As noted by The Hacker News, a threat actor known as Mr_Rot13 has been actively exploiting a recently disclosed critical vulnerability in cPanel, identified as CVE-2026-41940, to deploy a backdoor named Filemanager on compromised systems. This vulnerability allows for authentication bypass and grants remote attackers elevated control over the control panel.

The exploitation of CVE-2026-41940, which affects cPanel and WebHost Manager, has been observed shortly after its public disclosure. Threat actors are leveraging this flaw for various malicious activities, including cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation. Security researchers have identified over 2,000 attacker IP addresses globally involved in automated attacks targeting this vulnerability, with a significant concentration originating from Germany, the United States, Brazil, and the Netherlands.

The attack chain involves downloading a Go-based infector that installs an SSH public key for persistent access and deploys a PHP web shell. This web shell facilitates file management and remote command execution, and is used to inject JavaScript code that steals login credentials, encoded using ROT13. The ultimate goal is the deployment of a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.

The infector also collects sensitive information, such as bash history, SSH data, and database passwords, and sends it to a Telegram group. The threat actor, Mr_Rot13, has demonstrated a low detection rate for their infrastructure and samples over the past six years, indicating a long-standing and stealthy operation.

Source: The Hacker News
Vulnerability Management
Threat actor Mr_Rot13 exploits critical cPanel flaw to deploy Filemanager backdoor




