Product Updates

Download search results for Core and Enterprise users, new API endpoints for retrieving certificates in PEM format, five new fingerprints, and one Rapid Response bulletin.Platform Core and Enterprise users can now download search results in CSV format in the Platform UI.   Each page of results must be downloaded separately. Each CSV file can contain a maximum of 100 results. APIAdded two new API endpoints to retrieve a single certificate or multiple certificates in PEM format.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issue.High-Severity Flaw Affecting Microsoft Exchange Hybrid Deployments [CVE-2025-53786] Use the following queries to find Exchange servers that may or may not have an OWA portal present. Not all of these are necessarily vulnerable. Read the blog for more information about finding OWA portals and hosts with Exchange servers and OWA portals on the same device. Platform query Legacy Search query ASM query ASM risk query New fingerprintsAdded the following fingerprints.Type Name Description Query risk Vulnerable Exchange Server [CVE-2025-53786] The Microsoft Exchange application is running a version that is potentially vulnerable to CVE-2025-53786, which allows privilege escalation on on-premises Exchange Servers configured as hybrid deployments. ASM risk query: risks.name: `Vulnerable Exchange Server [CVE-2025-53786]` risk Vulnerable Papercut Print Server CVE-2023-2533 This Papercut MF/NG Print Server is vulnerable to CVE-2023-2533, a CSRF vulnerability that could potentially allow an attacker to alter security settings or execute arbitrary code. This can be only be exploited if the target is an admin with a current login session, and often times requires the user to click a specially crafted malicious link. Versions \< 20.1.8, 21.0.0 - 21.2.11, and 22.0.0 - 22.1.0 are affected. ASM risk query: risks.name: `Vulnerable Papercut Print Server CVE-2023-2533` software Oracle E-Business Suite Oracle E-Business Suite is an integrated set of business applications that helps enterprises manage core functions like finance, supply chain, human resources, and customer relationship management. Platform query software Papercut NG Print Server Papercut NG is a print management system. Platform query software Papercut MF Print Server Papercut MF is a print management system. Platform query

