Organisation · US

Rapid7

US cybersecurity research firm; published the cPanel CVE-2026-41940 Exploit Tracker and the 1.5 million exposure count.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Of the 1.5 million exposed cPanel servers Rapid7 found, how many remain unpatched?

Common Questions
How many cPanel servers are exposed to the internet according to Rapid7?
Rapid7's Exploit Tracker identified approximately 1.5 million internet-exposed cPanel instances at risk from CVE-2026-41940, which allowed unauthenticated session hijacking to root. Source: Rapid7
What is Rapid7 and what does it research?
Rapid7 is a US cybersecurity company known for Metasploit and vulnerability management products. Its research arm publishes exposure counts, exploit trackers, and vulnerability analysis used by defenders and regulators.
What is Rapid7 Metasploit and why do security teams use it?
Metasploit is an open-source penetration testing framework maintained by Rapid7 that provides a library of known exploits for testing network and system security. Security teams use it in authorised red-team exercises to identify vulnerabilities before attackers do. Source: Rapid7
How did Rapid7 calculate that 1.5 million cPanel servers were exposed?
Rapid7's Exploit Tracker combined its own internet-wide scanning with Shodan data to identify approximately 1.5 million internet-reachable cPanel instances. The figure represents servers whose cPanel login daemon was accessible without network segmentation at the time of the scan. Source: Rapid7

Background

Rapid7 is a US-based cybersecurity company providing vulnerability management, detection, and incident response services, best known commercially for its Metasploit framework and InsightVM vulnerability management platform. In the cPanel CVE-2026-41940 incident, Rapid7's Exploit Tracker catalogued the vulnerability and identified approximately 1.5 million internet-exposed cPanel instances as potentially at risk.

Rapid7's research arm, Rapid7 Labs, regularly contributes to the public record on vulnerability severity and exploitation timelines. Its exposure counts, drawn from internet-wide scanning, are widely cited by CISA, news outlets, and defenders when assessing the blast radius of critical CVEs. The company went public in 2015 and is listed on Nasdaq (RPD).

The 1.5 million figure represents internet-facing cPanel instances that could be reached without network segmentation. The actual risk depends on patch status, hosting provider response, and whether external access to the login daemon was restricted. Rapid7's data contributed to pressure on WebPros to prioritise the emergency patch and informed CISA's decision to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on 30 April 2026.

Source Material