Shodan
Organisation: US

Internet-exposure search engine; provided the 1.5 million exposed cPanel count cited in CVE-2026-41940 analysis.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Can attackers use Shodan to find all 1.5 million unpatched cPanel servers right now?

Timeline for Shodan

#33 · 30 Apr

Provided telemetry quoted by Rapid7 counting roughly 1.5 million exposed cPanel instances

Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware active
Common Questions
What is Shodan and why do hackers use it?
Shodan is a search engine that indexes internet-connected devices by scanning open ports and service banners. Security researchers use it for asset discovery; threat actors use it to locate vulnerable systems at scale, including during campaigns like the cPanel CVE-2026-41940 exploitation.
How does Shodan know about 1.5 million cPanel servers?
Shodan continuously scans the public internet and indexes service banners. cPanel servers expose identifiable fingerprints on standard ports; Shodan's count of approximately 1.5 million represents internet-reachable instances as of the scan date. (Source: Rapid7 / Shodan)
How does Shodan scan the internet without permission?
Shodan scans publicly reachable IP addresses and ports using standard network probes, cataloguing service banners and certificates that systems broadcast openly. No authentication is required to scan public addresses; Shodan does not access private networks or bypass security controls. (Source: Shodan)
Should organisations monitor their own Shodan exposure?
Yes. Regulatory guidance and security frameworks increasingly require organisations to check their Shodan exposure as basic cyber hygiene. CISA references Shodan data in vulnerability advisories; knowing what Shodan shows about your infrastructure is the first step in reducing your public attack surface. (Source: CISA)
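The two answers above (banner indexing on standard ports, and checking your own Shodan exposure) translate into a routine defenders can script. The following is an added example, not code from Shodan or from this briefing: it takes a host record shaped like Shodan's host-lookup response (the `ip_str`, `ports`, `data` and `vulns` fields) and reports which reachable services are not on the organisation's own allowlist, which of them are cPanel/WHM/Webmail management interfaces on cPanel's default ports, and which known vulnerabilities Shodan has tagged. The JSON record, the IP in the 203.0.113.0/24 documentation range and the allowlist are constructed for the example; in practice the record would come from the `shodan` library's `host()` call for each IP the organisation owns.

```python
"""Review a Shodan host record for unexpected internet exposure.

Added example, not Shodan's own code. SAMPLE_HOST_JSON is a constructed
record shaped like Shodan's host lookup response ("ip_str", "ports",
"data", "vulns"); a real run would replace it with the output of
shodan.Shodan(API_KEY).host(ip) for each of the organisation's own IPs.
"""
import json

# Constructed sample: one host in the 203.0.113.0/24 documentation range.
SAMPLE_HOST_JSON = """
{
  "ip_str": "203.0.113.10",
  "hostnames": ["web1.example.com"],
  "ports": [22, 443, 2083, 2087],
  "vulns": ["CVE-2026-41940"],
  "data": [
    {"port": 22,   "transport": "tcp", "product": "OpenSSH", "version": "9.6"},
    {"port": 443,  "transport": "tcp", "product": "nginx",   "version": "1.26.0"},
    {"port": 2083, "transport": "tcp", "product": "cPanel"},
    {"port": 2087, "transport": "tcp", "product": "cPanel"}
  ]
}
"""

# cPanel's default management ports (cPanel, WHM, Webmail; plain and TLS).
CPANEL_PORTS = {
    2082: "cPanel (plain)", 2083: "cPanel (TLS)",
    2086: "WHM (plain)", 2087: "WHM (TLS)",
    2095: "Webmail (plain)", 2096: "Webmail (TLS)",
}

# Constructed allowlist: the only services each host is meant to expose.
EXPECTED_PORTS = {"203.0.113.10": {443}}


def load_host(raw_json):
    """Parse a host record into a dict; returns {} for malformed input."""
    try:
        host = json.loads(raw_json)
    except json.JSONDecodeError:
        return {}
    return host if isinstance(host, dict) else {}


def exposed_services(host):
    """(port, product, version) for every banner Shodan recorded, by port."""
    services = []
    for banner in host.get("data", []):
        services.append((banner.get("port"),
                         banner.get("product", "unknown"),
                         banner.get("version", "")))
    return sorted(services, key=lambda s: s[0])


def unexpected_ports(host, expected=EXPECTED_PORTS):
    """Ports Shodan sees on this host that are not on its allowlist."""
    allowed = expected.get(host.get("ip_str", ""), set())
    return sorted(p for p in host.get("ports", []) if p not in allowed)


def cpanel_management_ports(host):
    """cPanel/WHM/Webmail ports reachable from the internet, with labels."""
    return [(p, CPANEL_PORTS[p])
            for p in sorted(host.get("ports", [])) if p in CPANEL_PORTS]


def exposure_report(host, expected=EXPECTED_PORTS):
    """Everything a defender would act on from one host record."""
    return {
        "ip": host.get("ip_str"),
        "services": exposed_services(host),
        "unexpected_ports": unexpected_ports(host, expected),
        "cpanel_ports": cpanel_management_ports(host),
        "vulns": sorted(host.get("vulns", [])),
    }


if __name__ == "__main__":
    report = exposure_report(load_host(SAMPLE_HOST_JSON))
    print(f"Host {report['ip']}")
    for port, product, version in report["services"]:
        print(f"  {port:>5}/tcp  {product} {version}".rstrip())
    print("Unexpected ports:", report["unexpected_ports"] or "none")
    for port, label in report["cpanel_ports"]:
        print(f"  cPanel management interface exposed: {port} {label}")
    print("Vulnerabilities tagged by Shodan:", report["vulns"] or "none")
```

Running this over every IP the organisation owns, on a schedule, is the "monitor your own Shodan exposure" check the answer above describes: a management port that is reachable but not on the allowlist is the finding to act on (close it, restrict it to trusted addresses, or patch and document it), and a populated `vulns` list is the cue to cross-check patch status rather than trust the fingerprint alone.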

Background

Shodan is a search engine that indexes internet-connected devices and services, providing security researchers, defenders, and threat actors with visibility into exposed systems. It scans the public internet continuously, cataloguing open ports, service banners, certificates, and software versions. In the cPanel CVE-2026-41940 incident, Shodan data underpinned the approximately 1.5 million exposed cPanel instance count cited by Rapid7 and others.

Founded by John Matherly in 2009, Shodan operates as a commercial service with free and paid tiers. It indexes devices ranging from web servers and industrial control systems to routers, cameras, and medical equipment. The platform is used extensively by security teams for asset discovery and by researchers to estimate vulnerability blast radii — as in the cPanel incident. It is also used by threat actors to locate vulnerable systems at scale.

Shodan's data is deliberately passive (it scans publicly reachable services, not internal networks) and legally accessible, though its use raises dual-use concerns. Regulatory frameworks increasingly require organisations to monitor their own Shodan exposure as part of basic cyber hygiene. CISA references Shodan data in its own vulnerability advisories.

Source Material