Threat actors exploit CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WebHost Manager, to install the Filemanager backdoor on compromised servers. An attacker tracked as Mr_Rot13 actively deploys this malware following the public disclosure of the flaw.
CVE-2026-41940 permits unauthenticated remote attackers to escalate privileges and gain administrative access to affected cPanel instances. This allows threat actors to bypass login mechanisms entirely and operate with full system control. The Filemanager backdoor provides persistent access, allowing attackers to maintain a foothold even after the initial compromise has been remediated.
cPanel and WHM serve as control panels for web hosting providers and server administrators managing thousands of websites. A single compromised panel exposes all hosted domains and customer data. The backdoor installation suggests attackers target high-value infrastructure to establish persistent command-and-control capabilities.
Hosted environments face immediate risk. Web hosting providers relying on vulnerable cPanel versions should patch immediately and scan systems for Filemanager artifacts. Organizations using cPanel for shared hosting must verify their version status and apply security updates without delay.
The active exploitation timeline matters. Mr_Rot13's campaign indicates attackers actively hunt for unpatched systems in real time. Delay in patching increases compromise probability significantly. Organizations should assume their systems face continuous attack attempts if running vulnerable versions.
Detection requires monitoring for suspicious file uploads, unusual process execution within cPanel directories, and unexpected administrative account creation. Log analysis of authentication attempts may reveal bypass attempts preceding successful compromise.
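The following script is an added example, not code from the article or from cPanel, showing how the detection guidance above can be turned into a simple hunt: it replays an event log and flags privileged actions (account creation, file uploads) that are not preceded by a successful login from the same user and source address, plus any account creation and any upload into sensitive directories. The log format, the event names, the sample lines, the `SENSITIVE_PREFIXES` list and the one-hour session window are all constructed assumptions for the example and are not cPanel's real log layout; adapt `parse_log` to the access and session logs of your own deployment.

```python
"""
Hunt for authentication-bypass indicators in a constructed cPanel-style event log.

Added example: the log format, field names and sample entries below are
constructed for illustration and are NOT cPanel's real log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events: "<ISO timestamp> <user> <source ip> <event> [<detail>]"
# Source addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z alice 203.0.113.5 LOGIN_SUCCESS
2026-05-01T10:00:05Z alice 203.0.113.5 FILE_UPLOAD /home/alice/public_html/index.php
2026-05-01T10:02:00Z root 198.51.100.7 CREATE_ACCOUNT newadmin
2026-05-01T10:02:03Z root 198.51.100.7 FILE_UPLOAD /usr/local/cpanel/base/frontend/example.cgi
2026-05-01T10:05:00Z bob 203.0.113.9 LOGIN_FAILURE
2026-05-01T10:05:02Z bob 203.0.113.9 LOGIN_SUCCESS
2026-05-01T10:05:10Z bob 203.0.113.9 CREATE_ACCOUNT support2
"""

# Directories where a file upload is unusual (assumption made for this example).
SENSITIVE_PREFIXES = ("/usr/local/cpanel/", "/etc/")
# Actions that should only ever occur inside an authenticated session.
PRIVILEGED_EVENTS = {"CREATE_ACCOUNT", "FILE_UPLOAD"}
# How long a LOGIN_SUCCESS is assumed to justify later actions (assumption).
SESSION_WINDOW = timedelta(hours=1)


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    kind: str
    detail: str


@dataclass
class Finding:
    rule: str
    event: Event


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records, skipping malformed lines."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        detail = parts[4] if len(parts) == 5 else ""
        events.append(Event(ts, parts[1], parts[2], parts[3], detail))
    return events


def hunt(events: List[Event]) -> List[Finding]:
    """Flag privileged actions with no recent login, new accounts, and sensitive uploads."""
    findings: List[Finding] = []
    last_login: Dict[Tuple[str, str], datetime] = {}  # (user, ip) -> last LOGIN_SUCCESS
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.ip)
        if ev.kind == "LOGIN_SUCCESS":
            last_login[key] = ev.ts
            continue
        if ev.kind in PRIVILEGED_EVENTS:
            seen = last_login.get(key)
            # A privileged action with no authenticated session behind it is the
            # pattern an authentication bypass leaves in the logs.
            if seen is None or ev.ts - seen > SESSION_WINDOW:
                findings.append(Finding("privileged_action_without_login", ev))
        if ev.kind == "CREATE_ACCOUNT":
            # Every new account deserves review during an active campaign.
            findings.append(Finding("new_account_created", ev))
        if ev.kind == "FILE_UPLOAD" and ev.detail.startswith(SENSITIVE_PREFIXES):
            findings.append(Finding("upload_into_sensitive_dir", ev))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_log(SAMPLE_LOG)):
        e = f.event
        print(f"[{f.rule}] {e.ts.isoformat()} user={e.user} ip={e.ip} {e.kind} {e.detail}")
```

On the constructed sample the `root` session from 198.51.100.7 is reported twice for acting without any login, once for creating an account and once for writing into the cPanel tree, while `bob` is reported only for the account creation itself because his login is on record. Correlating on the (user, source address) pair rather than on the user alone keeps a legitimate administrator's own session from masking an attacker using the same account from elsewhere.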
Server administrators should prioritize this patch above routine updates. The combination of unauthenticated access and privilege escalation creates a critical severity situation. Any cPanel installation exposed to the internet without protection faces substantial risk from automated exploitation tools.
