Last updated: May 13, 2026 at 5:42 AM UTC
Tag: cpanel (5 articles)

Mr_Rot13 actor exploits cPanel CVE-2026-41940 to deploy cross-platform 'Filemanager' backdoor

QiAnXin XLab has tied the ongoing exploitation of cPanel's CVE-2026-41940 to a previously quiet threat actor it tracks as Mr_Rot13, who has been operating since at least 2020. The attack chain exploits the cPanel and WHM authentication bypass to drop a Go-based infector that adds an attacker SSH key, plants a PHP web shell, and serves a fake login page to steal cPanel credentials (ROT13-encoded, exfiltrated to wrned[.]com). The final payload is a cross-platform backdoor called Filemanager that runs on Windows, macOS, and Linux. XLab counts over 2,000 attacker source IPs currently scanning for this flaw.

Check
Search cPanel and WHM authentication logs for unusual successful logins since April 28. Check /root/.ssh/authorized_keys on every cPanel host for unknown public keys, and search web roots for unfamiliar PHP files.
Affected
Any cPanel or WHM installation that was not patched against CVE-2026-41940 between disclosure on April 28, 2026, and now. Indicators of Mr_Rot13 compromise include the SSH public key added under root, the wrned[.]com credential exfiltration domain, the cp.dene[.]de[.]com infector source, and the wpsock[.]com Filemanager delivery domain.
Fix
If still unpatched, install the cPanel fix for CVE-2026-41940 immediately. On any host that was internet-exposed and unpatched, assume compromise: remove unknown SSH keys from root, sweep for unfamiliar PHP web shells, block the indicator domains wrned[.]com, cp.dene[.]de[.]com, and wpsock[.]com at egress, rotate cPanel and WHM root credentials, and check bash_history for evidence of attacker reconnaissance.

cPanel patches three new flaws including two that let authenticated users run arbitrary Perl code on the server - on top of the active 'Sorry' ransomware wave still hitting unpatched systems

cPanel released patches Friday for three new vulnerabilities. The two worst (CVE-2026-29202 and CVE-2026-29203, both CVSS 8.8) let authenticated users execute arbitrary Perl code through the create_user API or escalate privileges via unsafe symlink chmod. The third (CVE-2026-29201, CVSS 4.3) lets authenticated users read arbitrary files. No exploitation observed yet. The disclosure lands while attackers are still mass-exploiting CVE-2026-41940 to deploy 'Sorry' ransomware against cPanel hosts, including a wave targeting government agencies and MSPs (covered May 5). Hosting providers face a compounding patch burden.

Check
Inventory cPanel and WHM versions. Check whether any servers are still on builds before the May 9 release. Search authentication logs for use of the create_user API or the feature::LOADFEATUREFILE adminbin call by accounts that don't normally use them.
Affected
cPanel and WHM versions before 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116/117, 11.102.0.41, 11.94.0.30, 11.86.0.43. Legacy CentOS 6 and CloudLinux 6 customers must patch to 110.0.114. The CVSS 8.8 flaws require authentication, so internet-facing cPanel servers with weak password policies face acute risk.
Fix
Patch cPanel to a fixed version per the May 9 advisory. Apply the new patches alongside the existing CVE-2026-41940 (Sorry ransomware) fix. Tighten cPanel user account password policies and enforce 2FA for any account with API access. Restrict cPanel ports (2082-2087, 2095-2096) to trusted IPs to limit pre-auth attack surface.

cPanel ransomware attackers are now hunting government agencies and the IT companies that manage them

Update on the cPanel ransomware wave covered May 3: attackers have shifted focus and are now exploiting CVE-2026-41940 to target governments and managed service providers. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2023 Kaseya VSA campaign.

Check
Audit /var/cpanel/sessions/raw/ for entries created since February 23, 2026. Search for files with the .sorry extension across hosted sites. Check authentication logs for unusual successful logins between February 23 and April 28.
Affected
Government agencies, MSPs, and hosting companies running unpatched cPanel infrastructure. Particularly acute: MSPs whose cPanel instances host downstream customer accounts - a single compromise spreads to many tenants. Federal agencies under BOD 22-01 must patch by May 21. State and local governments without that mandate face the same active threat without the same enforcement.
Fix
Patch cPanel to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. Restore from backups predating February 23 rather than just resuming operations. Rotate root, admin, and customer credentials. For MSPs: notify customers proactively before they discover compromise from a ransom note.

Hackers are mass-encrypting websites by exploiting last week's cPanel flaw - 44,000 servers compromised so far in 'Sorry' ransomware attacks

Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.

Check
If you run any cPanel or WHM server and have not yet patched, treat the server as already compromised - patch immediately, then start incident response rather than just resuming operations.
Affected
All cPanel and WHM versions before the April 28 emergency patch. ~1.5 million internet-exposed cPanel instances per Shodan, with 44,000 confirmed compromised. Hosting providers, web agencies, e-commerce sites on shared hosting, and any small business website on cPanel are in scope. Anyone whose cPanel was internet-reachable between February 23 and April 28 should assume compromise even if they patched promptly.
Fix
Patch cPanel to a fixed version. After patching, hunt for indicators of compromise (Sorry's '.sorry' file extension, unfamiliar admin sessions, cron entries pointing to /tmp/, modified /var/cpanel/sessions/raw/ files). Restore from clean backups predating February 23 if possible. Block cPanel ports (2082-2087, 2095-2096) at the firewall to non-trusted IPs. Rotate every credential the cPanel host had access to.

All cPanel and WHM versions had a critical authentication bypass that attackers may have been exploiting since February - emergency patches now released (CVE-2026-41940)

cPanel disclosed a critical authentication bypass on Monday affecting every cPanel and WHM version - including end-of-life builds. CVSS 9.8. The bug let unauthenticated attackers log in as administrators by abusing how the cPanel session daemon writes session files during login. Hosting providers including Namecheap, KnownHost, hosting.com, HostPapa, and InMotion took cPanel and WHM offline globally for hours while patches deployed. Researchers at watchTowr published a working proof-of-concept on April 29. KnownHost reports possible targeted exploitation as early as February 23, 2026 - more than two months before disclosure.

Check
If you run any cPanel or WHM server, confirm it's patched to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 today.
Affected
All cPanel and WHM versions before the April 28 emergency patch, plus end-of-life versions. CVE-2026-41940, CVSS 9.8. Successful exploitation grants root-equivalent access on the server, exposing every hosted website, database, email account, and customer data. KnownHost reports possible exploitation since February 23, 2026.
Fix
Run '/scripts/upcp --force' to pull the latest patched cPanel build immediately. Audit authentication logs for unusual successful logins between February 23 and April 28 - any login from an unfamiliar IP during that window may indicate prior compromise. Block cPanel ports (2082-2087, 2095-2096, 2077-2078) at the firewall to non-trusted IP ranges.