Query Assistant improvements in the Platform and seventeen risks enabled for ASM.PlatformYou no longer need to click the generate button to convert natural language input into a Censys Query Language query using the Query Assistant. Instead, the query assistant now automatically converts natural language after you enter it.ASMThe following risks are now enabled for all ASM customers.Risk name Description Severity ATG (Automatic Tank Gauging) Service Exposed This service is running Automatic Tank Gauging (ATG) protocol used for monitoring fuel tanks and fluid levels in critical infrastructure. ATG systems control fuel distribution, inventory management, and leak detection systems. Exposure allows attackers to manipulate fuel readings, cause environmental damage, or disrupt operations. Critical OPC UA Service Exposed This service is running OPC Unified Architecture (OPC UA), a critical industrial communication protocol used for data exchange between industrial equipment, SCADA systems, and manufacturing execution systems. Exposed OPC UA servers allow attackers to read sensitive operational data, modify control parameters, or disrupt industrial processes. Critical GE SRTP Service Exposed This service is running GE SRTP (General Electric Service Request Transport Protocol), used for communication with GE industrial control systems, PLCs, and automation equipment. GE SRTP enables configuration, monitoring, and control of critical infrastructure equipment. Exposure allows attackers to access control systems, modify operational parameters, or cause equipment failures. Critical PCWORX Service Exposed This service is running PCWORX protocol, used by Phoenix Contact PLCs and industrial automation systems. PCWORX enables programming, configuration, and real-time communication with industrial controllers in manufacturing, building automation, and process control applications. Exposure allows attackers to read/write PLC programs, modify control logic, or disrupt automated processes. Critical IEC 60870-5-104 Service Exposed This service is running IEC 60870-5-104, a critical power system communication protocol used for telecontrol and SCADA in electrical power systems. This protocol controls power generation, transmission, and distribution infrastructure. Exposure allows attackers to manipulate power grid operations, cause blackouts, or damage electrical equipment. Critical MMS (Manufacturing Message Specification) Service Exposed This service is running Manufacturing Message Specification (MMS), an ISO standard for real-time communication in industrial automation systems. MMS enables communication between SCADA systems, DCS controllers, and manufacturing equipment. Exposure allows attackers to read critical process data, modify control parameters, or disrupt manufacturing operations. High HART Service Exposed This service is running HART (Highway Addressable Remote Transducer) protocol, used for communication with smart field devices in process automation. HART enables digital communication with sensors, transmitters, and actuators in chemical plants, refineries, and other industrial facilities. Exposure allows attackers to read process measurements, modify device configurations, or disrupt critical control loops. High UBIQUITI Service Exposed This service is designed for Ubiquiti device management and configuration. Ubiquiti devices often have default credentials and known vulnerabilities, making them attractive targets for attackers seeking to gain network access or use devices in botnet attacks. High NETIS Service Exposed This service is running the NETIS router configuration protocol. NETIS routers have a well-known backdoor vulnerability (CVE-2014-2321) that allows unauthenticated remote access via UDP port 53413. This backdoor has been widely exploited by malware and botnets for gaining network access and launching attacks. Critical SSDP Service Exposed This service is running the Simple Service Discovery Protocol (SSDP), which is part of the UPnP protocol suite. SSDP is a major vector for DDoS amplification attacks with amplification factors up to 30x. It also exposes detailed device information that can be used for network reconnaissance and targeted attacks. High WS-Discovery Service Exposed This service is running Microsoft's Web Services Dynamic Discovery (WS-Discovery) protocol used for device and service discovery on networks. When exposed to the Internet, it can be abused for DDoS amplification attacks and allows attackers to gather detailed information about internal network devices and services. Medium TP-Link Kasa Service Exposed This service is running TP-Link Kasa smart home device management protocol. Exposed Kasa devices allow unauthorized users to control smart plugs, lights, cameras, and other IoT devices, potentially enabling privacy invasion, device manipulation, or using devices as entry points for further network attacks. Medium Chromecast Service Exposed This service is designed for Google Chromecast streaming and control functionality. Exposed Chromecast devices can allow unauthorized users to hijack media streaming, play unwanted content, or use the device as an entry point for network reconnaissance and attacks. Medium Yahoo Smart TV Service Exposed This service is designed for Yahoo Smart TV functionality and remote control capabilities. Exposed Smart TV services can be targets for unauthorized access, privacy invasion through camera/microphone access, or incorporation into IoT botnets for DDoS attacks. Medium IOTA Service Exposed This service is part of the IOTA distributed ledger technology ecosystem. Exposed IOTA nodes can be targets for cryptocurrency-related attacks, DDoS amplification, or exploitation of node software vulnerabilities. Medium DCERPC Service Exposed The Distributed Computing Environment / Remote Procedure Call (DCERPC) protocol is used by many Windows services for remote management, authentication, and service control. It operates by default over port 135/TCP. Exposure of DCERPC services to the internet can allow attackers to enumerate available services, exploit unpatched vulnerabilities, and potentially execute remote code. DCERPC should never be exposed directly to the internet without strict access controls. High WINRM Service Exposed Windows Remote Management (WinRM) is a Microsoft protocol used for remotely managing Windows systems via PowerShell and other tools. While powerful for automation and administration, exposing WinRM to the internet is dangerous because it can allow attackers to execute remote commands, especially if using weak or default credentials. It supports basic and NTLM authentication, which can be intercepted or brute-forced, particularly over unencrypted HTTP (port 5985). Without proper safeguards like VPN access, strong auth, and firewalls, an exposed WinRM service is a high-risk entry point for attackers. High

