cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
Summary
A threat actor known as Mr_Rot13 is actively exploiting CVE-2026-41940, a critical vulnerability in cPanel and WHM. The vulnerability allows authentication bypass and can give remote attackers elevated control, enabling them to deploy a backdoor named Filemanager.
IFF Assessment
Exploitation of this critical vulnerability lets attackers gain elevated control and deploy backdoors, posing a direct threat to system security.
Severity
The vulnerability allows authentication bypass and remote code execution with elevated privileges, making it a critical threat with a high impact on confidentiality, integrity, and availability. Active exploitation further increases its severity.
CISA KEV: Listed as actively exploited. Federal patch due: May 03, 2026. Known ransomware use: Known.
Defender Context
Defenders should immediately prioritize patching or mitigating CVE-2026-41940 on their cPanel and WHM installations. Because this vulnerability is under active exploitation, monitoring cPanel environments for signs of the Filemanager backdoor and for unusual administrative activity is crucial.