
Rapid7
US cybersecurity research firm; published cPanel CVE-2026-41940 Exploit Tracker and 1.5m exposure count.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Of the 1.5 million exposed cPanel servers Rapid7 found, how many remain unpatched?
Timeline for Rapid7
Mentioned in: A quiet KEV fortnight, then a 2008 bug
Cybersecurity: Threats and DefencesMentioned in: SharePoint patch clock runs out today
Cybersecurity: Threats and DefencesMentioned in: WebLogic flaw revived as ransomware vector
Cybersecurity: Threats and DefencesMentioned in: Drupal SQL flaw hits PostgreSQL sites
Cybersecurity: Threats and DefencesMentioned in: LiteLLM SQL injection hits in 36 hours
Cybersecurity: Threats and DefencesHow many cPanel servers are exposed to the internet according to Rapid7?
What is Rapid7 and what does it research?
What is Rapid7 Metasploit and why do security teams use it?
Background
Rapid7 is a US-based cybersecurity company providing vulnerability management, detection, and Incident Response services, best known commercially for its Metasploit framework and InsightVM vulnerability management platform. In the cPanel CVE-2026-41940 incident, Rapid7's Exploit Tracker catalogued the vulnerability and identified approximately 1.5 million internet-exposed cPanel instances as potentially at risk.
Rapid7's research Arm, Rapid7 Labs, regularly contributes to the public record on vulnerability severity and exploitation timelines. Its exposure counts — drawn from internet-wide scanning — are widely cited by CISA, news outlets, and defenders when assessing the blast radius of critical CVEs. The company went public in 2015 and is listed on Nasdaq (RPD).
The 1.5 million figure represents internet-facing cPanel instances that could be reached without network segmentation. The actual risk depends on patch status, hosting provider response, and whether external access to the login daemon was restricted. Rapid7's data contributed to pressure on WebPros to prioritise the emergency patch and informed CISA's decision to ADD the vulnerability to KEV on 30 April 2026.