
Tracked as CVE-2026-41940, this severe security flaw carries a critical CVSS score of 9.8. It allows unauthenticated remote attackers to bypass the login process entirely, granting them full administrator privileges over vulnerable Linux environments.
According to XLab researchers, the elusive Mr_Rot13 group has operated covertly for over six years while maintaining exceptionally low detection rates across major cybersecurity platforms.
Since the vulnerability was publicly disclosed in late April 2026, global threat monitors have tracked massive automated exploitation attempts originating from more than 2,000 distinct IP addresses. The attacks have already caused significant real-world damage.
In early May, security firm Ctrl-Alt-Intel reported that hackers weaponized this cPanel bug to infiltrate Southeast Asian government and military networks, exfiltrating over four gigabytes of highly sensitive data.
cPanel and WHM Servers Under Attack
The primary exploitation strategy relies on a custom Go-based payload infector that downloads and executes silently on compromised machines.
XLab researchers discovered that this advanced infector systematically modifies root system passwords and implants custom SSH public keys labeled as “cpanel-updater” to quietly bypass standard logins.

To ensure redundant access, the threat actors also drop a Python-based webshell. Interestingly, the infector features unique structural characteristics and extensive Turkish log outputs, suggesting the underlying code may have been partially generated by artificial intelligence.
To further solidify their unauthorized access, the attackers inject highly customized, malicious JavaScript code directly into the cPanel login interface through modified server template files.
This script silently intercepts user credentials, user-agent strings, and active session details whenever a legitimate administrator logs in.
The stolen data is rapidly exfiltrated to attacker-controlled domains, obfuscated with classic ROT13, or routed to a dedicated Telegram channel.
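A defender-side check for the two persistence artefacts described above: the implanted SSH key labeled "cpanel-updater" and quoted string literals in login templates that ROT13-decode to the reported C2 domain. This is an added example, not code from the XLab report; the key data and template fragment are constructed, and the assumption that the domain appears as a ROT13-encoded string literal is ours.

```python
import codecs
import re

# Constructed sample authorized_keys content (placeholder key material, not real keys).
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyForTesting0000000000 admin@backup-host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyDataOnlyForTesting cpanel-updater
"""

# Constructed login-template fragment holding a ROT13-encoded domain literal.
SAMPLE_TEMPLATE = """\
<form id="login_form" action="/login/" method="post">
<script>var d="jearq.pbz";var c=document.getElementById("user").value;</script>
"""

# Key comment reported by XLab for the implanted SSH public key.
SUSPICIOUS_KEY_COMMENTS = {"cpanel-updater"}
# C2 domain from the report, re-fanged here only for string comparison.
KNOWN_C2_DOMAINS = {"wrned.com"}


def suspicious_ssh_keys(authorized_keys: str) -> list[str]:
    """Return the comment of every authorized_keys entry whose label matches the campaign's.

    Assumes the plain three-field form 'type key comment' (no leading options).
    """
    hits = []
    for line in authorized_keys.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[2].strip() in SUSPICIOUS_KEY_COMMENTS:
            hits.append(parts[2].strip())
    return hits


def rot13_domain_hits(text: str) -> list[str]:
    """Find quoted literals that ROT13-decode to a known C2 domain."""
    hits = []
    for literal in re.findall(r'["\']([A-Za-z0-9.\-]+)["\']', text):
        decoded = codecs.decode(literal, "rot_13")
        if decoded.lower() in KNOWN_C2_DOMAINS:
            hits.append(f"{literal} -> {decoded}")
    return hits


if __name__ == "__main__":
    print("SSH key hits:", suspicious_ssh_keys(SAMPLE_AUTHORIZED_KEYS))
    print("Template hits:", rot13_domain_hits(SAMPLE_TEMPLATE))
```

On a live host the same two functions would be fed the contents of root's authorized_keys and of the cPanel login template files rather than the constructed samples.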
The group continuously updates its Telegram bot tokens to maintain strict operational security against snooping external researchers.
Beyond routine credential harvesting, Mr_Rot13 deploys a cross-platform remote control Trojan internally dubbed “filemanager.”

This statically linked executable listens on specific network ports and provides a web-based graphical user interface for seamless file management and remote command execution.
It utilizes advanced bcrypt cryptographic hashing for authentication, deliberately rejecting plaintext passwords to evade standard network traffic interception tools.
Tracing the network infrastructure of these recent attacks revealed deep historical connections to previously undetected malicious activity.
Security analysts successfully linked the current command-and-control domains to an obfuscated PHP backdoor uploaded to public malware scanners in 2022.
This older backdoor targeted vulnerable WordPress installations using complex XOR-based string concatenation to completely hide its communications from signature-based antivirus scanners for years.
XLab researchers emphasize that the persistent use of these domains and encoding techniques confirms Mr_Rot13 is a highly disciplined group dedicated to long-term enterprise compromise and data theft.
Network defenders should actively monitor their environments for the following Indicators of Compromise (IOCs).
Known MD5 hashes associated with this campaign:
Command and Control (C2) Domain:
wrned[.]com
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Exploit CVE-2026-41940 to Take Over cPanel and WHM Servers appeared first on Cyber Security News.
