Mr_Rot13 has been linked to exploiting CVE-2026-41940 in cPanel and WHM to install the Filemanager backdoor on compromised systems. The campaign uses web shells, credential theft, persistent SSH access, and cross-platform payloads while targeting victims through infrastructure tied to cp.dene.de.com, wrned.com, and wpsock.com. #Mr_Rot13 #CVE-2026-41940 #Filemanager #cPanel #WHM
Keypoints
- Mr_Rot13 is exploiting a critical cPanel and WHM flaw.
- CVE-2026-41940 can enable authentication bypass and elevated control.
- The attack deploys SSH keys, web shells, and credential-stealing JavaScript.
- The Filemanager backdoor provides file access, command execution, and shell control.
- More than 2,000 attacker source IPs are involved in the campaign worldwide.
Read More: https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html