Open directory data enhancements and suspicious directory threat, graphical investigation explorer, CensEye enhancements, and more improvements in the Platform; Chrome browser extension, and registrant email domain pivoting in ASM.PlatformThreat HuntingBuild node-based pivot trees to discover, visualize, and understand connections between web assets in the Censys datasets using the Investigation Manager in the Platform web UI. Use the Suspicious Directory threat to find and track web assets with open directories that contain security tools, penetration testing utilities, webshells, or other potentially malicious files. Use this threat information to find hosts and web services with suspicious files before they are leveraged in attacks. Leverage the open directory visual explorer and open directory parsed fields to quickly understand directory information at a glance, including file names, sizes, last modified dates, and directory structure. Made several changes to the default CensEye pivot fields for hosts, web properties, and certificates, including: Added TLS fingerprinting fields (JA4S, JA3S, JA4X, JARM) for better network analysis Added SSH, Cobalt Strike, and protocol-specific pivots for threat detection Added HTTP metadata fields (headers, favicons, body hashes) for web analysis Switched favicon hashes from MD5 to SHA256 for improved security Added support for specialized protocols including SCADA, Kubernetes, and SNMP Chrome browser extensionPerform IP lookups and full-text searches from within a browser window using the Censys Chrome browser extension.APIAdded the count_by_level parameter to the aggregate endpoint to allow you to specify which document level's count is returned per term bucket, primarily for nested fields. This is the same functionality available in the Count By dropdown in the Report Builder UI.ASMAdded registrant email domain pivoting to the ASM attribution process during seed discovery. If ASM finds the email address registrant@censys.com associated with a domain that belongs to you, it will pivot to find other assets registered to any censys.com email address. If you accept an email domain as a seed, you will see many new registrant emails appear in the seed discovery list. If you have continuous seed discovery enabled, this update may result in more frequent seed discovery emails for newly found email addresses. Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issue.Critical CrushFTP Vulnerability Added to CISA KEV [CVE-2025-54309] Use the following queries to find CrushFTP servers. Not all of these are necessarily vulnerable. Platform query Legacy Search query ASM query ASM risk query New fingerprintsAdded the following fingerprints.Type Name Description Query risk Vulnerable CrushFTP [CVE-2025-54309] CrushFTP 11 before 11.3.4_23 (update \< 756), when the DMZ proxy feature is not used, is vulnerable to CVE-2025-54309 due to mishandled AS2 validation, allowing remote attackers to obtain admin access via HTTPS.  ASM risk query: risks.name: `Vulnerable CrushFTP [CVE-2025-54309]` software Cisco ISE Cisco Identity Services Engine (ISE) is a network access control and policy enforcement system that provides secure access via identity-based policies. Platform query

Platform MCP Server for AI agents, Platform web service screenshots, and more enhancements.PlatformUse the Platform Model Context Protocol (MCP) Server to give your AI agents and workflows secure, governed, and direct access to the entire Censys Internet Map and Platform APIs, empowering you to hunt, triage, and respond at machine speed. Visually investigate exposed assets on the Censys Platform with recurring and on-demand web service screenshots. Added HTML titles (host.services.endpoints.http.html_title and web.endpoints.http.html_title) to the default pivot fields for CensEye to quickly discover related infrastructure. Use the filter_by_query parameter on Platform API aggregate endpoints to limit aggregation results to those that match your query. This functionality is equivalent to the filter checkbox in the Report Builder UI.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues.ToolShell Exploit Enables Unauthenticated SharePoint RCE [CVE-2025-53770] Use the following queries to find SharePoint servers. Not all of these are necessarily vulnerable. Platform query Legacy Search query ASM query Pre-Auth SQL Injection Leads to RCE in Fortinet FortiWeb [CVE-2025-25257] Use the following queries to find FortiWeb devices. Not all of these are necessarily vulnerable. Platform query Legacy Search query ASM query

New CensEye API endpoint, Live Rescan for all Enterprise customers, enhancements to Platform AI tool configuration, recent searches in the Platform web UI, and more.PlatformUse the CensEye value counts API to obtain counts of web assets for specific field-value pairs and combinations of field-value pairs for rapid research and analysis. Added combined HTTP header key and value information to the default pivot fields for CensEye to quickly discover related infrastructure. All Enterprise customers now have access to the Live Rescan feature. Added the ability to configure AI tool usage and privacy settings at the individual user and organization level. Added recent searches to the search bar in the Platform web UI. Platform Starter users may now configure their Censys Credits to automatically replenish when they reach a specific amount.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issue.Unauthenticated RCE in Wing FTP Server [CVE-2025-47812] Use the following queries to identify exposed Wing FTP servers. Not all of these are necessarily vulnerable. Platform query Legacy Search query ASM query   ASM risk query New fingerprintsAdded the following fingerprints.Type Name Description Query risk Vulnerable Wing FTP Server CVE-2025-47812 This Wing FTP Server is running a vulnerable version of the software that is susceptible to CVE-2025-47812, an unauthenticated remote code execution vulnerability. ASM risk query: risks.name = "Vulnerable Wing FTP Server CVE-2025-47812" software Wing FTP Server This service is running a Wing FTP server. Platform query

