PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution

Critical cPanel, WHM flaw probs exploited as 0-day, pros say

⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub…

'Dirty Frag' Linux flaw one-ups CopyFail with no patches and public root exploit