Attackers are abusing cPanel CVE-2026-41940 to deploy a backdoor known as Filemanager on compromised servers. The flaw enables remote attackers to bypass authentication and gain access to the cPanel/WHM interface, and researchers have assigned it a CVSS score of 9.3. Since its public disclosure, the campaign has expanded, with Go-based malware named Payload delivering the Filemanager backdoor and other malicious components.
Threat analysts have linked the operation to a long-running group called Mr_Rot13, which is said to have operated since at least 2020 using similar infrastructure and C2 channels. According to the Shadowserver Foundation, thousands of instances may be exposed, and Go-based tooling has been used to implant SSH keys, inject PHP and JavaScript, and exfiltrate data via Telegram.
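One defensive check that follows from the SSH-key implant behaviour described above is to diff the server's current `authorized_keys` entries against a known-good snapshot and report any key that was not there before. The script below is an added example written for this article; it is not code from the researchers or from cPanel. The key blobs, comments and options in it are constructed sample data (real entries carry an SSH wire-format public key), and the helper names (`parse_line`, `fingerprint`, `audit`) are this example's own. It computes OpenSSH-style `SHA256:` fingerprints so that a key is matched by its material rather than by its comment, which an intruder can set to anything, and it copes with option prefixes such as `from=` or `command=` and with malformed lines.

```python
"""Audit OpenSSH authorized_keys snapshots for keys that were not in a baseline."""
import base64
import binascii
import hashlib
import shlex

# Key types accepted by OpenSSH in authorized_keys (subset sufficient for this example).
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
)


def _blob(material: str) -> str:
    # Constructed stand-in for a public key blob; real entries carry SSH wire-format data.
    return base64.b64encode(material.encode()).decode()


# Constructed known-good snapshot (hypothetical operator keys).
BASELINE = "\n".join([
    f"ssh-ed25519 {_blob('admin-key-1')} admin@ops",
    f'from="10.0.0.0/8" ssh-rsa {_blob("deploy-key")} deploy@ci',
])

# Constructed current snapshot: the baseline plus one implanted key hiding behind
# a forced command and a comment chosen to look routine.
CURRENT = BASELINE + "\n" + "\n".join([
    "# managed by config management",
    f'no-pty,command="/bin/sh" ssh-ed25519 {_blob("implanted-key")} root@localhost',
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, or 'INVALID' if undecodable."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return "INVALID"
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Return a dict for one authorized_keys entry, or None for blank/comment/unparseable lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        # shlex keeps quoted option values such as command="/bin/sh -c x" together.
        parts = shlex.split(stripped)
    except ValueError:
        parts = stripped.split()  # unbalanced quote in a comment: fall back to plain split
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            return {
                "options": " ".join(parts[:i]),
                "keytype": tok,
                "fingerprint": fingerprint(parts[i + 1]),
                "comment": " ".join(parts[i + 2:]),
            }
    return None


def audit(baseline_text: str, current_text: str) -> list:
    """Entries in the current snapshot whose key material is absent from the baseline."""
    known = {e["fingerprint"] for e in map(parse_line, baseline_text.splitlines()) if e}
    findings = []
    for entry in map(parse_line, current_text.splitlines()):
        if entry and entry["fingerprint"] not in known:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        flag = " [forced command]" if "command=" in f["options"] else ""
        print(f"unexpected key: {f['keytype']} {f['fingerprint']} {f['comment']}{flag}")
```

In practice the baseline snapshot would come from configuration management or a file-integrity store rather than a string constant, and the same comparison belongs on every account's `authorized_keys` (including root and the cPanel service users), since the article's description does not limit the implant to one user.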
More than 2,000 malicious IPs worldwide have been observed targeting the flaw, with activity concentrated in Germany, the United States, Brazil and the Netherlands. Researchers also note a PHP backdoor named helper[.]php and a Go-based infector that decrypts and runs the payload, ultimately deploying the Filemanager remote-control trojan.