CVE risk rescan and scan data links in ASM, three new software fingerprints, and one new Rapid Response bulletin.ASM Use the ability to rescan CVE risks on host risk cards in the ASM web console to verify that a CVE risk has been closed after completing your or remediation workflows. Use the View Scan Data button to see the scan data for the service.   Added the ability to copy data field names from table header rows in the ASM web console to quickly search your inventory for relevant assets.   New fingerprintsAdded the following fingerprints.Type Name Description Query software MCP Inspector MCP Inspector is a developer tool that enables inspection and debugging of Model Context Protocol workflows. Platform query software BentoML BentoML is an open-source platform designed to help developers package and deploy machine learning models. Platform query software AMI MegaRAC SP-X Firmware This is a device running AMI MegaRAC SP-X firmware, a proprietary Linux-based platform for Baseboard Management Controllers (BMCs). MegaRAC SP-X provides out-of-band management functionality via interfaces like Redfish, IPMI, and a web GUI, and is commonly deployed in enterprise servers and datacenter hardware. Platform query Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issue.Multiple Vulnerabilities in NetScaler Gateway & ADC [CVE-2025-5777 & CVE-2025-6543 & CVE-2025-5439] Use the following queries to identify exposed MegaRAC SPx firmware. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query

Five new hardware and software fingerprints and three new risks for ASM.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issue.Multiple Vulnerabilities in NetScaler Gateway & ADC [CVE-2025-5777 & CVE-2025-6543 & CVE-2025-5439] Use the following queries to identify exposed NetScaler Gateway and ADC instances. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query ASM risk query New fingerprintsAdded the following fingerprints.Type Name Description Query hardware Planet Router This is a Planet Technology Corporation router or network device. Platform query software Wordpress Plugin - Rank Math SEO A very popular search engine optimization plugin for Wordpress. Platform query software wordpress-plugin-wp-rocket A wordpress performance-based plugin to speed up websites with caching. Platform query software wordpress-plugin-wpforms A wordpress plugin associated with POST forms. Platform query software Wordpress Plugin - Yoast SEO A search-engine optimization plugin for wordpress. Platform query risk Vulnerable Citrix Netscaler Application [CVE-2025-6543] This device is vulnerable to CVE-2025-6543 - A memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server, potentially leading to remote code execution. ASM risk query: risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-6543]` risk Vulnerable Citrix Netscaler Application [CVE-2025-5349, CVE-2025-5777] This device is vulnerable to CVE-2025-5349, which involves improper access control on the NetScaler Management Interface, and CVE-2025-5777, which results from insufficient input validation leading to memory overread. Successful exploitation of CVE-2025-5349 may allow unauthorized changes or lateral movement within the network, while CVE-2025-5777 could enable attackers to read sensitive memory contents such as session tokens or credentials by hijacking sessions. ASM risk query: risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-5349, CVE-2025-5777]` risk Vulnerable Sitecore Experience Platform [CVE-2025-34509] Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP. [CVE-2025-34509]. We cannot detect the revision number of the software, so this risk is medium confidence and assumes 10.4.1/10.3.3/10.1.4 are vulnerable. ASM risk query: risks.name: `Vulnerable Sitecore Experience Platform [CVE-2025-34509]`

CVE risk exploit context in ASM, two new software fingerprints, and one risk fingerprint.ASMUse new CVE risk exploit context data to help you understand, triage, and remediate risks in your attack surface. New context data includes risk exploit maturity status, threat actor, botnet, and ransomware enrichment, EPSS scores, and CVSSv4 scores. CVE risk exploit context is available to all ASM Enterprise customers. ASM Advanced customers may purchase access to it. New fingerprintsAdded the following fingerprints.Type Name Description Query risk Vulnerable Erlang OTP Instance [CVE-2025-32433] This service is running a vulnerable version of Erlang OTP that is affected by unauthenticated remote code execution vulnerability CVE-2025-32433. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution by exploiting a flaw in SSH protocol message handling. ASM query: risks.name: `Vulnerable Erlang OTP Instance [CVE-2025-32433]` software Mottech ICC Pro Control System ICC PRO is a control platform for centralized and remote irrigation management. It communicates with system components to monitor and control sites, providing real-time status and performance data for devices such as valves, water meters, sensors, and pumps. The software supports continuous monitoring and execution of irrigation programs. Platform query software RainMachine Web Application RainMachine is a web-based application that allows users to monitor and control their irrigation system from remote devices. Platform query

