Organisation · SG

WatchTowr

Singapore offensive-security firm; CVE early-warning data cited by CISA and NCSC.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

How early did WatchTowr detect CitrixBleed 3 exploitation attempts?

Timeline for WatchTowr

#330 Apr

Disclosed CVE-2026-41940 and provided exploitation telemetry

Cybersecurity: Threats and Defences: cPanel zero-day ran 65 days before patch; Sorry ransomware active
#123 Mar

Detected active reconnaissance of CVE-2026-3055 in the wild

Cybersecurity: Threats and Defences: CitrixBleed 3 lands on SAML broker
Common Questions
Did anyone spot CitrixBleed 3 being exploited before Citrix issued a fix?
WatchTowr detected active reconnaissance against CVE-2026-3055 in the wild ahead of mass exploitation; CISA added the CVE to its KEV catalogue on 28 March 2026, confirming active exploitation. Source: WatchTowr / CISA
What does WatchTowr do?
WatchTowr is a Singapore-based offensive security firm providing attack-surface monitoring and CVE exploitation research. Its WatchTowr Labs division publishes early exploitation telemetry that feeds into CISA KEV updates and national CERT advisories, often arriving before vendor patches.
What is the cPanel zero-day WatchTowr discovered in 2026?
WatchTowr Labs disclosed CVE-2026-41940, a CRLF injection in cPanel's cpsrvd login daemon (CVSS 9.8), allowing unauthenticated session hijacking to root. Exploitation dating to 23 February was confirmed, a 65-day zero-day window before the 28 April patch. Source: WatchTowr Labs

Background

WatchTowr confirmed active reconnaissance against CVE-2026-3055 (CitrixBleed 3) in the wild ahead of mass exploitation, making it the primary early-warning data point cited in CISA and NCSC advisories on the vulnerability. The firm is known for proactive scanning of internet-facing enterprise infrastructure and has published early exploitation data on several high-profile Citrix and edge-device CVEs.

Founded in Singapore and operating across the Asia-Pacific and European enterprise markets, WatchTowr provides attack-surface monitoring and offensive security research. Its public CVE disclosures and exploitation-activity reports are regularly cited by CISA's KEV catalogue updates and by national CERTs including the UK's NCSC.

In May 2026, WatchTowr Labs (the research division) disclosed CVE-2026-41940, a CRLF injection vulnerability in the cPanel cpsrvd login daemon (CVSS 9.8) that allows unauthenticated session hijacking to root. WebPros shipped an emergency patch on 28 April; CISA added the flaw to KEV on 30 April. KnownHost telemetry confirmed exploitation dating to 23 February — a 65-day true zero-day window during which 'Sorry' ransomware was deployed on compromised hosts. The cPanel disclosure, following the CitrixBleed 3 early warning, establishes WatchTowr Labs as a consistent source of pre-patch exploitation telemetry that supplements vendor advisories and national CERT feeds. For enterprise security teams, these disclosures serve as a practical early-warning layer ahead of formal KEV publication.