Signal

Critical cPanel vulnerability CVE-2026-41940 actively exploited to deploy backdoor

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-05-11 17:54 UTCUpdated 2026-05-12 15:36 UTC
rss
cveexploitsmalwarethreat_actorssecurity_advisoriesincident_response
Trend in the last 24h
Promoted linkSource links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
BackToday's BriefEvidence (5)Get the free brief by emailStart free trial
No card needed for the free brief.
Evidence trail (top sources)
top sources (4 domains)domains are deduped. counts indicate coverage, not truth.
4 top sources shown
Multiple vulnerabilities in cPanel and WHM
CERT.BE - Warning · ccb.belgium.be · 2026-05-12 08:21 UTC
View all evidence
Overview

A critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940 with a CVSS score of 9.8, is being actively exploited by the threat actor Mr_Rot13.

Entities
cPanelWebHost Manager (WHM)FilemanagerMr_Rot13Sunil Varkey
Score total
1.39
Momentum 24h
5
Posts
5
Origins
5
Source types
1
Duplicate ratio
0%
Why now
  • Exploitation began shortly after public disclosure in late April 2026, indicating active threat actor campaigns.
  • The threat actor Mr_Rot13 is currently deploying backdoors and stealing credentials using this flaw.
  • Security advisories have been issued globally, emphasizing urgency for patching and monitoring.
Why it matters
  • The vulnerability enables attackers to gain elevated control over web hosting environments, risking widespread compromise.
  • cPanel manages multiple tenants, so exploitation can affect many organizations simultaneously, amplifying impact.
  • Immediate patching is critical to prevent privilege escalation and mitigate supply chain risks in hosting infrastructure.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
  • CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel and WHM actively exploited to deploy a backdoor.
  • The threat actor Mr_Rot13 is linked to exploitation of CVE-2026-41940 to gain elevated control and compromise hosting environments.
  • Security advisories from CERT.BE and AusCERT urge immediate patching to mitigate privilege escalation risks from multiple vulnerabilities in cPanel and WHM.
How sources frame it
  • The Hacker News: neutral
  • CSO Online: neutral
  • CERT.BE: neutral
  • AusCERT: neutral
This cluster highlights an urgent security incident involving a critical cPanel vulnerability actively exploited in the wild, underscoring the importance of patching and supply chain risk awareness.
All evidence
All evidence
The Hacker News - cPanel CVE-2026-41940 under active exploitation
thehackernews.com · thehackernews.com · 2026-05-11 17:54 UTC
CSO Online - cPanel flaw exposes enterprises to hosting supply-chain risks
csoonline.com · csoonline.com · 2026-05-12 10:26 UTC
Multiple vulnerabilities in cPanel and WHM
CERT.BE - Warning · ccb.belgium.be · 2026-05-12 08:21 UTC
AusCERT - Security Bulletin ASB-2026.0099.2 on CVE-2026-41940
portal.auscert.org.au · portal.auscert.org.au · 2026-05-12 03:51 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 5Origin domains: 5Duplicates: -
Showing 5 / 0
Top publishers (this list)
  • thehackernews.com (1)
  • csoonline.com (1)
  • CERT.BE - Warning (1)
  • portal.auscert.org.au (1)
  • SC Media (1)
Top origin domains (this list)
  • thehackernews.com (1)
  • csoonline.com (1)
  • ccb.belgium.be (1)
  • portal.auscert.org.au (1)
  • scworld.com (1)