SecPod

CVE-2026-41940 - Critical cPanel Vulnerability Exploited in Mr_Rot13 Backdoor Campaign

Jun 1, 2026

Active exploitation campaign against a critical cPanel authentication bypass vulnerability (CVE-2026-41940) by a threat actor dubbed Mr_Rot13.

Researchers at QiAnXin XLab have attributed an active exploitation campaign against a critical cPanel authentication bypass vulnerability (CVE-2026-41940) to a long-running threat actor dubbed Mr_Rot13.

The campaign deploys a cross-platform backdoor named Filemanager that steals credentials and establishes persistent access across compromised Linux hosting environments.

More than 2,000 attacker source IPs worldwide have been observed conducting automated attacks against CVE-2026-41940 since its public disclosure on April 28, 2026.

Exploitation activity includes cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation.

Vulnerability & Affected Products

| Field | Details |
| --- | --- |
| CVE ID | CVE-2026-41940 |
| CVSS Score | 9.8 Critical (CVSS v3.1) |
| EPSS Score | 0.670 (67.0th percentile) |
| Affected Versions | All cPanel & WHM versions after 11.40 (including DNSOnly); WP Squared all versions prior to 136.1.7 |
| Fixed Version | cPanel & WHM: patched builds released April 28, 2026 (apply via /scripts/upcp --force); WP Squared: version 136.1.7 |