A critical vulnerability, CVE-2026-41940, within cPanel and WebHost Manager (WHM) is currently under active exploitation by a threat actor known as Mr_Rot13, who is leveraging the flaw to deploy a sophisticated backdoor codenamed 'Filemanager' on compromised servers. This vulnerability enables an authentication bypass, allowing remote attackers to circumvent standard security protocols and achieve elevated control over affected systems1. The active exploitation circumvents protective measures, granting unauthorized administrative access and facilitating the installation of the 'Filemanager' backdoor, which could persist on the system for long-term access and control. This means an attacker can effectively take over the control panel, managing websites and server configurations. The documented attacks, observed around mid-May 2026, confirm in-the-wild weaponization of CVE-2026-41940. Organizations operating cPanel and WHM environments must prioritize immediate patching and conduct thorough forensic investigations for indicators of compromise, as this vulnerability significantly expands the active attack surface for administrative interfaces.