A critical zero-day authentication bypass vulnerability in cPanel and WHM, tracked as CVE-2026-41940 with a CVSS score of 9.8 (Critical), has been weaponized by a sophisticated, long-operating hacking group dubbed Mr_Rot13, enabling cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation across thousands of compromised servers worldwide.
CVE-2026-41940, disclosed on April 28, 2026, is a pre-authentication remote-authentication bypass flaw rooted in a CRLF injection in cPanel’s session loading and saving mechanism.
By injecting special characters into authorization headers to write parameters to a session file, then triggering a session reload, an unauthenticated attacker can forge administrative credentials and gain root-level access to WHM, with no username or password required.
cPanel Auth Bypass Exploited
The flaw affects all currently supported versions of cPanel & WHM after version 11.40, impacting interfaces on ports 2082/2083 (cPanel) and 2086/2087 (WHM), as well as the WP Squared platform. CISA immediately added it to the Known Exploited Vulnerabilities (KEV) catalog and demanded that federal agencies patch by Sunday following disclosure.
The exploitation wave has been swift and devastating. The Shadowserver Foundation reported that within days of public disclosure, over 44,000 servers were likely compromised, with the number stabilizing near 2,000 confirmed compromised instances as rapid patching took effect.
Security researchers at XLab’s threat intelligence platform identified over 2,000 attack-source IPs from across the globe actively conducting automated attacks. Because cPanel/WHM underpins more than one million websites globally, including banks and healthcare organizations, CISA described the potential impact as catastrophic.
Zero-day exploitation was confirmed to have begun roughly two months before the patch was released, underscoring how long threat actors had remained undetected on vulnerable infrastructure.
On May 2, 2026, the security community documented a high-profile intrusion in which threat actors successfully leveraged CVE-2026-41940 to infiltrate Southeast Asian government and military institutions, exfiltrating approximately 4.37 GB of sensitive files totaling 110 documents organized in folders dated from 2020 through 2024, with the most recent files dating from November to December 2024, stolen in March 2026.
This incident, reported by Ctrl-Alt-Intel, indicates that nation-state-level actors or advanced criminal groups are targeting critical government infrastructure using this vulnerability as an initial access vector, elevating the threat far beyond opportunistic server compromise.
On May 4, 2026, XLab researchers analyzing malicious payloads delivered through CVE-2026-41940 discovered a novel Go-language injector named “Payload”, notable for containing extensive Turkish log strings that are likely AI-generated.
Its core capabilities include implanting SSH public keys, deploying malicious PHP and JavaScript code into compromised cPanel systems, stealing login credentials, and exfiltrating them to a Telegram group controlled by the attacker before deploying a remote-access Trojan named “filemanager.”
During attribution analysis, researchers found a PHP backdoor uploaded to VirusTotal in 2022 that still registers zero detections and communicates with the C2 domain wrned[.]com, a domain active since 2020.
The use of a Telegram group created by a user with the handle “0xWR”, combined with ROT13 encoding to obfuscate C2 infrastructure in injected JavaScript code (decoded: https://wrned.com/log.php?t=3), led researchers to name this group Mr_Rot13 internally.
The group has maintained an extremely low detection profile across security products for six consecutive years, from 2020 to the present. The malicious delivery script fetches a file named Update from cp.dene[.]de.com, executes it silently in the background via nohup, and self-deletes post-execution.
Three versions of this Update ELF 64-bit binary (statically linked, stripped) have been captured; the latest, seized on May 5, 2026, carries an MD5 hash of fb1bc3f935fdeb3555465070ba2db33c. The infector performs five primary actions:
- Root password change to 123Qwe123C via main_changeRootPassword
- SSH public key implantation (main_installSSHKey) using the key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIswJUfqrkbm2sIMfNHZn1sOYkxjNzEynqJKFU7qoez
- PHP webshell deployment (main_installCpanelPy): a Python-named shell at /usr/local/cpanel/cgi-sys/cpanel.py supporting file management and remote command execution
- JavaScript credential-stealer injection (main_injectLoginPage): captures usernames, passwords, User-Agent strings, and URLs, then POSTs them to the ROT13-obfuscated C2 endpoint
- Filemanager RAT installation (main_runWpsockInstaller): a cross-platform backdoor (Linux, Windows, macOS) downloaded from wpsock[.]com/cpanel/install.sh, listening on an attacker-specified port and providing a full remote management web console
On May 4, a user with the ID “xrill_y” sent a message to the Mr_Rot13 Telegram bot, an action that appeared to alert the group. Within 24 hours, Mr_Rot13 invalidated the existing bot token, rotated to a new one, and then reintegrated the bot on May 7.
The user “xrill_y” subsequently changed their username to “iudcbjrfv”, likely to obscure identity. Researchers believe xrill_y may be a security researcher rather than a co-conspirator, but cannot confirm this.
Affected Versions and Mitigation
Administrators should immediately patch to the following fixed releases:
- 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5
No workaround exists; patching is mandatory. Admins should also rotate all root passwords, audit SSH authorized_keys files for unauthorized entries, scan for webshells, inspect the cPanel login page for injected JavaScript, and monitor outbound connections for traffic to the IOC domains.
| Type | Value |
|---|---|
| Malware MD5 (Update) | fb1bc3f935fdeb3555465070ba2db33c |
| Malware MD5 (filemanager) | 9305b4ebbb4d39907cf36b62989a6af3 |
| PHP Backdoor MD5 | 2286f126ab4740ccf2595ad1fa0c615c |
| C2 Domain | cp.dene.de[.]com |
| C2 Domain | wrned[.]com |
| RAT Installer | wpsock[.]com/cpanel/install.sh |
| SSH Public Key | ssh-ed25519 AAAAC3...cpanel-updater |
| Telegram Group ID | -443071772 |
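The following Python sweep is an added example (not code from the article, XLab, or cPanel) that turns the mitigation steps and the IOC table above into concrete checks: it flags authorized_keys lines carrying the implanted ed25519 key material, ROT13-decodes JavaScript string literals and reports any that resolve to a listed C2 domain, matches file hashes against the three MD5s, checks for the cpanel.py webshell path, and scans connection or DNS log lines for the C2 domains. The filesystem layout (a root directory argument with root/.ssh/authorized_keys beneath it) and the sample inputs in the demo are assumptions constructed here, not data captured from a real host.

```python
import codecs
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Sequence

# Indicators reproduced from the article's IOC table and infector description.
IOC_MD5 = {
    "fb1bc3f935fdeb3555465070ba2db33c": "Update infector",
    "9305b4ebbb4d39907cf36b62989a6af3": "filemanager RAT",
    "2286f126ab4740ccf2595ad1fa0c615c": "PHP backdoor",
}
IOC_DOMAINS = ("wrned.com", "wpsock.com", "cp.dene.de.com")
IOC_SSH_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIFIswJUfqrkbm2sIMfNHZn1sOYkxjNzEynqJKFU7qoez"
# Relative paths so they can be joined onto any root (live "/" or a mounted image).
WEBSHELL_PATH = "usr/local/cpanel/cgi-sys/cpanel.py"   # from the article
AUTH_KEYS_PATH = "root/.ssh/authorized_keys"           # assumed location


def audit_authorized_keys(text: str) -> List[str]:
    """Return authorized_keys lines whose key material matches the implanted key."""
    return [line for line in text.splitlines() if IOC_SSH_KEY in line]


def decode_rot13_c2(js: str) -> List[str]:
    """Return JS string literals that, once ROT13-decoded, contain a C2 domain."""
    hits = []
    for m in re.finditer(r"""(['"])(.*?)\1""", js):
        decoded = codecs.decode(m.group(2), "rot_13")
        if any(domain in decoded for domain in IOC_DOMAINS):
            hits.append(decoded)
    return hits


def md5_label(data: bytes) -> Optional[str]:
    """Label the sample if its MD5 is one of the article's hashes, else None."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


def scan_log_for_c2(lines: Sequence[str]) -> List[str]:
    """Return log lines mentioning a C2 domain, including defanged [.] spellings."""
    return [ln for ln in lines
            if any(d in ln.replace("[.]", ".") for d in IOC_DOMAINS)]


def sweep_host(root: Path, extra_files: Sequence[Path] = ()) -> Dict[str, List[str]]:
    """Run every check against a filesystem rooted at `root`; extra_files are hashed
    and, if they look like web templates, searched for ROT13-obfuscated C2 strings."""
    findings: Dict[str, List[str]] = {"webshell": [], "ssh_keys": [], "hashes": [], "rot13_c2": []}
    shell = root / WEBSHELL_PATH
    if shell.exists():
        findings["webshell"].append(str(shell))
    keys = root / AUTH_KEYS_PATH
    if keys.exists():
        findings["ssh_keys"] += audit_authorized_keys(keys.read_text())
    for path in extra_files:
        label = md5_label(path.read_bytes())
        if label:
            findings["hashes"].append(f"{path}: {label}")
        if path.suffix in (".js", ".html", ".tmpl"):
            findings["rot13_c2"] += decode_rot13_c2(path.read_text(errors="ignore"))
    return findings


# Constructed sample inputs for the demo and tests; not captured from a real host.
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY000000000000000000000000 admin@example\n"
    f"ssh-ed25519 {IOC_SSH_KEY} cpanel-updater\n"
)
# "uggcf://jearq.pbz/ybt.cuc?g=3" is ROT13 of the decoded C2 URL quoted in the article.
SAMPLE_LOGIN_JS = 'var u = "uggcf://jearq.pbz/ybt.cuc?g=3";\nvar ok = "unchanged literal";\n'
SAMPLE_LOG = [
    "2026-05-05T10:00:00Z dns query example.org A",
    "2026-05-05T10:00:01Z dns query cp.dene.de.com A",
    "2026-05-05T10:00:02Z conn 203.0.113.5:443 host=wrned.com",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / AUTH_KEYS_PATH).parent.mkdir(parents=True)
        (root / AUTH_KEYS_PATH).write_text(SAMPLE_AUTHORIZED_KEYS)
        (root / WEBSHELL_PATH).parent.mkdir(parents=True)
        (root / WEBSHELL_PATH).write_text("# placeholder standing in for the webshell\n")
        login = root / "login.tmpl"
        login.write_text(SAMPLE_LOGIN_JS)
        for key, value in sweep_host(root, [login]).items():
            print(key, value)
        print("log", scan_log_for_c2(SAMPLE_LOG))
```

Run it as root (or against a mounted disk image by passing its mount point as `root`) and treat any non-empty finding as grounds for the full rebuild-and-rotate response the article describes; an absent finding is not proof of a clean host, since the hashes cover only the three captured samples.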
FAQ
Q1: What is CVE-2026-41940?
CVE-2026-41940 is a CVSS 9.8 critical authentication bypass in cPanel & WHM that allows unauthenticated remote attackers to gain full root administrative access via CRLF injection in the session handler.
Q2: Is there a patch available for CVE-2026-41940?
Yes, cPanel released emergency security updates on April 28, 2026. Affected users must upgrade immediately to patched versions (11.110.0.97 and later), as no workaround exists.
Q3: Who is the Mr_Rot13 hacking group?
Mr_Rot13 is a stealthy, long-running threat actor active since at least 2020 that uses ROT13-obfuscated C2 channels, AI-generated Go malware, and Telegram bots to exploit cPanel servers while maintaining near-zero detection rates across security tools.
Q4: What should cPanel administrators do immediately?
Admins must apply the available patches, rotate all credentials, audit SSH keys, scan for webshells, and block traffic to IOC domains, including wrned[.]com, wpsock[.]com, and cp.dene.de[.]com.
Site: thecybrdef.com