Attackers rapidly weaponized the critical cPanel and WHM authentication-bypass flaw CVE-2026-41940 to seize control of exposed hosting servers, with researchers and internet telemetry providers reporting exploitation within a day of disclosure and signs that the bug may have been abused earlier. The vulnerability affects cPanel/WHM deployments after 11.40, and reporting tied the exploitation surge to a sharp rise in cPanel hosts flagged as malicious, widespread scanning from tens of thousands of IPs, and compromises across an internet-facing footprint that some estimates placed at hundreds of thousands to more than a million systems. Post-compromise activity included Sorry ransomware encrypting files with the .sorry extension, Mirai-related botnet deployment, cryptomining, and website hijacking, prompting CISA to add the flaw to its Known Exploited Vulnerabilities catalog and order federal agencies to patch.
Separate investigations found the flaw was also used in targeted intrusions against government, military, MSP, and hosting-provider networks, especially in Southeast Asia, while QiAnXin XLab linked a major campaign to a long-running actor it tracks as Mr_Rot13. In that activity, attackers used automated exploitation from more than 2,000 source IPs to install SSH persistence, change root credentials, drop PHP web shells, inject fake cPanel login pages to steal credentials, exfiltrate data to attacker infrastructure and Telegram, and deploy the cross-platform Filemanager backdoor for remote command execution. Researchers also reported follow-on use of AdaptixC2, OpenVPN, Ligolo, and custom persistence tooling, as well as theft of about 4.37 GB of sensitive data, underscoring that the bug enabled both broad opportunistic compromise and more deliberate espionage-style operations.

The timeline below lists 13 events, from the most recent confirmed update back to the earliest known activity.
Macnica's Security Research Center reported that 194 of 1,692 publicly exposed cPanel/WHM servers in Japan had been hit with Sorry ransomware. The report was cited alongside ongoing exploitation and cPanel advisory updates.
XLab said a PHP backdoor tied to infrastructure later associated with Mr_Rot13 was uploaded to VirusTotal in 2022 and still had very low or zero detections. The sample communicated with wrned.com, supporting the researchers' long-term linkage of the actor's tooling.
QiAnXin XLab reported that infrastructure later linked to the Mr_Rot13 campaign included the domain wrned.com, which had been active since at least October 2020. Researchers cited this as evidence the actor may have operated covertly for years before the cPanel exploitation wave.
XLab said more than 2,000 attacker-controlled source IPs were conducting automated exploitation of CVE-2026-41940 worldwide. The activity was linked to cryptomining, ransomware, botnet propagation, credential theft, and backdoor installation.
QiAnXin XLab reported that threat actor Mr_Rot13 was exploiting CVE-2026-41940 to deploy a Go-based infector and the cross-platform Filemanager backdoor. The intrusion chain included root password changes, SSH key persistence, PHP web shells, credential-stealing JavaScript, and exfiltration to attacker infrastructure and Telegram.
In the Southeast Asia-linked intrusion set, attackers allegedly stole about 110 files totaling 4.37 GB, including Chinese railway-sector documents and sensitive personal data. The exfiltration followed lateral movement enabled by tools such as AdaptixC2, OpenVPN, and Ligolo.
CISA confirmed that CVE-2026-41940 was being exploited in the wild and added it to the Known Exploited Vulnerabilities catalog. The agency ordered U.S. government agencies to patch by Sunday.
XLab reported that after a Telegram interaction from user "xrill_y," the operators rotated their bot token and temporarily removed the bot from the group. Researchers cited this as evidence of active operational security by the Mr_Rot13-linked campaign.
Ctrl-Alt-Intel observed exploitation of CVE-2026-41940 against government, military, MSP, and hosting-provider networks, including activity tied to IP address 95.111.250[.]175. The campaign also involved a separate exploit chain against an Indonesian defense-sector training portal and broader intelligence-collection activity.
Researchers reported that multiple threat actors began exploiting the cPanel flaw within 24 hours of disclosure. Early post-compromise activity included Mirai-related botnet deployment and Sorry ransomware infections.
Censys reported that on May 1, 15,448 cPanel/WHM hosts were newly flagged as malicious, accounting for about 80% of the day's 19,131-host increase. The company linked the surge to exploitation activity following disclosure of CVE-2026-41940.
watchTowr Labs published technical analysis and a proof-of-concept for the critical cPanel/WHM authentication bypass vulnerability CVE-2026-41940. Multiple sources describe this disclosure as the trigger for rapid follow-on exploitation.
Reporting citing KnownHost CEO Daniel Pearson said attacks exploiting CVE-2026-41940 may have begun as early as February 23, before the vulnerability was publicly disclosed. Other coverage also noted indications the flaw may have been abused as a zero-day for weeks beforehand.
Sources:
scworld.com
securityaffairs.com
secpod.com
helpnetsecurity.com
ctrlaltintel.com
darkwebinformer.com
censys.com
reddit.com