A critical vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is, according to researchers from QiAnXin XLab, being actively exploited by multiple threat actors to deploy backdoors, cryptocurrency miners, ransomware, and botnets. According to the XLab report, more than 2,000 attacker IP addresses are involved in automated attacks against this vulnerability. Administrators of servers running cPanel must immediately check for updates and signs of compromise.
Technical profile of the vulnerability and attack chain
The CVE-2026-41940 vulnerability affects the cPanel and WHM control panels and reportedly allows authentication bypass, giving remote attackers elevated control over the control panel. Important caveat: at the time of publication, there is no official confirmation of this CVE from the cPanel vendor, no entry in NVD, and no CISA advisory, so the details of the vulnerability should be treated with caution.
According to the researchers, the attack chain consists of several sequential stages:
- Initial exploitation — use of the vulnerability to gain access to the control panel
- Infector download — a shell script uses wget or curl to download a Go binary from the server cp.dene[.]de[.]com
- Persistence in the system — the infector implants the attacker’s SSH key for persistent access and installs a PHP web shell with file upload/download and remote command execution capabilities
- Credential theft — the web shell injects JavaScript code that replaces the login page to capture usernames and passwords, which are sent to the domain wrned[.]com
- Backdoor deployment — the final stage involves installing the cross‑platform backdoor Filemanager, which, according to the researchers, can run on Windows, macOS, and Linux
The Filemanager backdoor is reportedly delivered via a shell script from the domain wpsock[.]com and supports file management, remote command execution, and interactive shell functionality.
Data collection and exfiltration
In addition to installing the backdoor, the infector, according to XLab, collects a wide range of sensitive information from the compromised host:
- Bash command history
- SSH data (keys, configurations)
- Device information
- Database passwords
- cPanel virtual aliases (valiases)
The collected data is allegedly exfiltrated to a Telegram group with three participants, created by a user with the nickname “0xWR”. Using Telegram as a command channel is a common tactic that makes it harder to block the attackers’ infrastructure.
Threat context and attribution
XLab researchers link the campaign to a group they call Mr_Rot13, named after the ROT13 cipher used to encode the C2 server’s domain name. The domain name wrned[.]com becomes jearq[.]com when decoded using ROT13.
An indirect indication of the group’s long‑running activity is the discovery of a PHP backdoor, helper.php, uploaded to VirusTotal in April 2022 and using the same C2 domain. The domain itself was reportedly registered in October 2020, pointing to potentially years‑long activity.
It should be emphasized that the attribution is based on a single research source and has not been confirmed by independent analysts or government entities.
According to XLab, the attackers’ IP addresses are spread across multiple regions, primarily Germany, the United States, Brazil, and the Netherlands. However, the geographic distribution of source IP addresses may reflect the locations of proxy servers and VPNs rather than the operators’ actual locations.
Impact assessment
cPanel remains one of the most widely used hosting control panels in the world. Compromising a server running cPanel can potentially affect all sites and accounts hosted on it, making each compromised server an entry point for attacks against dozens or hundreds of web resources at once.
The combination of authentication bypass, credential theft, and a cross‑platform backdoor creates a multi‑layered threat: even after the initial entry point is detected and removed, attackers may retain access via implanted SSH keys or stolen credentials.
Indicators of compromise
- Domains: cp.dene[.]de[.]com, wrned[.]com, wpsock[.]com
- SHA‑256 hash: 2d7d121dfcca6c17130ef605124869bf84ce77bee343ada78e0db2236174583a (helper.php)
Defense recommendations
- Check for cPanel/WHM updates and install the latest available version
- Audit the authorized_keys file for all server accounts and remove unknown SSH keys
- Check for suspicious PHP files in cPanel directories, especially those using eval(), base64_decode(), and network calls
- Review outbound connections to the listed domains in DNS and network traffic logs
- Verify the integrity of cPanel login pages — injected JavaScript may be altering the authentication form
- Change all administrative and database passwords on compromised servers
- Restrict access to the cPanel/WHM interface by IP address using a firewall
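The host-level checks in the list above (unknown SSH keys, web-shell-style PHP files, IoC domains in logs, the published helper.php hash), together with the ROT13 decoding from the attribution section, as one shell script. This is an added example written for this article, not tooling from XLab, cPanel or the researchers. It assumes the administrator keeps an allowlist of known keys in "keytype base64" format, that paths are supplied by the caller, and that the extra function names in the PHP regex beyond the article's eval()/base64_decode() (shell_exec, passthru, curl_exec, fsockopen) are an editorial choice. All sample data in build_sample_tree is constructed for the demo.

```shell
#!/bin/bash
# Host-triage helpers for the recommendations above: unknown SSH keys,
# web-shell-style PHP files, IoC domains in logs, the published helper.php hash,
# and the ROT13 check on the C2 domain. Added example for this article; not
# tooling from XLab, cPanel or the researchers.
# Assumptions: the administrator maintains a "keytype base64" allowlist of known
# keys, paths are passed in by the caller, and every sample value in
# build_sample_tree is constructed for the demo.

# Domains from the IoC list with the [.] defanging removed so they match raw logs.
IOC_DOMAIN_RE='cp\.dene\.de\.com|wrned\.com|wpsock\.com'
# SHA-256 of helper.php as given in the IoC list.
HELPER_PHP_SHA256='2d7d121dfcca6c17130ef605124869bf84ce77bee343ada78e0db2236174583a'
# Calls typical of web shells; a hit is a lead to inspect, not proof of compromise.
# eval/base64_decode come from the article; the rest are an editorial addition.
SUSPICIOUS_PHP_RE='eval\(|base64_decode\(|shell_exec\(|passthru\(|curl_exec\(|fsockopen\('

# Print "keytype base64" for each key in an authorized_keys file that is absent
# from the allowlist. Matching on key material ignores option prefixes and the
# comment field, so a planted key cannot hide behind a familiar-looking comment.
unknown_ssh_keys() {
  local authkeys="$1" allowlist="$2"
  grep -v '^[[:space:]]*#' "$authkeys" \
    | awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break } }' \
    | grep -vxF -f "$allowlist"
}

# List PHP files under a directory that contain any of the suspicious calls.
suspicious_php_files() {
  find "$1" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_PHP_RE" {} + 2>/dev/null | sort
}

# Print log lines (DNS, proxy, firewall) that mention an IoC domain.
ioc_domain_hits() {
  grep -hE "$IOC_DOMAIN_RE" "$@"
}

# SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | awk '{ print $1 }'
}

# Exit status 0 if the file matches the published helper.php hash.
is_known_helper_php() {
  [ "$(file_sha256 "$1")" = "$HELPER_PHP_SHA256" ]
}

# ROT13, to reproduce the researchers' decoding of the C2 domain label.
rot13() {
  printf '%s' "$1" | LC_ALL=C tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Build a constructed sample tree so the checks can be exercised offline.
# Prints the directory path; the caller removes it.
build_sample_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/public_html/wp-content" "$d/.ssh"
  # Administrator's allowlist (constructed key material, not a real key).
  printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyMaterial' > "$d/known_keys"
  # authorized_keys: the known key plus an unknown one reusing the same comment.
  cat > "$d/.ssh/authorized_keys" <<'EOF'
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyMaterial admin@laptop
no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey admin@laptop
EOF
  # A benign PHP file and an inert fixture that only exercises the regex.
  printf '<?php echo "hello";\n' > "$d/public_html/index.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); // constructed fixture\n' \
    > "$d/public_html/wp-content/cache.php"
  # Constructed DNS log lines; one resolves an IoC domain.
  cat > "$d/dns.log" <<'EOF'
2026-05-01T10:00:01Z client 10.0.0.5 query example.com A
2026-05-01T10:00:07Z client 10.0.0.5 query wrned.com A
2026-05-01T10:00:09Z client 10.0.0.9 query cpanel.net A
EOF
  printf '%s\n' "$d"
}

# Stand-alone demo on the constructed tree.
demo=$(build_sample_tree)
echo "== SSH keys not in allowlist =="; unknown_ssh_keys "$demo/.ssh/authorized_keys" "$demo/known_keys"
echo "== PHP files with web-shell-style calls =="; suspicious_php_files "$demo/public_html"
echo "== IoC domains in dns.log =="; ioc_domain_hits "$demo/dns.log"
echo "== cache.php matches published helper.php hash? =="
if is_known_helper_php "$demo/public_html/wp-content/cache.php"; then echo yes; else echo no; fi
echo "== ROT13(wrned) = $(rot13 wrned) =="
rm -rf "$demo"
```

On a real server, point unknown_ssh_keys at each account's ~/.ssh/authorized_keys (root included), suspicious_php_files at the account document roots, and ioc_domain_hits at the resolver, proxy and firewall logs. The key comparison deliberately ignores the comment field because it is free text an intruder can set to anything; only the key material identifies the key.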
Administrators of servers running cPanel/WHM are advised to first check for unauthorized SSH keys and suspicious PHP files — these two signs are the most reliable indicators of the described compromise. If evidence of an attack is found, the server must be isolated, a full audit of all hosted accounts must be carried out, and all credentials stored on the server should be treated as compromised.