Four new fingerprints and two Rapid Response bulletins.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Wazuh RCE Vulnerability Exploited to Deploy Mirai Botnets Use the following queries to identify exposed Wazuh servers, but they are not necessarily vulnerable to the exploit. Platform query Legacy Search query ASM query ASM risk query This query can be used to find instances of Wazuh server that are vulnerable to the exploit. Roundcube Webmail Vulnerable to Authenticated RCE [CVE-2025-49113] Use the following queries to find Roundcube Webmail instances. Not all of these are necessarily vulnerable to the exploit described in the bulletin. Platform query Legacy Search query ASM query ASM risk query This query can be used to find instances of Roundcube Webmail that are vulnerable to the exploit. New fingerprintsAdded the following fingerprints.Type Name Description Query software Synology VPN Plus Server This is a Synology VPN Plus Server. Platform query software 3CX Web Client The 3CX Web Client is a browser-based application that provides users with tools for communication and collaboration, including call management, video conferencing, live chat, and integration with messaging platforms such as WhatsApp, Facebook, and SMS/MMS. Platform query risk Vulnerable Wazuh [CVE-2025-24016] An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. ASM query: risks.name: `Vulnerable Wazuh [CVE-2025-24016]` risk Vulnerable Roundcube [CVE-2025-49113] This is a Roundcube server running a version of Roundcube that is vulnerable to CVE-2025-49113. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. ASM query: risks.name: `Vulnerable Roundcube [CVE-2025-49113]`

Platform Query Assistant beta for all users, Platform Threat Hunting module release, general availability for the Platform, two Rapid Response bulletins, several new risk fingerprints, and one new software fingerprint.PlatformQuickly generate valid search Censys Query Language (CenQL) queries using natural language input with the new Query Assistant tool in the Platform web UI. Query Assistant is a beta feature available to all Platform users. Use the Platform Threat Hunting module to detect, analyze, and track threat infrastructure with speed and precision. The module enables you to explore the threat dataset with structured tools, historical context, and workflows. These capabilities help users validate threats in real time and uncover hidden clusters of malicious assets. The Threat Hunting module includes the following: The Platform threat dataset that maps malware, threat actors, and tactics to services or endpoints running on exposed hosts and web properties. Interactive Explore Threats page that provides a centralized view into internet-facing infrastructure linked to malware and threat actors. Use interactive visualizations, curated threat profiles, and simplified filtering to quickly identify relevant threats. CensEye automated pivoting tool to help you identify web assets on the internet that share a specific key-value pair with an asset of interest to quickly pivot into related infrastructure. Live Rescan and Discovery to run fresh scans on specific ports to instantly validate infrastructure behavior, detect configuration changes, and confirm asset persistence without waiting for scheduled Censys scans. Certificate Timeline that provides a visual history of when a certificate presented itself on hosts and web properties. This visualization gives threat hunters historical context that simplifies the detection of patterns, trends, and anomalies that could signal malicious behavior. The Censys Platform is now generally available to all customers.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.ConnectWise ScreenConnect Vulnerability Added to CISA KEV [CVE-2025-3935] Use the following queries to find instances of ConnectWise ScreenConnect. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query%20or%20web_entity.instances.software%3A%20(vendor%3D%22ConnectWise%22%20and%20product%3D%22ScreenConnect%22)\&pageSize=100\&tab=all\&columns=type_id_risks_source_tags_associationDate_cloud_expirationDate_accountId\&ref=sb) ASM risk query vBulletin Allows Unauthenticated Users to Invoke Protected API Controllers’ Methods to Achieve RCE [CVE-2025-48827-48828] Use the following Platform query to find vulnerable vBulletin instances. It requires a Starter or Enterprise plan, as it uses regex. Platform query Use the following queries to find vBulletin instances. Not all of these are necessarily vulnerable, as version-related information is not targeted using these queries. Platform query Legacy Search query ASM query%20or%20web_entity.instances.software%3A%20(vendor%3D%22vBulletin%22%20and%20product%3D%22vBulletin%22)\&pageSize=100\&tab=all\&columns=type_id_risks_source_tags_associationDate_cloud_expirationDate_accountId\&ref=sb) ASM risk query New fingerprintsAdded the following fingerprints.Type Name Description Query software vBulletin vBulletin is a PHP-based bulletin board software that is used to create and manage online forums. Platform query risk Insecure SNMP Service Exposed This service is running SNMPv1 or SNMPv2, which transmit community strings in plaintext and lack proper authentication and encryption. Attackers can easily sniff network traffic to determine community strings, enabling man-in-the-middle attacks, replay attacks, and unauthorized access to network device management functions. ASM query: risks.name: `Insecure SNMP Service Exposed` risk Vulnerable ConnectWise ScreenConnect [CVE-2025-3935] This is a ConnectWise server is running a version vulnerable to CVE-2025-3935, a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. ASM query: risks.name: `Vulnerable ConnectWise ScreenConnect [CVE-2025-3935]` risk Vulnerable vBulletin [CVE-2025-48827] vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later ASM query: risks.name: `Vulnerable vBulletin [CVE-2025-48827]` risk ASUS Backdoor IOC This ASUS device has SSH running on the high, ephemeral port TCP/53282, a port that has been linked with a malicious backdoor installed by the AyySSHush botnet. It's recommended to examine this device for the specific attacker-controlled SSH key associated with this botnet. ASM query: risks.name: `ASUS Backdoor IOC`

