Threat actor Mr_Rot13 exploits critical cPanel flaw to deploy Filemanager backdoor

As noted by The Hacker News, a threat actor known as Mr_Rot13 has been actively exploiting a recently disclosed critical vulnerability in cPanel, tracked as CVE-2026-41940, to deploy a backdoor named Filemanager on compromised systems. The flaw is an authentication bypass that hands remote attackers elevated control over the control panel.

Exploitation of CVE-2026-41940, which affects both cPanel and WebHost Manager (WHM), began shortly after public disclosure. Attackers are using the flaw for cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation. Security researchers have identified more than 2,000 attacker IP addresses involved in automated attacks against the vulnerability, with significant concentrations in Germany, the United States, Brazil, and the Netherlands.

The Mr_Rot13 attack chain begins with the download of a Go-based infector that installs an SSH public key for persistent access and drops a PHP web shell. The web shell provides file management and remote command execution, and is used to inject credential-stealing JavaScript that relies on ROT13 encoding. The end goal is the deployment of a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems.

The infector also harvests sensitive data, including bash history, SSH material, and database passwords, and exfiltrates it to a Telegram group. Mr_Rot13's infrastructure and samples have shown a low detection rate over the past six years, pointing to a long-running and stealthy operation.
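Two of the persistence artifacts described above are cheap to hunt for on a suspect host: an SSH public key the administrator never added, and a PHP file in a web root that wires request parameters into command execution. The Python below is an added example written for this page, not code from The Hacker News, SC Media or cPanel. The key blobs, allowlist, PHP snippets and scoring threshold are constructed, and the indicator regexes capture generic web-shell traits plus the ROT13 handling noted above; they are not published IOCs for Filemanager.

```python
"""Hunting helpers for two artifacts described above: an SSH public key the
administrator never installed, and a PHP web shell. Added example for this
page; all paths, keys, PHP snippets and thresholds are constructed."""
import base64
import hashlib
import re
import struct
from typing import Dict, List, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a key blob,
    the same value `ssh-keygen -lf` prints, so findings can be cross-checked."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (keytype, blob, comment) per key line, skipping comments and any
    leading options such as no-pty or command="..."."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                entries.append((tok, tokens[i + 1], " ".join(tokens[i + 2:])))
                break
    return entries


def find_unauthorized_keys(text: str, approved: Dict[str, str]) -> List[Dict[str, str]]:
    """Every key whose fingerprint is not in `approved` (fingerprint -> owner).
    Matching on the fingerprint, not the comment, means an attacker key with a
    plausible comment such as root@localhost is still flagged."""
    findings = []
    for keytype, blob, comment in parse_authorized_keys(text):
        try:
            fp = ssh_fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            fp = "<undecodable>"
        if fp not in approved:
            findings.append({"type": keytype, "fingerprint": fp, "comment": comment})
    return findings


# Generic web-shell traits plus the ROT13 handling noted in this campaign.
# Heuristics, not published IOCs; expect false positives on legitimate plugins.
SHELL_INDICATORS = {
    "exec_sink": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "eval": re.compile(r"\b(?:eval|assert)\s*\(", re.I),
    "request_to_sink": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "rot13_decode": re.compile(r"\bstr_rot13\s*\(", re.I),
    "layered_decode": re.compile(
        r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "file_manager": re.compile(r"\b(?:move_uploaded_file|file_put_contents|unlink|rename)\s*\(", re.I),
}


def webshell_indicators(php_source: str) -> List[str]:
    """Names of the indicators present in one PHP file, in table order."""
    return [name for name, rx in SHELL_INDICATORS.items() if rx.search(php_source)]


def looks_like_webshell(php_source: str, threshold: int = 2) -> bool:
    """Request input flowing straight into an exec sink is always suspicious;
    otherwise require `threshold` distinct traits so a lone file_put_contents
    in a cache plugin does not page anyone. The default threshold is assumed."""
    hits = webshell_indicators(php_source)
    return "request_to_sink" in hits or len(hits) >= threshold


def _fake_ed25519_blob(seed: bytes) -> str:
    """Syntactically valid ssh-ed25519 public key blob built from a hash of
    `seed`. Constructed sample data only, not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode()


ADMIN_BLOB = _fake_ed25519_blob(b"admin")
ROGUE_BLOB = _fake_ed25519_blob(b"rogue")
APPROVED_KEYS = {ssh_fingerprint(ADMIN_BLOB): "ops@example.com"}  # constructed allowlist
SAMPLE_AUTHORIZED_KEYS = f"""# managed by configuration management
ssh-ed25519 {ADMIN_BLOB} ops@example.com
no-pty,command="/usr/bin/true" ssh-ed25519 {ROGUE_BLOB} root@localhost
"""
SAMPLE_WEBSHELL = r"""<?php
$c = str_rot13($_REQUEST['p']);
if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_POST['d']); }
echo shell_exec($c);
"""
SAMPLE_BENIGN = r"""<?php
file_put_contents(__DIR__ . '/cache/page.html', $html);
"""

if __name__ == "__main__":
    for hit in find_unauthorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS):
        print("unapproved SSH key:", hit)
    print("web shell traits:", webshell_indicators(SAMPLE_WEBSHELL), looks_like_webshell(SAMPLE_WEBSHELL))
    print("benign file flagged:", looks_like_webshell(SAMPLE_BENIGN))
```

On a cPanel host the authorized_keys check should run against root's file and every hosted account's ~/.ssh directory, not just the one the operator logs into, and any fingerprint it reports can be confirmed with `ssh-keygen -lf` on the same file. The PHP heuristics are a triage aid: a single `str_rot13` hit is weak evidence on its own, which is why the scorer only fires on user input reaching an exec sink or on several traits together.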

Source: The Hacker News
