According to a recent LinkedIn post from Censys, the company’s data appears to show rapid, large-scale exploitation of a newly disclosed cPanel vulnerability, CVE-2026-41940. The post cites correlation with GreyNoise intelligence indicating that roughly 80% of newly malicious hosts observed on May 1 were running cPanel/WHM, with about 15,000 cPanel systems flagged as malicious in a single day.
Claim 55% Off TipRanks
- Unlock hedge fund-level data and powerful investing tools for smarter, sharper decisions
- Discover top-performing stock ideas and upgrade to a portfolio of market leaders with Smart Investor Picks
The post describes multiple active attack paths, including Mirai-based botnet deployment and ransomware campaigns that encrypt files with a “.sorry” extension. It also notes observations of thousands of exposed directories serving encrypted files, which is presented as evidence of automated exploitation activity and is accompanied by a recommendation that organizations assume active exploitation and patch immediately.
For investors, the post suggests that Censys is closely tracking emerging vulnerabilities and is able to surface near real-time threat telemetry tied to widely used infrastructure software. This capability may reinforce the company’s positioning in the threat intelligence and attack-surface management markets, potentially supporting demand for its data and analytics among enterprise and service-provider customers.
The rapid spike in malicious cPanel activity, if sustained, could increase the perceived urgency of investing in external attack-surface visibility and threat intelligence solutions. In that context, Censys’s role in highlighting early exploitation trends may enhance its relevance in security budgets, although the post does not provide any direct financial metrics or guidance related to this activity.