Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor
Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor
Publish Date: 2026-05-12 07:43:00
Source Domain: securityaffairs.com
Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor
Pierluigi Paganini
May 12, 2026
Attackers are exploiting cPanel flaw CVE-2026-41940 to install the Filemanager backdoor and gain unauthorized admin access.
Cybercriminals are actively exploiting the critical cPanel vulnerability CVE-2026-41940 (CVSS score of 9.3) to deploy a backdoor called Filemanager on compromised servers.
cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.
Cybersecurity experts at watchTowr first disclosed the flaw earlier this week and released a tool to help defenders identify vulnerable hosts in their estates.
“As we stated above, in-the-wild exploitation has already begun, according to KnownHost.” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”
CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.
According to the Shadowserver Foundation, thousands of instances may be exposed.
cPanel and watchTowr released tools to detect compromise and vulnerable hosts. Exploits date back to February. Namecheap warned customers of temporary access limits to mitigate risk.
QiAnXin XLab researchers linked the attacks to a threat actor known as Mr_Rot13.
Since its public disclosure on April 28, researchers have observed widespread exploitation linked to cryptomining, ransomware, botnets, and backdoor deployments. More than 2,000 malicious IPs worldwide have…
