Critical cPanel Flaw Exploited to Deploy 'Filemanager' Backdoor
A critical vulnerability in **cPanel** is being actively exploited by a threat actor dubbed Mr_Rot13 to deploy a sophisticated backdoor named **Filemanager**. The flaw, **CVE-2026-41940**, allows for authentication bypass and grants remote attackers elevated control over the control panel.

**cPanel** and WebHost Manager (WHM) users are urged to apply the available patches following reports of active exploitation of **CVE-2026-41940**. This critical vulnerability allows attackers to bypass authentication and gain administrative privileges.
### Exploitation in the Wild
According to a report by **QiAnXin XLab**, the vulnerability has been actively exploited since its public disclosure. Observed malicious activities include cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation.
"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability," XLab researchers stated. These IPs are geographically distributed, with a significant concentration in Germany, the United States, Brazil, and the Netherlands.
### Technical Analysis of the Attack Chain
Further analysis reveals a shell script leveraging `wget` or `curl` to download a Go-based infector from a remote server (`cp.dene.[de[.]com]`). This infector is designed to compromise **cPanel** systems by installing an SSH public key for persistent access and deploying a PHP web shell for file management and remote command execution.
The web shell injects JavaScript code to serve a customized login page, designed to steal credentials. Stolen credentials are then exfiltrated to an attacker-controlled system (`wrned[.]com`), encoded using the **ROT13** cipher. The final stage involves deploying a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.
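One defender-side check for the credential-theft stage described above: scan egress logs for requests to the exfiltration domain named in the report and ROT13-decode their query values to see whether they carry credentials. This is an added example, not code from the XLab report; the log line format, the query key, and all sample values are constructed assumptions.

```python
import codecs
import re
from urllib.parse import parse_qs, quote, urlsplit

# Exfil domain from the XLab report (defanged there as wrned[.]com); the egress
# log format and the query key are constructed assumptions for this example.
EXFIL_DOMAINS = {"wrned.com"}
CRED_PATTERN = re.compile(r"\b(user|login|pass|pwd)\b", re.IGNORECASE)

def rot13(text):
    # ROT13 is its own inverse, so one call both encodes and decodes.
    return codecs.decode(text, "rot_13")

def decode_exfil_hits(log_lines):
    """Return (host, decoded_value) for requests to known exfil hosts whose
    query values ROT13-decode into credential-looking text."""
    hits = []
    for line in log_lines:
        parts = line.split()  # constructed format: ts src_ip method url
        if len(parts) < 4:
            continue
        url = urlsplit(parts[3])
        if url.hostname not in EXFIL_DOMAINS:
            continue
        for values in parse_qs(url.query).values():
            for decoded in map(rot13, values):
                if CRED_PATTERN.search(decoded):
                    hits.append((url.hostname, decoded))
    return hits

# Constructed sample log lines; the credentials are made up. The second line
# models the web shell beaconing a ROT13-encoded username/password pair.
SAMPLE_LOG = [
    "2026-05-01T10:00:01Z 203.0.113.5 GET https://updates.example.org/check?v=1",
    "2026-05-01T10:00:02Z 203.0.113.5 POST https://wrned.com/c.php?d="
    + quote(rot13("user=admin&pass=Hunter2!"), safe=""),
]

if __name__ == "__main__":
    for host, decoded in decode_exfil_hits(SAMPLE_LOG):
        print(f"possible credential exfil to {host}: {decoded}")
```

Because ROT13 is a fixed substitution, the same decoding can be applied to proxy bodies or DNS TXT payloads if the beacon channel differs from the constructed one here.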
### Filemanager Backdoor Details
The infector also collects sensitive information, including bash history, SSH data, device information, database passwords, and **cPanel** virtual aliases (valiases), and sends it to a **Telegram** group managed by a user named "0xWR."
**Filemanager**, delivered through a shell script from `wpsock[.]com`, provides file management, remote command execution, and shell functionalities.
### Mr_Rot13's History
Evidence suggests that Mr_Rot13 has been active for several years. The command-and-control (C2) domain used in the JavaScript code was previously associated with a PHP-based backdoor (`helper.php`) uploaded to **VirusTotal** in April 2022. The domain was initially registered in October 2020.
"Over the six years from 2020 to the present, the detection rate of Mr_Rot13's related samples and infrastructure across security products has remained extremely low," XLab noted, highlighting the threat actor's stealth.