Patch Lag Index, day one — Iceland’s Shodan-confirmed CVE count is zero
Across seven KEV-listed CVEs tracked daily on Shodan, the Shodan-confirmed-vulnerable host count for Iceland is zero. Banner-fingerprint detection finds Icelandic hosts running cPanel, ActiveMQ, FortiClient EMS and a few others — but Shodan’s vulnerability database does not flag any of them as still vulnerable. That is either a clean patch story or an opacity story; the data alone cannot tell the difference. What it does tell us is more nuanced than the headline we first reached for.
- Confirmed-vulnerable hosts in Iceland: 0 across all seven tracked CVEs. Sweden has 33 confirmed-unpatched cPanel hosts of 3,862 banner-matches (0.85%) — the only Nordic country with non-zero confirmed counts. Iceland’s zero is either a clean patch story or banner suppression; the data cannot distinguish.
- Banner-fingerprint counts tell a different and noisier story. Iceland has 242 hosts running cPanel/WHM (63.7 per 100K residents) and 11 hosts with the ActiveMQ admin port 8161 exposed. These are deployment-density signals, not patch-status signals.
- The dashboard now shows only Confirmed counts. The original per-capita banner percentages produced misleading headlines like “FortiClient EMS +1,509%” on what was actually 1 Iceland host vs 2 Nordic. Confirmed-vulnerable is the truth-tracking metric; banner counts are deployment-tracking metrics. Mixing them headlines noise as signal.
- The Iceland 1-host FortiClient EMS detection is patched. Tracked down to a single ASN; the version banner reads 7.2.4.0983, and the affected range for CVE-2026-21643 is 7.4.4 only. Shodan’s confirmed-count of 0 was correct.
- Iceland is sparser on Ivanti EPMM, GitLab, VMware Aria and Cisco FMC — enterprise products with smaller Iceland market footprint, not security strength.
- Methodology: /shodan/host/count daily, $0/month cost, aggregate counts only (no individual IPs published in the public dashboard or articles).
The seven CVEs on day one
The Patch Lag Index dashboard tracks seven KEV-listed CVEs daily across Iceland and the four Nordic neighbour countries (Denmark, Norway, Sweden, Finland). The first day of data, on two metrics:
| CVE | Product | CVSS | IS banner | IS confirmed | Nordic confirmed (avg) |
|---|---|---|---|---|---|
| CVE-2026-41940 | cPanel/WHM | 9.8 | 242 | 0 | 6.8 (Sweden 33) |
| CVE-2026-34197 | Apache ActiveMQ | 8.8 | 11 | 0 | 0 |
| CVE-2026-21643 | FortiClient EMS 7.4.4 | 9.8 | 1 | 0 | 0 |
| CVE-2026-2370 | GitLab | 8.1 | 6 | 0 | 0 |
| CVE-2026-1340 | Ivanti EPMM | 9.8 | 1 | 0 | 0 |
| CVE-2026-22719 | VMware Aria Operations | 8.1 | 0 | 0 | 0 |
| CVE-2026-20131 | Cisco Secure FMC | 10.0 | 0 | 0 | 0 |
Iceland is at zero on Shodan-confirmed-vulnerable across all seven. The single Nordic non-zero is Sweden with 33 confirmed-vulnerable cPanel/WHM hosts (0.85% of the 3,862 banners they have). Banner counts in Iceland are non-trivial in two cases — 242 cPanel hosts and 11 ActiveMQ admin ports — but the banner is “product is running here”, not “product is vulnerable here.”
An earlier version of this article led with banner-prevalence per-capita ratios (“Iceland +128% vs Nordic on cPanel”, “+1,509% on FortiClient EMS”). Those numbers are accurate but they conflate deployment density with patch status. The +1,509% in particular came from one Iceland host vs two Nordic hosts — a statistical artifact on tiny counts. The dashboard now shows only Confirmed counts to avoid this noise. The banner counts are still tracked and visible in the methodology table above for context.
cPanel/WHM: 242 Iceland banners, zero confirmed-vulnerable
cPanel is the dominant web hosting control panel in the small-to-medium hosting market. Every Icelandic shared-hosting provider runs cPanel on some portion of their fleet. Shodan banner detection finds 242 Iceland hosts with the cPanel HTTP title — deployment-density that puts Iceland between Finland (3,681 hosts) and Sweden (3,862) on a per-capita basis.
Of those 242 hosts, Shodan’s vuln:CVE-2026-41940 filter confirms zero as still vulnerable. That is what we have for Iceland on this CVE: 0/242. Two interpretations are possible and the data alone cannot distinguish:
- Patched: the operators have applied the WebPros patch or are on a version unaffected by CVE-2026-41940. KEV listing was 30 April; six days later, a clean confirmed-count is plausible if Iceland’s hosting providers patched promptly.
- Banner suppressed: cPanel installations can be configured to hide the version string in HTTP headers. A host with version-suppression would be vulnerable but not detectable as such by Shodan. This is a defensible security configuration that has the side-effect of making external vulnerability tracking impossible.
Sweden, by comparison, has 33 confirmed-vulnerable hosts out of 3,862 banner-matches. The other three Nordic countries are at zero. Iceland could be either “cleaner than Sweden” or “less detectable than Sweden” — same data point.
CVE-2026-41940 is KEV-listed, CVSS 9.8, KEV-added 30 April 2026. Public reporting (Bleeping Computer, The Hacker News) has documented over 40,000 servers compromised globally in the days following KEV-listing. Every Icelandic cPanel/WHM operator should confirm patch deployment — see WebPros’ official security advisory for the fixed version. The 0/242 number is reassuring but not a substitute for verifying patch state on your own fleet.
Apache ActiveMQ: 11 admin ports exposed, zero confirmed-vulnerable
Apache ActiveMQ is a Java-based message broker for asynchronous communication between applications. CVE-2026-34197 is a code injection vulnerability (CVSS 8.8, KEV-added 16 April) that allows remote code execution through unsafe input validation. Iceland has 11 hosts with port 8161 open — the default ActiveMQ admin web console.
Confirmed-vulnerable count: 0. The 11 hosts run ActiveMQ but Shodan does not flag any of them as still vulnerable to CVE-2026-34197. As with cPanel, that could mean patched or banner-suppressed.
What makes the 11 worth flagging anyway: ActiveMQ admin port 8161 should never be Internet-exposed regardless of patch status. It is designed for internal-only network reachability behind firewalls. Eleven Icelandic hosts with port 8161 reachable from the public Internet are exposing their admin console — even if authentication is configured strictly, the port-exposure itself is a red flag for compliance review (NIS2-relevant for any operator running message-bus infrastructure for critical or important services).
Nordic comparison: Sweden has 340 hosts with port 8161 exposed (3.22 per 100K), Finland 104 (1.87). All Nordic countries show zero Shodan-confirmed-vulnerable on this CVE. The exposed-admin-port concern is independent of the CVE patch status.
Iceland sparser: Ivanti EPMM, GitLab, VMware Aria, Cisco FMC
The four CVEs where Iceland shows lower per-capita density than its neighbours are all enterprise products with limited Icelandic market footprint:
- Ivanti EPMM (CVE-2026-1340): Iceland 1 host, Sweden 6,655 hosts (16.24 per 100K). EPMM is enterprise mobile device management. Iceland's single host suggests Icelandic enterprises have not adopted this category — expected given the smaller Icelandic enterprise market, and a positive from a security perspective (smaller attack surface).
- GitLab (CVE-2026-2370): Iceland 6 hosts, Sweden 235. Per-capita 1.58 vs Nordic 4.72. Iceland likely uses hosted GitLab.com and GitHub more than self-hosted GitLab — positive from a security standpoint, since hosted services patch themselves.
- VMware Aria Operations (CVE-2026-22719): Iceland 0 hosts. Niche IT-operations management product, low deployment scale across all five countries.
- Cisco Secure FMC (CVE-2026-20131): Iceland 0, Nordic 0. Cisco FMC is generally not Internet-exposed in standard deployments.
Methodology and limitations
Two metrics, distinct meanings:
- Banner detection (Shodan http.title:, port:, etc.): the host is running the affected product. Says nothing about whether it is currently vulnerable. A patched host can still match the banner.
- Confirmed-vulnerable (Shodan vuln:CVE-X): Shodan’s vulnerability database matched the host’s banner version against known-vulnerable releases. Says “this host’s observable banner version is in the affected range.” Does not see hosts where the version banner is suppressed.
The dashboard now leads with Confirmed counts. An earlier iteration (and an earlier version of this article) presented per-capita banner ratios as the headline metric. That conflated deployment density with patch status, and produced misleading numbers like “Iceland +1,509% on FortiClient EMS” from a 1-vs-2-host base. We tracked that single Iceland banner to a specific ASN running version 7.2.4 — and the affected version range for CVE-2026-21643 is 7.4.4 only. The host was never vulnerable. Lesson absorbed: the headline metric must be the truth-tracking one.
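The distinction between the two metrics, and the FortiClient EMS version check described above, as an added example (not the dashboard's code and not Shodan's matching logic). The banner strings are constructed; only the version 7.2.4.0983 and the affected release 7.4.4 come from this article.

```python
# Added illustration; not Shodan's matching logic and not the dashboard's code.
import re
from collections import Counter

# From the article: CVE-2026-21643 affects FortiClient EMS 7.4.4 only.
AFFECTED = [(7, 4, 4)]

# Constructed banner strings. Only the version 7.2.4.0983 comes from the article;
# the 7.4.4 build number and the banner wording are made up for the example.
SAMPLE_BANNERS = [
    "FortiClient EMS 7.2.4.0983",   # the single Iceland host
    "FortiClient EMS 7.4.4.1000",   # constructed: release in the affected range
    "FortiClient EMS",              # constructed: product visible, version hidden
]

def parse_version(banner):
    """Return the dotted version in a banner as a tuple of ints, or None."""
    match = re.search(r"\d+(?:\.\d+)+", banner or "")
    if match is None:
        return None                 # suppressed or absent version string
    return tuple(int(part) for part in match.group().split("."))

def classify(banner, affected_prefixes):
    """Three states, not two: a hidden version is unknown, not clean."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if any(version[:len(prefix)] == prefix for prefix in affected_prefixes):
        return "confirmed"
    return "not_affected"

def summarize(banners, affected_prefixes):
    """Banner count = every match; confirmed = version seen and in range."""
    states = Counter(classify(b, affected_prefixes) for b in banners)
    return {
        "banner": len(banners),
        "confirmed": states["confirmed"],
        "not_affected": states["not_affected"],
        "unknown": states["unknown"],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_BANNERS, AFFECTED))
```

A confirmed count of zero is the sum of two buckets it cannot separate from outside: `not_affected` and `unknown`. Only the operator, checking the installed version directly, can move a host out of `unknown`.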
Cycle time: Daily snapshot at 06:00 UTC. Time-series trends require 5-10 days of data accumulation before patch progression becomes visible in the dashboard.
Aggregation only: No individual IPs are published in the public dashboard or articles. No hostnames, ASNs, or organization names. Per-(CVE × country) totals only — consistent with GDPR norms and avoiding public-shaming risk. (Per-ASN data exists in the underlying database for the editorial team to investigate specific findings; it is not exposed via public API.)
Iceland-allocated vs Iceland-physical: Shodan’s country:IS filter reports hosts on Iceland-allocated CIDRs. Some of those hosts are physically located in other countries via sub-allocation (e.g., FlokiNET ehf operates infrastructure in Romania on Iceland-allocated IP space). Per-capita normalization against Iceland population can therefore over- or under-state truly Iceland-physical infrastructure.
Cost: $0/month. Shodan’s /host/count endpoint consumes no query credits even on the free dev tier.
What to do with this
Three audiences may find this useful:
Sysadmin running cPanel:
- Confirm the patch is deployed across all WHM hosts per WebPros’ official advisory for CVE-2026-41940.
- Audit port 2083/2087 firewall configuration — public Internet vs VPN-only.
- Banner suppression: cPanel installations support hiding the version string in HTTP headers. Many deployments leave the default banner, but it can be suppressed via configuration.
Sysadmin running ActiveMQ:
- Default admin port 8161 should never be public-Internet-exposed. Restrict by firewall, VPN, or service mesh.
- Confirm authentication strict mode is enabled.
- Apply the patched ActiveMQ release per Apache’s security advisory for CVE-2026-34197.
CISO or compliance officer:
- Per-capita normalization gives a fairer Nordic comparison than absolute counts. Iceland’s small-population effect masks meaningful exposure differences in either direction.
- NIS2-relevant: both cPanel and ActiveMQ are in scope if they support critical or important services.
- This is a continuous metric — daily updates are available at https://news.1881.is/api/patch-lag/index for SIEM ingestion.
What is next
Patch Lag Index is on day one. Planned updates:
- Time-series charts when 5+ days of data accumulate (sparkline per CVE row).
- Auto-publish news entries when Iceland confirmed-vulnerable count moves from zero (rather than when banner-prevalence percentages spike, the previous threshold trigger).
- Automated tracker expansion as new KEV-listed CVEs land with banner-trackable signatures and nonzero Iceland baselines.
- Patch-progress tracking via Shodan’s vuln-confirmed counts as they evolve over weeks following CVE publication. With the dashboard now reading off Confirmed counts directly, this becomes the primary dataset rather than a secondary annotation.
JSON endpoints /api/patch-lag/{current,index,timeseries/<cve>} serve the same data for ingestion into other tools. Aggregate counts only.
One day of data, two metrics, one revised dashboard
This is the first day of Patch Lag Index data, and the day-one analysis is also the day on which we revised the dashboard’s headline metric. The original framing — per-capita banner ratios — gave us alarming-sounding numbers that did not represent patch status. The revised framing — Shodan-confirmed-vulnerable counts as the primary metric — is more honest but also less dramatic. Iceland’s confirmed-vulnerable count is zero across all seven tracked CVEs. Sweden has 33 on cPanel. Everyone else is at zero too.
The data alone cannot tell us whether Iceland’s zero is a clean patch story or a banner-suppression story. Operationally, those two readings have very different implications: in the first, your fleet is up to date; in the second, your fleet might be vulnerable but Shodan cannot see it — and neither can adversaries who rely on the same banner-fingerprinting techniques. Both are defensible, both have trade-offs, and both produce the same external observable.
What we can say with confidence is what we walked back: there is no “Iceland over-exposed per-capita on cPanel and ActiveMQ” story when read against confirmed-vulnerable counts. There is a deployment-density story (Iceland and Finland have more cPanel hosts per capita than the other Nordics), but that is a market-shape observation, not a security finding. The revised dashboard reflects this. Patch Lag Index is, as far as we can tell, the first national-level continuous-tracking dashboard of this kind in Icelandic media — and on day one, the most useful thing we did was correct ourselves before the numbers settled into a misleading narrative.
Sources: Shodan dev tier /shodan/host/count (free, unlimited); CISA Known Exploited Vulnerabilities catalog; WebPros, Apache, Fortinet, Ivanti, GitLab, VMware, Cisco security advisories; news.1881.is local IOC aggregation. Data collection: 5–6 May 2026.