We just shipped a large update to Flowtriq. Two things converged: a critical vulnerability in cPanel that's been exploited in the wild since February, and feedback from SOC teams and network operators asking for native SIEM and IDS/IPS integrations. Both are live now.

This post covers what changed, why it matters, and what's technically happening under the hood.

The cPanel CVE-2026-41940 Background

CVE-2026-41940 — CVSS 9.8 Critical. Unauthenticated authentication bypass in cPanel & WHM. Exploited in the wild since at least February 23, 2026. Vendor patch released April 28, 2026. CISA KEV listed with federal remediation deadline of May 3, 2026.

The vulnerability is a CRLF injection flaw in cPanel's session handling layer. An unauthenticated attacker can inject arbitrary session properties — including user=root — into the session store by embedding carriage-return/linefeed sequences in the Authorization header of the login request. No credentials, no prior account, no user interaction. Full root access on cPanel/WHM hosts exposed on the standard ports (2082/2083/2086/2087).

Approximately 1.5 million cPanel instances are internet-exposed. The vulnerability was being exploited as a zero-day for at least two months before cPanel shipped patches on April 28, 2026 across eight branches:

  • 11.86.0.41+
  • 11.110.0.97+
  • 11.118.0.63+
  • 11.126.0.54+
  • 11.130.0.19+
  • 11.132.0.29+
  • 11.134.0.20+
  • 11.136.0.5+

If you're running any earlier build on these branches, or any build on an unlisted branch, your server is vulnerable. To patch: upcp --force from root SSH, or go to WHM → cPanel Store → Upgrade to Latest Version.

We also built a free passive scanner that checks any public-facing cPanel/WHM host against the patched build table — no exploit code, just a version read from the login page.
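As an added illustration of the branch-table comparison described above (example code written for this post, not Flowtriq's scanner), the check below parses a version string and applies the rule stated earlier: any build on a branch missing from the table, or below its branch's patched build, is vulnerable. The sample page snippet is constructed.

```python
import re

# Patched builds per branch for CVE-2026-41940, from the advisory table quoted in this post.
# A branch absent from this table has no fixed build, so any build on it is treated as vulnerable.
PATCHED_BUILDS = {
    "11.86": (11, 86, 0, 41),
    "11.110": (11, 110, 0, 97),
    "11.118": (11, 118, 0, 63),
    "11.126": (11, 126, 0, 54),
    "11.130": (11, 130, 0, 19),
    "11.132": (11, 132, 0, 29),
    "11.134": (11, 134, 0, 20),
    "11.136": (11, 136, 0, 5),
}
VERSION_RE = re.compile(r"\b(11\.\d+\.\d+\.\d+)\b")

def parse_version(text):
    """Pull the first 11.x.y.z version string out of login-page HTML or a banner."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def fmt(v):
    return ".".join(map(str, v))

def assess(version):
    """Return (status, reason) with status 'patched', 'vulnerable' or 'unknown'."""
    if version is None:
        return "unknown", "no cPanel version string found"
    branch = f"{version[0]}.{version[1]}"
    patched = PATCHED_BUILDS.get(branch)
    if patched is None:
        return "vulnerable", f"branch {branch} is not in the patched build table"
    # Tuple comparison is numeric per component, so 11.130.0.19 > 11.130.0.9 as intended
    if version >= patched:
        return "patched", f"build {fmt(version)} is at or above {fmt(patched)}"
    return "vulnerable", f"build {fmt(version)} is below {fmt(patched)}"

# Constructed sample: a version string as it might appear in a login page footer
SAMPLE_PAGE = '<div id="copyright">cPanel, L.L.C. 11.130.0.12</div>'

if __name__ == "__main__":
    print(assess(parse_version(SAMPLE_PAGE)))
```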

What Is the Flowtriq Exposure Scanner?

The Exposure Scanner is a module inside the Flowtriq dashboard that runs security checks against your nodes — the same servers you're monitoring for DDoS. Rather than just watching for attack traffic, it actively interrogates each node's externally-visible surface: open ports, running services, TLS configuration, exposed admin panels, and now, known CVEs in detected software.

It produces a scored report (0–100, graded A–F) per node, with per-finding severity ratings (Critical / Warning / Info / Pass), actionable remediation steps, and a full history so you can track improvement over time. Each finding includes a description of what was detected, why it matters, and what to do about it.

The scanner runs from our infrastructure against your node's public IP. It does not require the Flowtriq agent. You can trigger it manually or let it run on a configurable schedule.

What We Shipped Today

CVE Detection — 10 Active Checks

The biggest addition: the Exposure Scanner now includes a CVE detection category that runs passive version fingerprinting against 10 common server-side software packages and compares detected versions against known vulnerable ranges.

The 10 checks currently running:

  • cPanel/WHM — CVE-2026-41940 (CVSS 9.8): Unauthenticated authentication bypass. Checks the cPanel login page version string against the patched build table across all eight supported branches.
  • OpenSSH — regreSSHion (CVE-2024-6387) (CVSS 8.1): Signal handler race condition allowing unauthenticated remote code execution. Checks for vulnerable 8.5p1–9.7p1 range via banner grab.
  • Apache — Path Traversal (CVE-2021-41773 / CVE-2021-42013) (CVSS 9.8 / 7.5): Directory traversal and RCE in Apache 2.4.49–2.4.50. Fingerprints via Server header.
  • PHP — CGI Argument Injection (CVE-2024-4577) (CVSS 9.8): PHP CGI on Windows allows arbitrary code execution via argument injection in FastCGI mode. Checks PHP version banner.
  • Exim — 21Nails (CVE-2020-28017 through -28026) (CVSS 9.8): 21 vulnerabilities in Exim MTA including RCE and privilege escalation. Reads SMTP banner for version comparison.
  • ProFTPD — Heap Overflow (CVE-2023-48795) (CVSS 5.9): SFTP Terrapin attack prefix truncation. Checks FTP banner version.
  • Apache ActiveMQ — RCE (CVE-2023-46604) (CVSS 10.0): Deserialization RCE via ClassInfo frame. Detected by ActiveMQ protocol banner on port 61616.
  • Redis — Unauthenticated (no CVE): Checks whether port 6379 accepts unauthenticated commands. Not a CVE but a common misconfiguration that has led to mass compromise via cron/SSH key injection.
  • WordPress — Version Disclosure: Detects publicly exposed WordPress version via readme.html or generator meta tag. Older WP installs carry numerous RCE/XSS CVEs.

All checks are passive — we read version banners, HTTP headers, and login page content. No exploit payloads, no credential attempts, no session modification. If software isn't detected on the expected port, the check is skipped cleanly.

Email Notifications on Critical Findings

When a scan completes and finds Critical or Warning findings, all workspace members with Analyst access or above receive an email summary. The email includes the node name, overall score and grade, a count of critical/warning/info/pass findings by category, and a direct link to the full scan results in the dashboard.

This means you don't have to remember to run scans — run them on a schedule, and you'll hear about it if something's wrong.

Scheduled Automatic Rescans

You can now configure a per-workspace automatic rescan interval directly from the dashboard: Daily, Every 3 days, Weekly (default), Every 2 weeks, or Monthly. The scheduled rescan picks up all active nodes in the workspace, skips any node with a scan already in progress, and fires notifications if anything critical turns up.

Combined with the CISA KEV daily sync (see below), this means new CVE definitions can be added and your existing nodes will be rescanned against them on their next scheduled interval — without any manual action.

CISA KEV Daily Sync

We added a daily job that pulls from the CISA Known Exploited Vulnerabilities catalog and flags any entries relevant to server-side software. If a new KEV entry matches a CVE we have a detection signature for, it gets flagged internally and the team receives an email — so new actively-exploited vulnerabilities get scanner coverage quickly.

11 New Threat Feeds

The threat intelligence feed list expanded with 11 new sources:

  • Emerging Threats Tor exit nodes
  • FireHOL Level 1 and Level 2 (composite attack feed)
  • CINS Score (active botnet C2 and scanner IPs)
  • BruteForce Blocker (SSH/FTP brute force sources)
  • BotScout (bot registration patterns)
  • Maltrail malicious infrastructure list
  • Abuse SSL blocklist (C2 over SSL)
  • Mirai Tracker (active Mirai C2 infrastructure)
  • Darklist.de (spam and attack sources)

Dashboard UI Improvements

The Exposure Scanner dashboard view got a set of improvements that make large scan results easier to work with:

  • SVG score ring: Each node now shows a circular progress ring that fills based on score and changes color (green/yellow/orange/red) based on grade.
  • Filter pills with counts: One-click filters for Critical / Warning / Info / Pass findings, showing the count for each so you can quickly focus on what matters.
  • Collapsible categories: Findings are grouped by category (TLS, open ports, admin panels, CVEs, etc.) and each category can be collapsed independently. Large reports are now much easier to navigate.
  • Relative timestamps: Scan dates show as "2 hours ago" or "3 days ago" with ISO timestamp on hover.
  • Sort bar: Sort findings by severity, category, or check name.

New SIEM and IDS/IPS Integrations

The second major part of this update: native integrations for SIEM platforms and IDS/IPS tools. These are live now in the dashboard under Integrations.

SIEM Integrations

  • Splunk HEC
  • Elasticsearch / OpenSearch
  • Microsoft Sentinel
  • Syslog CEF
  • Wazuh
  • MISP

Splunk HEC: Sends incident events (attack_start and attack_end) directly to your Splunk HTTP Event Collector. Configure the HEC endpoint URL, token, target index, and sourcetype (flowtriq:incident by default). Works with both on-prem Splunk and Splunk Cloud.

Elasticsearch / OpenSearch: Indexes each incident as a document in a configurable index using the _doc API. Authentication is via Elasticsearch API keys (base64-encoded, generated from Kibana or the security API). OpenSearch is fully compatible. Each document includes @timestamp, severity, attack family, peak PPS/BPS, node details, and source IP count.

Microsoft Sentinel: Uses the Log Analytics HTTP Data Collector API with SharedKey HMAC-SHA256 authentication — no Azure AD app registration required. Paste your Workspace ID and Primary Key from Azure Portal → Log Analytics Workspaces → Agents. Incidents appear in a custom table named FlowtriqIncidents_CL in Sentinel.
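For operators who want to verify their Sentinel credentials outside the dashboard, this is the SharedKey signing the Log Analytics Data Collector API requires, as an added example that is not Flowtriq's code; the workspace ID, key and incident are placeholders, and the incident field names are assumed.

```python
import base64
import datetime
import email.utils
import hashlib
import hmac
import json

API_RESOURCE = "/api/logs"
LOG_TYPE = "FlowtriqIncidents"   # Sentinel appends _CL: the table is FlowtriqIncidents_CL

def string_to_sign(content_length, rfc1123_date, method="POST", content_type="application/json"):
    """Canonical string the Data Collector API expects the client to HMAC."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{API_RESOURCE}"

def shared_key_authorization(workspace_id, primary_key_b64, content_length, rfc1123_date):
    """Authorization: SharedKey <workspace id>:<base64(HMAC-SHA256(decoded key, string))>."""
    key = base64.b64decode(primary_key_b64)   # the portal shows the Primary Key base64-encoded
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"), hashlib.sha256)
    return f"SharedKey {workspace_id}:{base64.b64encode(mac.digest()).decode('ascii')}"

def build_request(workspace_id, primary_key_b64, incident, rfc1123_date=None):
    """Return (url, headers, body) for one incident event; nothing is sent from here."""
    if rfc1123_date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        rfc1123_date = email.utils.format_datetime(now, usegmt=True)
    body = json.dumps([incident]).encode("utf-8")   # the API takes a JSON array of records
    headers = {
        "Content-Type": "application/json",
        "Authorization": shared_key_authorization(workspace_id, primary_key_b64, len(body), rfc1123_date),
        "Log-Type": LOG_TYPE,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body

# Constructed sample event and placeholder credentials (not real values)
SAMPLE_INCIDENT = {"event": "attack_start", "node": "prod-node", "attack_family": "syn_flood",
                   "severity": "critical", "peak_pps": 1200000, "source_ip_count": 843}
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_PRIMARY_KEY = base64.b64encode(b"placeholder-primary-key-not-a-real-secret").decode("ascii")

if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_WORKSPACE_ID, SAMPLE_PRIMARY_KEY, SAMPLE_INCIDENT)
    print(url, headers["Authorization"], len(body), sep="\n")
```

Note that the signature covers the content length and date rather than the body itself, so the x-ms-date header must be within the API's accepted clock skew or the request is rejected.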

Syslog CEF: Sends incidents as RFC 3164 syslog messages in Common Event Format (CEF) via UDP or TCP. CEF is the universal format understood by IBM QRadar, Micro Focus ArcSight, LogRhythm, FortiSIEM, and most other enterprise SIEMs. One integration, broad compatibility.
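An added example (not the product's own formatter) of what an incident looks like on the wire as an RFC 3164 syslog line carrying CEF, including the header and extension escaping a SIEM parser depends on; the field mapping (cs1/cn1/cn2/cnt/externalId), the severity mapping, the syslog facility and the sample incident are this example's assumptions.

```python
import datetime

# Mapping from Flowtriq severity labels to the CEF 0-10 scale: an assumption of this example
CEF_SEVERITY = {"critical": 9, "warning": 6, "info": 3}
SYSLOG_FACILITY = 16   # local0; facility and level are conventional choices for this example
SYSLOG_LEVEL = 4       # warning

def cef_header_escape(value):
    """Header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext_escape(value):
    """Extension values: backslash, equals and line breaks must be escaped (pipes are fine here)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def incident_to_cef(inc):
    """Build the CEF body for an attack_start / attack_end incident event."""
    header = "|".join(cef_header_escape(v) for v in (
        "Flowtriq", "Flowtriq", "1.0", inc["event"],
        f"DDoS {inc['attack_family']} {inc['event'].split('_')[1]} on {inc['node']}",
        CEF_SEVERITY.get(inc["severity"], 5)))
    ext = {
        "dst": inc["node_ip"], "dhost": inc["node"],
        "cs1Label": "attackFamily", "cs1": inc["attack_family"],
        "cn1Label": "peakPps", "cn1": inc["peak_pps"],
        "cn2Label": "peakBps", "cn2": inc["peak_bps"],
        "cnt": inc["source_ip_count"],
        "externalId": inc["incident_id"],
    }
    return "CEF:0|" + header + "|" + " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext.items())

def syslog_cef_line(inc, hostname="flowtriq", now=None):
    """Wrap the CEF body in an RFC 3164 header: <PRI>Mmm dd hh:mm:ss host CEF:..."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    pri = SYSLOG_FACILITY * 8 + SYSLOG_LEVEL
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"   # RFC 3164 pads the day with a space
    return f"<{pri}>{stamp} {hostname} {incident_to_cef(inc)}"

# Constructed sample incident; the node name deliberately contains '|' and '=' to exercise escaping
SAMPLE_INCIDENT = {"event": "attack_start", "severity": "critical", "node": "prod-node|eu=1",
                   "node_ip": "203.0.113.10", "attack_family": "syn_flood", "peak_pps": 1200000,
                   "peak_bps": 9600000000, "source_ip_count": 843, "incident_id": 1234}

if __name__ == "__main__":
    print(syslog_cef_line(SAMPLE_INCIDENT))
```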

Wazuh: Forwards incidents as JSON syslog messages to the Wazuh manager's remote syslog receiver on port 514 (configurable). The JSON payload includes rule_id, rule_level, attack family, peak PPS/BPS, and node details — structured for Wazuh decoder rules. A sample decoder is provided in the integration configuration panel.

MISP: Creates a MISP threat intelligence event when an incident resolves, including attacker source IPs as ip-src IOCs (flagged for threat intel export), the target node as ip-dst, attack family and metrics as text attributes, and a link back to the Flowtriq incident. Configurable distribution level (org-only through all communities) and optional auto-publish.

All SIEM integrations include a Test button that fires a synthetic test event so you can verify connectivity and credentials before an attack happens.

IDS/IPS Export Feeds

In addition to the real-time push integrations, we've added two pull-based export feeds for IDS/IPS tools:

Suricata / Snort Rules: A token-authenticated endpoint that generates a .rules file of DROP rules for high-confidence DDoS source IPs detected in your recent incidents. The output is compatible with Suricata 7.x and Snort 3.x. Configure your IDS to pull the URL on a schedule (e.g., via cron every 15 minutes) to keep the blocklist current.

# Example output
drop ip 198.51.100.1 any -> any any (msg:"Flowtriq: DDoS source 198.51.100.1 (syn_flood) on prod-node [incident #1234]"; sid:9001001; rev:1;)
drop ip 203.0.113.42 any -> any any (msg:"Flowtriq: DDoS source 203.0.113.42 (udp_flood) on prod-node [incident #1234]"; sid:9001002; rev:1;)

Zeek Intel Feed: A tab-separated Zeek Intelligence Framework feed (Intel::ADDR type) for the same set of attacker IPs. Load it via Intel::read_files in your Zeek policy to trigger notices on attacker IP sightings in future traffic.

#fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.do_notice
#types	string	string	string	string	string	bool
198.51.100.1	Intel::ADDR	Flowtriq	DDoS source (syn_flood) — incident #1234	https://flowtriq.com/...	T

Both endpoints accept a days parameter (lookback window, default 7, max 90) and a confidence parameter (minimum IP confidence score, default 50%). Authenticate with any active API key from Settings → API Keys via ?token= or Authorization: Bearer header.
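Before an IDS loads a pulled .rules file it is worth validating it, so that a truncated download, an unexpected rule action or an address inside your own space never turns into a drop rule. The validator below is an added example, not part of the feed; the sid range and the never-block prefixes are assumptions, and the feed text is constructed from the example output above.

```python
import ipaddress
import re

# Exactly the rule shape the feed emits; anything else is rejected rather than loaded
RULE_RE = re.compile(r'^drop ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) any -> any any '
                     r'\(msg:"(?P<msg>[^"]*)"; sid:(?P<sid>\d+); rev:(?P<rev>\d+);\)$')
SID_RANGE = range(9001000, 9002000)   # assumed local SID block, matching the sample output above
# Prefixes a pulled feed must never be allowed to drop; extend with your own address space
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def validate_rules(text, never_block=NEVER_BLOCK):
    """Split a pulled .rules file into (accepted rule lines, [(lineno, reason)] rejected)."""
    accepted, rejected, seen_sids = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            rejected.append((lineno, "does not match the expected drop-rule shape"))
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            rejected.append((lineno, "invalid IPv4 address"))
            continue
        if any(ip in net for net in never_block):
            rejected.append((lineno, f"{ip} is in a never-block prefix"))
            continue
        sid = int(m["sid"])
        if sid not in SID_RANGE or sid in seen_sids:
            rejected.append((lineno, f"sid {sid} out of range or duplicated"))
            continue
        seen_sids.add(sid)
        accepted.append(line)
    return accepted, rejected

# Constructed feed: two good rules, a private source, a non-drop rule and a duplicated sid
SAMPLE_FEED = """# Example output
drop ip 198.51.100.1 any -> any any (msg:"Flowtriq: DDoS source 198.51.100.1 (syn_flood) on prod-node [incident #1234]"; sid:9001001; rev:1;)
drop ip 203.0.113.42 any -> any any (msg:"Flowtriq: DDoS source 203.0.113.42 (udp_flood) on prod-node [incident #1234]"; sid:9001002; rev:1;)
drop ip 10.0.0.5 any -> any any (msg:"bogus"; sid:9001003; rev:1;)
alert ip 198.51.100.9 any -> any any (msg:"not a drop rule"; sid:9001004; rev:1;)
drop ip 198.51.100.7 any -> any any (msg:"dup"; sid:9001001; rev:1;)
"""
```

Write the accepted lines to a temporary file and rename it over the live rules file before reloading, so the IDS never reads a half-written blocklist.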

How the CVE Scanner Integrates with the Rest of the Platform

The exposure scanner and the DDoS detection engine were already on the same platform — now they're more connected. When a CVE scan turns up a critical finding like an unpatched cPanel server, the same node is being monitored for DDoS traffic. If someone exploits CVE-2026-41940 to gain root access and then installs DDoS tooling, you're not just seeing it in the exposure scanner — you're seeing the subsequent attack traffic, the outbound connections, the unusual bandwidth patterns.

This is the model we're building toward: perimeter exposure detection feeding context into traffic anomaly detection. The exposure scanner tells you where you're vulnerable. The DDoS detection tells you when those vulnerabilities are being actively leveraged. Combined with the SIEM integrations, both data streams go into your existing security tooling for correlation.

What's Next

A few things in flight:

  • More CVE signatures — particularly for Citrix, Fortinet, and Palo Alto edge devices which are heavily targeted in network-adjacent attacks
  • Attack correlation between CVE findings and incident data (e.g., flagging when a node with a critical CVE finding subsequently receives an attack)
  • STIX/TAXII export for MISP and threat intel sharing
  • Additional IDS/IPS integrations: Palo Alto Panorama, Fortinet FortiGate

If you're running cPanel, check your version now. If you're running a SOC or network operations team and want DDoS events flowing into your SIEM, the integrations are available under Dashboard → Integrations.

Check your cPanel version for CVE-2026-41940 — the free passive scanner checks any public cPanel host instantly. No account required.