
Shodan
Internet-exposure search engine; provided the 1.5 million exposed cPanel count cited in CVE-2026-41940 analysis.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Can attackers use Shodan to find all 1.5 million unpatched cPanel servers right now?
Timeline for Shodan
Provided telemetry quoted by Rapid7 counting roughly 1.5 million exposed cPanel instances
Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware activeWhat is Shodan and why do hackers use it?
How does Shodan know about 1.5 million cPanel servers?
How does Shodan scan the internet without permission?
Background
Shodan is a search engine that indexes internet-connected devices and services, providing security researchers, defenders, and threat actors with visibility into exposed systems. It scans the public internet continuously, cataloguing open ports, service banners, certificates, and software versions. In the cPanel CVE-2026-41940 incident, Shodan data underpinned the approximately 1.5 million exposed cPanel instance count cited by Rapid7 and others.
Founded by John Matherly in 2009, Shodan operates as a commercial service with free and paid tiers. It indexes devices ranging from web servers and industrial control systems to routers, cameras, and medical equipment. The platform is used extensively by security teams for asset discovery and by researchers to estimate vulnerability blast radii — as in the cPanel incident. It is also used by threat actors to locate vulnerable systems at scale.
Shodan's data is deliberately passive (it scans publicly reachable services, not internal networks) and legally accessible, though its use raises dual-use concerns. Regulatory frameworks increasingly require organisations to monitor their own Shodan exposure as part of basic cyber hygiene. CISA references Shodan data in its own vulnerability advisories.