cPanel CVE-2026-41940 exploited to deploy Filemanager backdoor across 44,000 servers
Tags: Security · Infrastructure · Enterprise

A critical authentication bypass vulnerability in cPanel/WHM (CVE-2026-41940, CVSS 9.8) is being actively exploited by a threat actor tracked as Mr_Rot13 to deploy a cross-platform backdoor called Filemanager. At least 44,000 cPanel servers were compromised, with 7,135 confirmed to have the .sorry ransomware deployed, affecting an estimated 70 million hosted websites. The attack chain uses a Go-based infector that implants SSH public keys for persistence and drops a PHP web shell. A JavaScript-injected fake login page steals credentials and exfiltrates them using the ROT13 cipher. Exploitation began as early as February 23, 2026, two months before the April 28 emergency patch. cPanel issued a second emergency patch on May 8 for three additional CVEs (CVE-2026-29201, CVE-2026-29202 and CVE-2026-29203).
Technical significance
The scale of this campaign, 44,000 servers and an estimated 70 million websites, makes it one of the largest cPanel compromises ever. The two-month gap between initial exploitation and patching highlights the risk window for widely deployed infrastructure tools. The use of ROT13 encoding for C2 communication is unusual and suggests the threat actor may be deliberately using simple, reversible obfuscation: it evades signatures written for the plaintext strings while remaining trivial to decode on either end.
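The point about ROT13 evading plaintext signatures is easy to demonstrate on the defender's side. The following is an added example, not code from the article or from any of the tooling it describes: it shows what the encoded form of common credential field names looks like (so a detection rule can match on them), and scans a few constructed outbound-request lines, flagging the ones that carry credential fields either in plaintext or only after ROT13 decoding. The keyword list and the sample requests are assumptions made for the example, not values taken from the campaign's real traffic.

```python
import codecs

# Field names a credential-phishing form would typically post. This list is an
# assumption for the example, not one observed in the campaign's traffic.
CREDENTIAL_KEYWORDS = ("user", "pass", "login", "cpanel")


def rot13(text: str) -> str:
    """ROT13 rotates a-z/A-Z by 13 places; digits and punctuation are left
    unchanged. Because 13 is half the alphabet, the function is its own inverse,
    which is why the "cipher" offers no secrecy, only a change of appearance."""
    return codecs.encode(text, "rot_13")


def rot13_signatures(keywords=CREDENTIAL_KEYWORDS) -> dict:
    """Encoded form of each keyword, i.e. the literal a detection rule must
    contain to match the encoded traffic (e.g. 'pass' -> 'cnff')."""
    return {kw: rot13(kw) for kw in keywords}


def classify_payload(payload: str, keywords=CREDENTIAL_KEYWORDS):
    """Return ('plain', hits) if credential field names appear as-is,
    ('rot13', hits) if they appear only after ROT13 decoding, else None.
    Matching is plain substring matching, so treat hits as leads, not proof."""
    lowered = payload.lower()
    plain = [kw for kw in keywords if kw in lowered]
    if plain:
        return ("plain", plain)
    decoded = rot13(lowered)          # decoding is the same operation as encoding
    encoded = [kw for kw in keywords if kw in decoded]
    if encoded:
        return ("rot13", encoded)
    return None


# Constructed outbound-request samples (not real captures): a plaintext form
# post, the same post with its path and parameters ROT13-encoded, and a benign
# request that should not be flagged.
SAMPLE_REQUESTS = [
    "POST /collect?user=admin&pass=Super%21 HTTP/1.1",
    "POST /pbyyrpg?hfre=nqzva&cnff=Fhcre%21 HTTP/1.1",
    "GET /static/logo.png HTTP/1.1",
]


def scan_requests(requests=SAMPLE_REQUESTS):
    """Flag every request carrying credential field names, plain or ROT13.
    Returns a list of (index, encoding, matched_keywords) tuples."""
    findings = []
    for idx, req in enumerate(requests):
        result = classify_payload(req)
        if result is not None:
            findings.append((idx, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for kw, enc in rot13_signatures().items():
        print(f"signature for {kw!r}: {enc!r}")
    for idx, kind, hits in scan_requests():
        print(f"request {idx}: {kind} credential fields {hits}")
```

The practical takeaway for a detection engineer is the second request: a rule that only looks for `user=` or `pass=` misses it entirely, while a rule that either decodes candidate payloads first or also carries the encoded literals (`hfre`, `cnff`) catches it at no real cost, since ROT13 has no key to recover.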