cPanel CVE-2026-41940 now used to deploy backdoors and exfiltrate data

- XLab said on May 12 that attackers exploiting cPanel flaw CVE-2026-41940 are now planting backdoors, stealing credentials, and exfiltrating server data.
- The campaign adds a PHP web shell, a “Filemanager” trojan, and login-page credential theft, with activity traced to more than 2,000 attacker IPs.
- This moved the bug from mass opportunistic takeover to durable persistence on a tool that often controls whole hosting stacks.

cPanel is one of those boring-looking admin panels that quietly sits behind huge chunks of the web. That is why CVE-2026-41940 matters so much — a single login bypass can turn into control over websites, databases, email, and server settings in one shot. The bug was patched on April 28, but the story changed again on May 12, when XLab described attackers using that access for persistence and data theft, not just smash-and-grab compromise.

### What is this bug, exactly?

CVE-2026-41940 is an authentication bypass in cPanel & WHM’s session handling. Basically, one login path sanitized session data and another path tied to Basic authentication did not. That let attackers send crafted requests that made an unauthenticated session look authenticated, giving them admin-level access without valid credentials. The flaw affects cPanel & WHM versions after 11.40, plus WP Squared up to 11.136.1.6, and it carries a CVSS score of 9.8. (cpanel.net)

### Why is admin access here so dangerous?

Because WHM is not just one website’s dashboard. It is the control plane for the server. If an attacker gets in, they can reach host settings, databases, managed sites, and user accounts. In plain English — this is not “someone defaced a page.” It is “someone may own the machine that runs the page and everything next to it.” (nvd.nist.gov)

### What changed this week?

The new detail is what attackers are doing after they get in. XLab said the campaign now changes the root password, plants a hidden SSH login key, drops a PHP web shell into the cPanel system, and even tampers with the cPanel login page to steal every username and password entered there. That is a different class of problem — persistence plus credential harvesting means even patched systems may still be unsafe if they were already breached. (helpnetsecurity.com)

### What are they stealing?

More than just one admin token. XLab said attackers exfiltrate database passwords, SSH keys, shell command history, and other server data.
The group also installs a remote-control trojan called “Filemanager,” which gives them an ongoing foothold. Some of the stolen data was reportedly sent not only to attacker infrastructure but also into a private Telegram group. (helpnetsecurity.com)

### Who is behind it?

XLab linked this cluster to a group it calls “Mr_Rot13.” The name comes from a Telegram handle and from the group’s habit of hiding command-and-control details with ROT13-style obfuscation. XLab also tied the activity to a domain, wrned.com, that it says has been active since at least 2020. That suggests this is not a one-week opportunistic crew — it looks more like a mature operation that already had tooling ready. That attribution is XLab’s assessment, not a public government designation. (helpnetsecurity.com)

### How widespread is exploitation?

Pretty wide. Shadowserver said more than 40,000 servers were likely compromised as attacks ramped up in early May. Rapid7 noted roughly 1.5 million internet-exposed cPanel instances could be potential targets. XLab said more than 2,000 attacker-controlled IP addresses are currently running automated attacks, and CISA added the bug to its Known Exploited Vulnerabilities catalog on April 30. (helpnetsecurity.com)

### Did patching solve it?

Patching solves the entry bug. It does not remove a backdoor that was already planted. cPanel said on May 10 that more than 98% of servers were running an updated version and published a detection script, plus mitigations like blocking cPanel service ports where immediate updates are not possible. But if attackers already changed root credentials, added SSH keys, or modified the login page, defenders may need full incident-response work — not just an upgrade. (securityweek.com)

### So what is the real lesson?

Internet-facing admin panels are trust anchors. If one falls, everything behind it can fall with it.
That means stronger admin auth, tighter exposure, centralized logging, and a rebuild plan matter as much as patch speed. The bottom line is simple — CVE-2026-41940 is no longer just a critical bug. It is now an active post-compromise playbook. (cpanel.net)
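The "What is this bug, exactly?" section describes the general shape of the flaw: two login paths, only one of which sanitized session data, so authentication state could be influenced by what the client sent. The following Python sketch is an added illustration of that class of defect and its fix; it is hypothetical toy code, not cPanel's implementation, and the header names, the `USERS` table and the `Session` shape are all constructed for the example. The vulnerable variant lets a client-supplied field override the server-derived state on one path; the hardened variant routes every path through a single `build_session` function that derives authentication state only from a credential check.

```python
"""Two-path authentication inconsistency, hypothetical illustration.

Not cPanel code. Header names, users and session fields are constructed
for the example. Shows why every login path must derive its
authenticated state server-side through one shared validator.
"""
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed credential store for the example (not real accounts).
USERS: Dict[str, str] = {"admin": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str]
    authenticated: bool


def _check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored password."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode()
    )


def _parse_basic(headers: Dict[str, str]):
    """Return (user, password) from a Basic Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


# --- Vulnerable pattern: path B trusts a field the client should never set ---
def vulnerable_form_login(form: Dict[str, str]) -> Session:
    ok = _check_password(form.get("user", ""), form.get("password", ""))
    return Session(form.get("user") if ok else None, ok)


def vulnerable_basic_login(headers: Dict[str, str]) -> Session:
    session = Session(None, False)
    creds = _parse_basic(headers)
    if creds and _check_password(*creds):
        session = Session(creds[0], True)
    # BUG (constructed): session state copied from request input without
    # sanitising, so an unauthenticated request can look authenticated.
    if headers.get("X-Session-Authenticated") == "1":
        session.authenticated = True
        session.user = headers.get("X-Session-User", session.user)
    return session


# --- Hardened pattern: one validator, state never read from the request ---
def build_session(user: str, password: str) -> Session:
    ok = _check_password(user, password)
    return Session(user if ok else None, ok)


def hardened_form_login(form: Dict[str, str]) -> Session:
    return build_session(form.get("user", ""), form.get("password", ""))


def hardened_basic_login(headers: Dict[str, str]) -> Session:
    creds = _parse_basic(headers)
    if creds is None:
        return Session(None, False)
    return build_session(*creds)


def basic_header(user: str, password: str) -> str:
    """Helper to build a Basic Authorization value for tests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    spoof = {"X-Session-Authenticated": "1", "X-Session-User": "admin"}
    print("vulnerable:", vulnerable_basic_login(spoof))
    print("hardened:  ", hardened_basic_login(spoof))
```

The point for reviewers of any multi-path login code is the shape of the fix, not the specific header: if two entry points can produce a session, they must share one validator, and nothing in the request may be copied into the session's trust state.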
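The "What changed this week?" and "Did patching solve it?" sections make the same point: upgrading closes the entry bug but does not undo a planted SSH key or a file modified after compromise. The script below is an added example of the kind of post-patch review a defender would run on a server that was exposed during the window; it is not cPanel's published detection script. It assumes two inputs an operator can collect offline: the text of an `authorized_keys` file with a baseline of key fingerprints the team knows it issued, and a list of `(path, mtime)` records from a filesystem sweep. The sample keys, paths and timestamps are constructed; the April 28 patch date is the one stated in the article.

```python
"""Post-patch persistence review (added example, not cPanel's own script).

Inputs are collected by the operator; sample data below is constructed.
"""
import base64
import hashlib
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Patch availability date from the article. Privileged files modified at or
# after this point on a host that was exposed deserve a closer look.
PATCH_RELEASE = datetime(2026, 4, 28, tzinfo=timezone.utc)

_KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def parse_key_line(line: str) -> Tuple[str, str]:
    """Return (SHA256 fingerprint, comment) for one authorized_keys line.

    Simplified tokenizer: an options field is skipped, but options that
    contain spaces inside quotes are not handled (assumption).
    """
    parts = line.split()
    idx = 0
    while idx < len(parts) and not parts[idx].startswith(_KEY_TYPES):
        idx += 1
    if idx + 1 >= len(parts):
        raise ValueError("no key blob found: " + line)
    blob = base64.b64decode(parts[idx + 1])
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    comment = " ".join(parts[idx + 2:]) or "(no comment)"
    return fingerprint, comment


def unknown_authorized_keys(text: str, known: Iterable[str]) -> List[Tuple[str, str]]:
    """Keys whose fingerprint is not in the operator's baseline."""
    known_set = set(known)
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fingerprint, comment = parse_key_line(line)
        if fingerprint not in known_set:
            findings.append((comment, fingerprint))
    return findings


def files_changed_since(records: Iterable[Tuple[str, str]], since: datetime) -> List[str]:
    """Paths whose ISO-8601 mtime is at or after `since` (e.g. from a stat sweep)."""
    return [path for path, ts in records if datetime.fromisoformat(ts) >= since]


def audit(keys_text, known, records, since=PATCH_RELEASE) -> Dict[str, list]:
    return {
        "unknown_ssh_keys": unknown_authorized_keys(keys_text, known),
        "files_modified_since_patch": files_changed_since(records, since),
    }


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample: the blobs are not real key encodings, only base64 text.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    "ssh-ed25519 " + _b64("constructed key: ops team") + " ops@example.invalid",
    'command="/usr/bin/true" ssh-rsa ' + _b64("constructed key: backup") + " backup@example.invalid",
    "ssh-ed25519 " + _b64("constructed key: unexpected") + " root@localhost",
])
# Baseline = the two keys the operator recognises (first two real lines).
KNOWN_KEY_FINGERPRINTS = {
    parse_key_line(l)[0] for l in SAMPLE_AUTHORIZED_KEYS.splitlines()[1:3]
}
# Constructed stat sweep; paths are placeholders, not cPanel-specific locations.
SAMPLE_FILE_RECORDS = [
    ("/root/.ssh/authorized_keys", "2026-05-03T02:14:00+00:00"),
    ("/etc/ssh/sshd_config", "2026-01-15T09:00:00+00:00"),
    ("/var/www/example-site/index.php", "2026-05-04T23:59:00+00:00"),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_FINGERPRINTS, SAMPLE_FILE_RECORDS).items():
        print(key, value)
```

A hit in either list is a lead, not a verdict: an unknown key or a post-patch modification in a privileged location is the trigger for the full incident-response work the article describes, including credential rotation and, where ownership of the host is in doubt, a rebuild.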


Shared from Scout - Be the smartest in the room.