Hackers exploit cPanel flaw CVE-2026-41940 to plant Filemanager backdoor in live attacks.
- Hackers exploit cPanel CVE-2026-41940 to bypass authentication
- Filemanager backdoor deployed on live servers now
- Attacker Mr_Rot13 linked to new campaigns
A threat actor named Mr_Rot13 is actively exploiting CVE-2026-41940, a critical authentication bypass flaw in cPanel and WebHost Manager (WHM), to plant a backdoor called Filemanager on unpatched servers. The flaw lets attackers sidestep login pages and gain root-level access, effectively handing them the keys to the entire machine. Security researchers at The Hacker News spotted the attacks in the wild, with at least six separate campaigns in the past 48 hours targeting hosting providers and resellers. The Filemanager backdoor disguises itself as a legitimate file manager plugin but opens a hidden channel for remote command execution. Once installed, attackers can move laterally across networks, steal data, or encrypt files for ransom.
How the attack works
The exploit chain starts with a simple HTTP request that bypasses the normal authentication flow in cPanel and WHM versions before 11.12.2.0. From there, the attacker sends a specially crafted payload that forces the server to execute malicious code. The payload drops the Filemanager backdoor, which then registers itself as a cron job to survive reboots. According to logs reviewed by the researchers, the backdoor communicates over port 443 using HTTPS to blend in with normal traffic. Attackers have been observed using it to run commands such as wget, curl, and chmod to download additional tools and escalate privileges.
Who’s behind it and how widespread it is
Mr_Rot13, a known threat actor who has been active since 2023, is behind these attacks. The group has a history of targeting hosting platforms, likely to resell compromised servers or run cryptojacking operations. The current campaign is spreading quickly because many admins haven't applied the patch yet. A scan of the top 10,000 most-visited sites shows over 1,200 cPanel servers still running vulnerable versions. The attacks are automated: a single exploit script scans for open ports 2082 and 2083 (the default cPanel ports) before firing off the payload.
What you can do today
cPanel released the fix in version 11.12.2.0 on June 3, 2026. If you're running an older version, update immediately using the built-in upgrade tool or via your hosting provider's control panel. Check your server logs and filesystem for signs of the Filemanager backdoor: look for cron entries named filemanager_update and for the file /usr/local/cpanel/base/frontend/paper_lantern/filemanager.php. Isolate any affected servers until they're cleaned and audited. Security teams at Sucuri and Wordfence have published free detection scripts you can run via SSH to scan for indicators of compromise.
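One way to run that check on a host or on a mounted disk image, as an added example (not the article's script and not the Sucuri or Wordfence tooling): a POSIX shell function that looks for both indicators the article names. The cron locations it searches are an assumption about a typical cPanel host.

```shell
#!/bin/sh
# Added example, not code from the article, cPanel, Sucuri or Wordfence.
# Checks a filesystem root for the two Filemanager indicators the report names:
#   1. the file /usr/local/cpanel/base/frontend/paper_lantern/filemanager.php
#   2. cron entries named filemanager_update
# The cron locations searched are an assumption about a typical cPanel host.
# Usage: sh check_fm_iocs.sh --scan [root]   (root defaults to /; point it at a
# mount point to inspect an offline disk image)

check_filemanager_iocs() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so "/" becomes ""
    found=0

    # Indicator 1: the dropped plugin file at the path named in the report
    f="$root/usr/local/cpanel/base/frontend/paper_lantern/filemanager.php"
    if [ -e "$f" ]; then
        echo "IOC: file present: $f"
        found=1
    fi

    # Indicator 2: cron jobs named filemanager_update, either as a cron.d file
    # or referenced from a crontab line (system crontab and per-user spools)
    for c in "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
             "$root/etc/cron.daily" "$root/var/spool/cron" \
             "$root/var/spool/cron/crontabs"; do
        [ -e "$c" ] || continue
        if [ -e "$c/filemanager_update" ]; then
            echo "IOC: cron file present: $c/filemanager_update"
            found=1
        fi
        # -r descends into directories, -l lists matching files, -s hides errors
        matches=$(grep -rls 'filemanager_update' "$c" 2>/dev/null) || true
        if [ -n "$matches" ]; then
            for m in $matches; do echo "IOC: cron reference in $m"; done
            found=1
        fi
    done

    [ "$found" -eq 0 ] && echo "No Filemanager indicators found under ${root:-/}"
    return "$found"   # 0 = clean, 1 = at least one indicator present
}

if [ "${1:-}" = "--scan" ]; then
    check_filemanager_iocs "${2:-/}"
fi
```

A hit only tells you the named indicators are present; a clean result does not rule out other payloads the backdoor's modular design can load, so treat it as a first triage step rather than a full audit.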
The broader impact is already showing. Some hosting providers report customer sites being defaced with ransom notes, while others see cryptominers silently installed. The backdoor’s modular design means attackers can swap in new payloads, turning an already serious breach into a long-term foothold. For now, the focus is on patching and containment, but expect more details from cPanel’s incident response team in the next 24 hours.
What You Need to Know
- Source: The Hacker News
- Published: May 11, 2026 at 17:54 UTC
- Category: Security
All reporting rights belong to the respective author(s) at The Hacker News. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.
Curated by GlobalBR News · May 11, 2026
🇧🇷 Summary in Portuguese
The digital scam that facilitates data theft and remote control of Brazilian servers is already a reality: hackers are actively exploiting a critical flaw in cPanel, known as CVE-2026-41940, to install a backdoor called Filemanager and break into systems without leaving a trace.
The vulnerability, which allows authentication to be bypassed, poses an especially high risk for companies and hosting providers in Brazil, where cPanel is widely used to manage web servers. With unauthorized access, intruders can steal sensitive information, install malware, or even hijack sites to distribute scams. Experts warn that, without immediate application of the patch released by cPanel, thousands of Brazilian servers could be compromised in a matter of hours.
The recommendation is clear: update the system as quickly as possible and monitor for suspicious activity to avoid irreparable damage.