Researchers have attributed an active exploitation campaign against a critical cPanel authentication bypass vulnerability, tracked as CVE-2026-41940, to a long-running threat actor dubbed Mr_Rot13. The campaign deploys a cross-platform backdoor named Filemanager, which steals credentials and establishes persistent access on compromised Linux hosting servers.
More than 2,000 attacker source IPs worldwide have been observed conducting automated attacks against CVE-2026-41940 since its public disclosure. Observed post-exploitation activity across these attacks includes cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation; the Mr_Rot13 campaign described below is the one that has been attributed to a specific actor.
Background on Threat Actor and Backdoor
Mr_Rot13 is a threat actor who has been operating covertly since at least October 2020. Named after their consistent use of the ROT13 cipher to obfuscate command-and-control addresses and the Telegram handle “0xWR” attributed to the group’s creator, the actor has maintained an exceptionally low detection profile over six years. A PHP backdoor deployed by the group in 2022 still carries zero antivirus detections to this day. What distinguishes Mr_Rot13 from opportunistic threat actors is their operational discipline: stable long-lived infrastructure, consistent tooling across campaigns, and a deliberate emphasis on evasion over visibility.
Their primary payload, Filemanager, is a cross-platform remote-access backdoor written in Go, with builds available for Linux, Windows, and macOS. Once active, it exposes a web-based management console on an attacker-specified port, supporting file management, remote command execution, and interactive shell access.
Vulnerability Details
| Field | Details |
|---|---|
| CVE ID | CVE-2026-41940 |
| CVSS Score | 9.8 (Critical) |
| EPSS Score | 67.0% |
| Affected Versions | cPanel & WHM: versions after 11.40 and prior to 136.1.7; WP Squared: all versions prior to 136.1.7 |
| Fixed Version | cPanel & WHM version 136.1.7 |
Attack Methodology: The Automated Infection Chain
The infection is carried out in seven phases:
Initial Exploitation: CVE-2026-41940 is exploited to bypass cPanel/WHM authentication entirely: no credentials are needed, and the attacker obtains full administrative access remotely.
Infector Delivery: A shell script fetches a Go-based binary from the attacker's server via wget/curl, executes it, and then deletes itself to reduce its forensic footprint.
SSH Implantation: The infector resets the root password to a hardcoded value and plants an attacker-controlled SSH public key (comment cpanel-updater) in authorized_keys, ensuring persistent privileged access even if the vulnerability is later patched.
Webshell Deployment: A PHP webshell, named "cpanel.py", is uploaded to the cPanel CGI directory, providing persistent file access and remote command execution over HTTP.
Credential Skimming: Malicious JavaScript replaces the cPanel login page and silently harvests usernames and passwords, posting them via AJAX to a C2 URL that is stored in the script as a ROT13-obfuscated string.
Filemanager Backdoor: The cross-platform backdoor (Windows/Linux/macOS builds) is downloaded from wpsock[.]com and started, exposing its web-based remote-control console on a custom TCP port.
Data Exfiltration: Bash history, SSH keys, database passwords, and email alias (valiases) files are sent both to the C2 server and to a private Telegram group, giving the actor two redundant exfiltration channels.
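The SSH implantation phase is the one a defender can verify most reliably, because a planted key leaves an exact artifact in authorized_keys. The following script is an added example, not tooling from the report or from cPanel: it parses authorized_keys lines the way sshd does (optional leading options, key type, base64 blob, optional comment), computes the SHA256 fingerprint of each key, and flags entries whose comment matches the cpanel-updater name reported for this campaign or whose fingerprint is absent from an approved-key inventory. The key blobs, the approved-key set and the sample file are constructed for the example; the comment value is the only indicator taken from the page.

```python
import base64
import hashlib
import re
import struct
from dataclasses import dataclass

# Anchored on the key-type token so that leading sshd options such as
# from="..." or command="...", which may contain spaces, are preserved intact.
KEY_LINE = re.compile(
    r'(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))'
    r'\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$'
)


@dataclass
class KeyEntry:
    line_no: int
    options: str
    key_type: str
    fingerprint: str
    comment: str


def fingerprint(b64_blob):
    """SHA256 fingerprint in the same form ssh-keygen -lf prints."""
    blob = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.search(line)
        if not m:
            continue  # malformed line; sshd ignores it as well
        try:
            fp = fingerprint(m.group(2))
        except ValueError:
            continue  # blob is not valid base64
        entries.append(KeyEntry(n, line[:m.start(1)].strip(), m.group(1),
                                fp, (m.group(3) or "").strip()))
    return entries


def audit(text, approved_fingerprints, attacker_comments=("cpanel-updater",)):
    """Return (entry, reasons) for every key that should be reviewed."""
    findings = []
    for e in parse_authorized_keys(text):
        reasons = []
        if e.comment in attacker_comments:
            reasons.append("comment matches the key name reported for this campaign")
        if e.fingerprint not in approved_fingerprints:
            reasons.append("fingerprint not in the approved key inventory")
        if reasons:
            findings.append((e, reasons))
    return findings


def _ed25519_blob(seed):
    # Constructed sample: a syntactically valid ssh-ed25519 wire blob
    # (length-prefixed type string, then a 32-byte public key). Not a real key.
    pub = bytes((seed + i) % 256 for i in range(32))
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(wire).decode()


ADMIN_KEY = _ed25519_blob(1)       # constructed: the legitimate admin key
ATTACKER_KEY = _ed25519_blob(200)  # constructed: stands in for the implanted key

# Constructed sample authorized_keys: one approved key with an sshd option,
# one planted key carrying the comment reported for the campaign.
SAMPLE_AUTHORIZED_KEYS = f"""# root authorized_keys (constructed sample)
from="203.0.113.0/24" ssh-ed25519 {ADMIN_KEY} ops@bastion
ssh-ed25519 {ATTACKER_KEY} cpanel-updater
"""

APPROVED = {fingerprint(ADMIN_KEY)}  # assumed inventory of sanctioned keys

if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"line {entry.line_no}: {entry.key_type} {entry.fingerprint} '{entry.comment}'")
        for reason in reasons:
            print("   -", reason)
```

Run it against /root/.ssh/authorized_keys and against every cPanel account's ~/.ssh/authorized_keys, not just root's, and treat the fingerprint allowlist as the authoritative check: the comment field is attacker-controlled and trivially renamed, whereas the fingerprint identifies the key itself.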
MITRE ATT&CK: Tactics and Techniques
| ID | Tactic | Technique | Description |
|---|---|---|---|
| TA0001 | Initial Access | T1190 – Exploit Public-Facing Application | CVE-2026-41940 authentication bypass on internet-facing cPanel/WHM |
| TA0002 | Execution | T1059.004 – Unix Shell | Shell script delivered and executed to download and run the Go-based infector |
| TA0003 | Persistence | T1098.004 – SSH Authorized Keys | Attacker-controlled SSH public key (cpanel-updater) implanted on the host |
| TA0003 | Persistence | T1505.003 – Web Shell | PHP webshell (cpanel.py) dropped into the cPanel CGI directory |
| TA0005 | Defense Evasion | T1070.004 – File Deletion | Infector binary deleted post-execution to reduce forensic footprint |
| TA0006 | Credential Access | T1056.003 – Web Portal Capture | Malicious login page skims credentials and exfiltrates them via AJAX |
| TA0010 | Exfiltration | T1567 – Exfiltration Over Web Service | Stolen data sent to C2 and a Telegram bot as dual exfiltration channels |
Indicators of Compromise (IOCs)
The following infrastructure, file artifacts, and network indicators have been attributed to the Mr_Rot13 campaign:
| Type | Indicator |
|---|---|
| Scanner IPs | 178[.]249[.]209[.]182, 149[.]102[.]229[.]146 |
| C2 Domain | wrned[.]com |
| Downloader Domain | cp.dene[.]de.com |
| Filemanager Domain | wpsock[.]com |
| Credential Exfil Endpoint | wrned[.]com/log.php (ROT13 encoded in JS as: uggcf://jearq[.]pbz/ybt.cuc) |
| Data Reporting Endpoint | cp.dene[.]de.com/collect.php |
| Infector Filename | Update (ELF 64-bit, x86-64, statically linked, stripped) |
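The credential exfiltration endpoint is stored in the injected login-page script as a ROT13 string, which is why a plain string search for wrned[.]com never fires. ROT13 is an involution, so the only thing that distinguishes an encoded URL from a real one is that the decoded form, not the literal, carries a valid scheme or a real top-level domain. The script below is an added example, not code from the report: it extracts every string literal from a JavaScript sample, decodes it with ROT13, keeps the ones that decode to a URL or to a domain with a recognised TLD, and marks hits whose hostname is one of the campaign domains listed above. The sample JS, the TLD list and the function names are constructed for the example; the encoded endpoint and the campaign domains are the ones from the IOC table.

```python
import codecs
import re
from urllib.parse import urlparse

# JS string literals in single, double or backtick quotes; escaped quotes tolerated.
STRING_LITERAL = re.compile(r"""(["'`])((?:\\.|(?!\1).)*)\1""")
URL_RE = re.compile(r"^https?://([a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(/\S*)?$", re.I)
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+([a-z]{2,})$", re.I)

# Assumed short TLD list: since ROT13 maps a domain-shaped string to another
# domain-shaped string, a scheme-less literal is only reported when its decoded
# TLD is real and its literal TLD is not.
KNOWN_TLDS = {"com", "net", "org", "io", "de", "ru", "info", "biz"}

# Domains taken from the IOC table for this campaign.
CAMPAIGN_DOMAINS = {"wrned.com", "cp.dene.de.com", "wpsock.com"}


def rot13(s):
    return codecs.decode(s, "rot_13")


def looks_like_encoded_url(literal):
    """Return the decoded URL/domain if the literal is ROT13-obfuscated, else None."""
    decoded = rot13(literal)
    if URL_RE.match(decoded):          # "uggcf://" decodes to "https://": unambiguous
        return decoded
    enc, dec = DOMAIN_RE.match(literal), DOMAIN_RE.match(decoded)
    if dec and dec.group(2).lower() in KNOWN_TLDS and not (
            enc and enc.group(2).lower() in KNOWN_TLDS):
        return decoded
    return None


def hostname(decoded):
    return urlparse(decoded if "://" in decoded else "//" + decoded).hostname


def find_rot13_urls(js):
    """Scan JavaScript text and return every ROT13-obfuscated URL or domain found."""
    hits = []
    for m in STRING_LITERAL.finditer(js):
        decoded = looks_like_encoded_url(m.group(2))
        if decoded:
            host = hostname(decoded)
            hits.append({"offset": m.start(), "encoded": m.group(2),
                         "decoded": decoded, "host": host,
                         "known_c2": host in CAMPAIGN_DOMAINS})
    return hits


# Constructed sample: the encoded endpoint from the IOC table plus three literals
# that must not be reported (a bare encoded domain, a plain URL, a plain domain).
SAMPLE_JS = r'''
// constructed sample in the shape of a skimmer exfil snippet (not the real malware)
var e = "uggcf://jearq.pbz/ybt.cuc";
var b = "jearq.pbz";
var s = "https://cdn.example.net/app.js";
var h = "cpanel.net";
'''

if __name__ == "__main__":
    for hit in find_rot13_urls(SAMPLE_JS):
        flag = "KNOWN C2" if hit["known_c2"] else "review"
        print(f"@{hit['offset']}: {hit['encoded']} -> {hit['decoded']} [{flag}]")
```

Run the scanner over the served login page (fetch it the way a browser would, since the skimmer replaces the page rather than the theme files on disk) and over any recently modified .js and .php under the cPanel document roots; a single hit on a campaign domain is sufficient to treat every credential entered through that login page as compromised.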
Visual Attack Flow
Auth Bypass via CVE-2026-41940 -> CRLF Injection in Session File -> Encryption Layer Skipped -> Session Promoted to Admin -> Shell Script Delivered -> Go Infector Executed -> SSH Key Implanted -> PHP Webshell Dropped -> Login Page Hijacked -> Credentials Exfiltrated -> Filemanager Backdoor Installed -> Data Sent to C2 + Telegram -> Persistent Remote Control Established
Key Takeaways & Mitigation
- Patch cPanel & WHM (and WP Squared) to version 136.1.7 or later immediately; the bypass requires no credentials, so every unpatched internet-facing instance should be assumed targeted.
- Restrict access to the cPanel and WHM interfaces (ports 2082/2083 and 2086/2087) to trusted IP ranges at the firewall rather than exposing them to the internet.
- Audit authorized_keys for root and for every cPanel account immediately, removing any unknown key (in particular one carrying the comment cpanel-updater), and reset the root password, since the infector replaces it with a hardcoded value.
- Check the cPanel CGI directory for the cpanel.py webshell and compare the served login page against a known-good copy to detect the injected credential-skimming JavaScript.
- Monitor for anomalous outbound connections, especially to the domains listed above and to the Telegram API, and for unexpected listening TCP ports that may belong to the Filemanager console.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
