cPanel Update: Mr_Rot13 Has Been Backdooring Servers Through CVE-2026-41940 For Six Years
The cPanel CVE-2026-41940 story continues. A new threat actor has been named, the backdoor it deploys has been documented, and the most operationally relevant fact is that this group has been operating since 2020 with detection rates close to zero.
BEIJING, CHINA — A new threat actor designated Mr_Rot13 has been observed actively exploiting CVE-2026-41940 — the cPanel and WHM authentication bypass we covered in our late April 2026 reporting — to deploy a Filemanager backdoor on compromised hosting infrastructure. Research from QiAnXin XLab, published May 11, 2026 and reported by The Hacker News, attributes the activity to a group that has operated covertly for over six years (since 2020) with detection rates across security products described as "extremely low." Filemanager is a cross-platform Go-based remote control trojan that listens on specific network ports, provides a web-based graphical interface for file management and remote command execution, and uses bcrypt cryptographic hashing for authentication — deliberately rejecting plaintext passwords to evade standard network traffic interception. XLab monitoring data shows more than 2,000 attacker source IPs worldwide currently involved in automated attacks against the vulnerability.
The Filemanager backdoor differs operationally from the Mirai-botnet and .sorry-ransomware patterns documented in our April 29 coverage. Rather than mass-deployment for ransomware or DDoS recruitment, Filemanager is built for long-term silent persistence and lateral compromise of customer environments hosted on affected servers. XLab linked the current command-and-control infrastructure to an obfuscated PHP backdoor uploaded to public malware scanners as early as 2022, with the same network domains and encoding techniques persisting across multiple years. This pattern positions Mr_Rot13 as a disciplined, long-term-focused operation rather than an opportunistic exploiter.
The patched-but-compromised problem
The operational implication for any organization running cPanel or WHM is that patching CVE-2026-41940 addresses the authentication bypass — not pre-existing backdoors deployed during the active exploitation window. Hosts compromised before patching may carry Mr_Rot13 / Filemanager persistence that survives the patch, with bcrypt-authenticated web-based remote command execution available to the operator at any time. Threat hunting is now the primary remediation activity for previously-exposed cPanel instances, not just patch verification.
What to do
- If you patched CVE-2026-41940 in late April or May, treat the patch as the start of remediation, not the completion. Audit for Filemanager backdoor persistence patterns: unexpected listening services on non-standard ports, web-based admin interfaces that should not exist, processes consuming network bandwidth without identifiable legitimate purpose.
- For hosting providers specifically: re-audit your fleet for backdoor persistence patterns that may have been deployed during the February-April 2026 exploitation window, when CVE-2026-41940 was being weaponized in the wild before public disclosure. Prepare customer-facing communications explaining that hosts compromised pre-patch may require additional remediation beyond the patch.
- Monitor for Mr_Rot13-specific IOCs as XLab and downstream security vendors publish them. The group's six-year operational history with low detection rates suggests their tooling may evade signature-based detection; behavioral monitoring is the higher-confidence approach.
- Add a compromised-before-patch scenario to your IR playbook for every major CVE going forward. The cPanel pattern is recurring across the broader 2026 attack landscape and will continue to be a defining pattern for legacy hosting infrastructure.
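A starting point for the listener audit described above, added here as an example that is not from the article, XLab, or cPanel: it parses `ss -Hltnp` output and flags any listening socket whose process/port pair falls outside an assumed baseline of stock cPanel services, or whose binary runs from a writable path. The baseline table and the sample `ss` output are assumptions; adjust the baseline to your own build.

```python
import os
import re
import subprocess

# Assumed baseline for a stock cPanel host (process -> ports); adjust to your build.
BASELINE = {
    "cpsrvd": {2082, 2083, 2086, 2087, 2095, 2096}, "sshd": {22},
    "httpd": {80, 443}, "exim": {25, 465, 587}, "dovecot": {110, 143, 993, 995},
    "mysqld": {3306}, "mariadbd": {3306}, "named": {53}, "pure-ftpd": {21},
}
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # no legitimate daemon runs from here
ROW = re.compile(r"^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s*(.*)$")
PROC = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -Hltnp` output (not captured from any real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=910,fd=3))
LISTEN 0 511 *:2087 *:* users:(("cpsrvd",pid=1200,fd=7))
LISTEN 0 4096 0.0.0.0:8443 0.0.0.0:* users:(("httpd",pid=2222,fd=5))
LISTEN 0 4096 [::]:33333 [::]:* users:(("helper",pid=4444,fd=6))
"""

def parse_ss(text):  # yields (port, process_name, pid); pid is None if ss could not resolve it
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            p = PROC.search(m.group(2))
            yield int(m.group(1)), (p.group(1) if p else "?"), (int(p.group(2)) if p else None)

def exe_path(pid):  # binary behind a pid via /proc (needs root); '' if unreadable
    try:
        return os.readlink(f"/proc/{pid}/exe") if pid else ""
    except OSError:
        return ""

def triage(listeners, exe_lookup=exe_path):
    """Return [(port, name, reason)] for listeners that need manual review."""
    findings = []
    for port, name, pid in listeners:
        exe = exe_lookup(pid)
        if exe.startswith(SUSPECT_DIRS):  # running from a writable/volatile path
            findings.append((port, name, f"binary at {exe}"))
        elif port not in BASELINE.get(name, set()):  # unknown daemon or unexpected port
            findings.append((port, name, "port/process not in service baseline"))
    return findings

if __name__ == "__main__":
    try:  # live host; fall back to the constructed sample when ss is unavailable
        out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS
    for port, name, reason in triage(parse_ss(out)):
        print(f"REVIEW :{port:<6} {name:<12} {reason}")
```

Anything it prints is a triage lead, not a verdict: confirm the owning binary, its package ownership and its start time before acting.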
Cross-reference
For full background on CVE-2026-41940 (CVSS 9.8 unauthenticated authentication bypass via CRLF injection), active exploitation timeline since February 2026, the 44,000+ compromised servers estimate, and the original Mirai botnet and .sorry ransomware payloads, see our April 29 cPanel coverage.