cPanel & WHM Authentication Bypass Actively Exploited to Deploy Filemanager Backdoor (CVE-2026-41940)
Scope: cPanel & WebHost Manager (WHM) – All Versions After 11.40
Severity: Red
A critical CRLF injection authentication bypass (CVSS 9.8) in cPanel and WHM is being actively weaponized by a sophisticated, long-running threat actor named Mr_Rot13, with over 2,000 attacker IPs worldwide conducting automated attacks. The flaw has been added to the CISA KEV catalog and was exploited as a zero-day since at least February 23, 2026, roughly two months before the April 28 patch.

Once authenticated, the attacker implants an SSH public key for persistent access, drops a PHP web shell that injects credential-harvesting JavaScript into the cPanel login page, and deploys a cross-platform Go-based backdoor called Filemanager capable of infecting Windows, macOS, and Linux. Stolen data is exfiltrated via ROT13-encoded channels to attacker-controlled Telegram groups.

Organizations should apply the cPanel/WHM security update issued April 28, restart the cpsrvd daemon after patching, audit authorized SSH keys for unauthorized entries, scan for unexpected PHP web shells, and block outbound traffic to the C2 domains cp.dene[.]de[.]com, wpsock[.]com, and wrned[.]com.
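Two of the recommended checks above, as an added example that is not CERT.UG/CC's or cPanel's own tooling: a POSIX shell script that lists authorized_keys entries missing from an allowlist you maintain, and greps a log for the three C2 domains named in this advisory. The allowlist format, the sample keys and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not CERT.UG/CC's or cPanel's tooling) for two of the advisory's
# recommendations. Runs offline on the constructed sample data at the bottom.

# 1) Print authorized_keys entries whose key is not on an allowlist.
#    Usage: unknown_keys AUTHORIZED_KEYS ALLOWLIST
#    ALLOWLIST holds one approved key per line as "<type> <base64 blob>".
#    On a real host, run it over /root/.ssh/authorized_keys and each
#    /home/*/.ssh/authorized_keys with an allowlist built from your inventory.
unknown_keys() {
  awk '
    FILENAME == ARGV[1] { ok[$1 " " $2] = 1; next }   # load the allowlist first
    /^[[:space:]]*(#|$)/ { next }                      # skip comments and blanks
    {
      # Entries may begin with options (command=..., no-pty); locate the key type.
      i = 1
      while (i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/) i++
      if (i >= NF) { print FILENAME ":" FNR ": unparsable: " $0; next }
      k = $i " " $(i + 1)
      if (!(k in ok)) print FILENAME ":" FNR ": NOT ALLOWLISTED: " k
    }' "$2" "$1"
}

# 2) Report log lines (DNS, proxy, firewall) that mention the advisory's C2 domains.
#    Domains stay defanged in the script and are re-fanged at run time; -F matches
#    substrings, so child hosts of these domains surface too (case-insensitive).
C2_DEFANGED='cp.dene[.]de[.]com
wpsock[.]com
wrned[.]com'
c2_hits() {
  pats=$(mktemp); printf '%s\n' "$C2_DEFANGED" | sed 's/\[\.\]/./g' > "$pats"
  grep -F -i -n -f "$pats" "$1"; rc=$?; rm -f "$pats"; return $rc
}

# --- Constructed sample inputs (fake keys and hosts) so the checks run here.
TMP=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEadminKEY000000000000000000000000000' > "$TMP/allow"
cat > "$TMP/authorized_keys" <<'EOF'
# admin workstation (approved)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEadminKEY000000000000000000000000000 admin@ws
command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEunknownKEY root@unknown
EOF
cat > "$TMP/dns.log" <<'EOF'
2026-04-29T10:00:01Z client 10.0.0.5 query www.example.com A
2026-04-29T10:00:02Z client 10.0.0.5 query cp.dene.de.com A
2026-04-29T10:00:03Z client 10.0.0.9 query WPSOCK.com A
EOF

unknown_keys "$TMP/authorized_keys" "$TMP/allow"   # flags the ssh-rsa entry only
c2_hits "$TMP/dns.log"                             # prints the two C2 lookups
```

Keys flagged as NOT ALLOWLISTED are review candidates, not proof of compromise; confirm them against change records before removal, and treat any C2 hit as a trigger for the full web-shell and backdoor hunt.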
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.