Overview
- Security teams report ongoing exploitation of CVE-2026-41940, with activity tied to a group labeled Mr_Rot13 and more than 2,000 attacking IPs concentrated in Germany, the United States, Brazil, and the Netherlands.
- The bug lets intruders bypass the cPanel and WHM login process without a username or password, giving full control over the host system, its settings, and hosted sites.
- After gaining access, the attacker changes the root password, adds an SSH key, plants a PHP web shell, and injects code into the cPanel login page to capture every credential typed by users.
- Stolen data flows to attacker-controlled servers and a private Telegram group, and the final payload installs the cross-platform Filemanager backdoor used for remote command execution; observed campaigns have also dropped ransomware, cryptominers, and botnet malware.
- cPanel, watchTowr, and Shadowserver released detection tools as hosts such as Namecheap limited panel access during fixes, and researchers urge rapid patching, log reviews, and credential resets for any exposed servers.