cPanel flaw exposes enterprises to hosting supply-chain risks

A newly disclosed cPanel vulnerability is being exploited at scale, giving attackers a route into web hosting environments that many enterprises may not monitor closely. Analysts say the risk highlights weak visibility into hosting supply chains.

The flaw, tracked as CVE-2026-41940, has been used to deploy backdoors, plant SSH keys, steal credentials, and compromise hosting systems, according to researchers at XLab. The researchers linked some of the activity to a long-running threat group they call Mr_Rot13.

For CISOs, the worry is not just the bug, but where it sits. cPanel and similar tools often operate at the edge of the enterprise, managing websites, portals, and hosted applications. If they are exposed to the internet and not monitored with the same rigor as endpoints, cloud workloads, or core business systems, they can become attractive entry points for attackers.

“This is a classic aggregator-level attack: instead of targeting individual companies, threat actors compromise the centralized management layer that aggregates hundreds of unrelated tenants on the same server,” said Sunil Varkey, a cybersecurity analyst.

XLab said exploitation began after the vulnerability was publicly disclosed in late April. The researchers observed more than 2,000 attacker source IPs involved in automated attacks. The activity included cryptomining, ransomware deployment, botnet propagation, backdoor installation, and data theft, suggesting the flaw has drawn broad attacker interest.

Varkey said security researchers estimate that more than 40,000 servers may have been at risk in the initial wave alone.

“The speed and scale of exploitation after CVE-2026-41940’s disclosure should tell CISOs that internet-facing control panels are now high-priority exploitation targets, not just administrative utilities,” said Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services.

Keith Prabhu, founder and CEO of Confidis, said the speed of exploitation shows that internet-facing management planes now have little to no grace period once a critical authentication-bypass flaw becomes public.

Distributed scanning infrastructure and botnets have made attack automation easier to scale, he said, increasing the chances that high-impact flaws will be exploited soon after disclosure.

Mr_Rot13 has operated with a low detection rate for about six years, according to XLab. Its tooling includes a cross-platform remote control program, PHP webshells, JavaScript credential stealers, and components designed to collect SSH data, bash history, database passwords, and cPanel virtual aliases.

“Many organizations have improved visibility across endpoints, cloud workloads, and SaaS platforms, but shared hosting, control panels, web shells, and Linux administrative layers are still often treated as operational infrastructure rather than high-risk attack surfaces,” Grover said.

Grover added that the gap is also about whether the right tools are watching this layer at all. Many security products are not deployed or tuned for cPanel-layer activity, which can leave even mature security teams with limited visibility into the hosting control plane.

The enterprise risk may extend beyond organizations that directly run cPanel. Many companies rely on hosting providers, managed service providers, marketing agencies, and external web teams to operate public-facing sites, customer portals, microsites, and application infrastructure. That can make exposure difficult to identify when security teams do not have direct visibility into the hosting stack.

Steps for security teams

Security teams should first determine whether any internet-exposed cPanel servers were accessible during the exploitation window, Varkey said.

The response should go beyond applying the vendor fix to include credential rotation, checks for unauthorized SSH keys, webshell hunting, review of anomalous processes, and a search for signs that attackers modified login pages or planted persistence mechanisms.

Prabhu said organizations should treat potential exposure as an incident response matter, not just a patch management task. A review should include session and authentication logs, persistence hunting, identity and credential checks, web application compromise analysis, and correlation of logs and telemetry, he said.

Security teams should pay particular attention to data exfiltration channels that may not be covered by standard monitoring tools, according to Grover.

Organizations should also review hosted website content for injected scripts and examine outbound traffic for Telegram-based exfiltration, Grover said. The campaign has reportedly used Telegram to route stolen data, including bash history, SSH credentials, database passwords, and cPanel aliases, which may not be flagged by standard data-loss prevention or egress monitoring tools.

For internet-facing management systems, patching timelines can no longer be measured in days. Security teams need to move within hours, Varkey said.
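As an added defender-side example (not from the article, XLab, or cPanel), the following Python triage helper covers two of the checks listed above: it diffs a cPanel account's authorized_keys against a known-good baseline and flags egress log lines to the Telegram Bot API. The key material, log lines, log format, and the api.telegram.org host are constructed assumptions.

```python
import base64
import hashlib
import re
# Constructed sample of a cPanel account's authorized_keys (not real key material).
AUTHORIZED_KEYS = """\
ssh-ed25519 b3BzLWRlcGxveS1rZXktYmxvYi0wMDAx ops-deploy@corp
from="10.0.0.0/8" ssh-rsa c3NoLXJzYS1jb25zdHJ1Y3RlZC1ibG9i bob@laptop
ssh-ed25519 cm9ndWUta2V5LWJsb2ItcGxhbnRlZC0w www-data@localhost
"""
# Baseline from configuration management or a pre-incident backup (constructed).
BASELINE_KEYS = """\
ssh-ed25519 b3BzLWRlcGxveS1rZXktYmxvYi0wMDAx ops-deploy@corp
ssh-rsa c3NoLXJzYS1jb25zdHJ1Y3RlZC1ibG9i bob@laptop
"""
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_keys(text):
    """Yield (type, blob, comment); options such as from="..." before the type are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed entry: no key type or no key blob
        yield tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])

def fingerprint(blob):
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(current, baseline):
    """Return keys present on the host whose public key material is absent from the baseline."""
    known = {blob for _, blob, _ in parse_keys(baseline)}
    return [{"type": t, "comment": c, "fingerprint": fingerprint(b)}
            for t, b, c in parse_keys(current) if b not in known]

# Constructed egress log lines; api.telegram.org is assumed to be the Bot API host.
EGRESS_LOG = """\
2026-05-02T03:14:07Z cpanel01 out 203.0.113.10:443 host=cdn.example.net bytes=1200 proc=nginx
2026-05-02T03:14:09Z cpanel01 out 203.0.113.20:443 host=api.telegram.org bytes=48213 proc=php
2026-05-02T03:15:41Z cpanel01 out 203.0.113.21:443 host=api.telegram.org bytes=3110 proc=perl
"""
TELEGRAM_HOSTS = {"api.telegram.org"}
HOST_RE = re.compile(r"host=(\S+)")

def find_telegram_egress(log):
    """Return egress log lines whose destination host is a Telegram API endpoint."""
    return [ln for ln in log.splitlines()
            if (m := HOST_RE.search(ln)) and m.group(1).lower().rstrip(".") in TELEGRAM_HOSTS]
```

Any key flagged by `audit_authorized_keys` should be checked against change records before removal, since a legitimately added key that never made it into the baseline looks identical to a planted one.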
