VulnHub

Real-time Cybersecurity News

cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

The Hacker News
Actively Exploited
2 Sources
Reporting on this topic
Help Net SecurityThe Hacker News
CVEVulnerabilityCritical

Overview

A serious security vulnerability in cPanel, identified as CVE-2026-41940, is currently being exploited by a threat actor known as Mr_Rot13. This flaw allows attackers to bypass authentication and gain elevated control over cPanel and WebHost Manager (WHM) environments. The exploitation of this vulnerability has led to the deployment of a backdoor named Filemanager on compromised systems. This incident is particularly concerning because it puts web hosting environments at risk, potentially allowing unauthorized access to sensitive data and control over web applications. Users and administrators of affected cPanel and WHM versions need to be vigilant and take immediate action to secure their systems.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: cPanel, WebHost Manager (WHM), CVE-2026-41940
  • Action Required: Users should immediately apply any available patches for cPanel and WHM that address CVE-2026-41940.
  • Timeline: Newly disclosed

Original Article Summary

A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control

Impact

cPanel, WebHost Manager (WHM), CVE-2026-41940

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Users should immediately apply any available patches for cPanel and WHM that address CVE-2026-41940. Regularly update systems and review security settings to ensure unauthorized access is prevented. Implement monitoring for unusual activity to detect any potential exploitation.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to CVE, Vulnerability, Critical.

Multiple Sources: This threat is being reported by 2 different security sources, indicating significant concern within the cybersecurity community.

Read Original Article

Related Coverage

cPanel zero-day exploited for months before patch release (CVE-2026-41940)

Help Net Security

A serious vulnerability (CVE-2026-41940) affecting cPanel, a widely used web hosting control panel, has been exploited by attackers for several months before a patch was released. This authentication bypass flaw has been in active use since at least February 23, 2026, with indications that it may have been abused even earlier. The vulnerability primarily impacts users of cPanel, which is often provided by shared hosting services. The delay in addressing this issue raises concerns about the security of web hosting environments and the potential for unauthorized access to sensitive data. Companies using cPanel are urged to apply the latest security updates as soon as possible to mitigate risks associated with this exploit.

Apr 30, 2026