The following enhancements and improvements are now available to Censys users.PlatformAdded the ability to filter by owner, filter by category, search by name or ID, and sort by creation date, last updated date, or name on the Collections page in the Platform web UI.   Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Ivanti EPMM Chained Exploits Added to CISA KEV [CVE-2025-4427-4428] Use the following queries to find exposed Ivanti EPMM instances. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query ASM risk query Samsung MagicInfo9 Path Traversal Vulnerability Added to CISA KEV [CVE-2025-4632] Use the following queries to find exposed MagicInfo9 instances. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query New fingerprintsAdded the following fingerprints. Type Name Description Query software Samsung MagicInfo 9 Server This is a Samsung MagicInfo server. Samsung's MagicINFO is a comprehensive digital signage software solution that enables businesses to create, publish, and manage content across various display networks. Platform queryLegacy Search query risk Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428] Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428] ASM query  

The following enhancements and improvements are now available to Censys users.PlatformAdded dark mode to the Platform web UI. To switch between light and dark mode, click your profile icon and use the Light Mode / Dark Mode toggle.   Use the new Certificate Transparency (CT) logs page in the Platform web UI to see the logs Censys monitors as well as additional certificate metadata.   This page always reflects the current state of Censys CT log monitoring. Navigate to the page via the Help menu in the top-right corner of the Platform web console. ASMAdded the ability to filter the Ports & Protocols dashboard to a specific port range.   Added a filter option for unknown protocols to the Ports & Protocols dashboard.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Synacor Zimbra Collaboration Suite XSS Vulnerability Added to CISA KEV [CVE-2024-27443] Use the following queries to find Zimbra Collaboration Suite instances. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query Srimax Output Messenger Directory Traversal Vulnerability Added to CISA KEV [CVE-2025-27920] Use the following queries to find instances of Srimax Output Messenger. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query New fingerprintsAdded the following fingerprints. Type Name Description Query risk Srimax Output Messenger RCE Vulnerability [CVE-2025-27920] This is an Srimax Output Messenger instance vulnerable to a directory traversal attack. ASM query software Srimax Output Messenger Srimax Output Messenger is a software product that allows users to send and receive messages from a remote server. Platform queryLegacy Search query software Lantronix XPort This is a Lantronix XPort server. Platform queryLegacy Search query  

The following enhancements and improvements are now available to Censys users.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Stack-Based Buffer Overflow Vulnerability Affecting Multiple Fortinet Products [CVE-2025-32756] Use the following queries to find Fortinet products. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query New fingerprintsAdded the following fingerprints.  Type Name Description Query software Fortinet FortiVoice Application This is a Fortinet FortiVoice Application. Platform queryLegacy Search query software Fortinet FortiNDR This is a Fortinet FortiNDR Server. Platform queryLegacy Search query software Fortinet FortiCamera This is a Fortinet FortiCamera device. Platform queryLegacy Search query software Commvault CommCell by Certificate Commvault CommCell is a centralized management framework that coordinates and controls all data protection operations across a Commvault environment.  Platform queryLegacy Search query software Fortinet FortiVoice This is a Fortinet FortiVoice Server. Platform queryLegacy Search query software Fortinet FortiMail This is a Fortinet FortiMail server. Platform queryLegacy Search query software Commvault CommCell Console The CommCell Console is the central management user interface for managing the CommCell environment. Platform queryLegacy Search query software Fortinet FortiRecorder This is a Fortinet FortiRecorder Server. Platform queryLegacy Search query software Cisco Wireless Controller This is a Cisco Wireless Controller. Platform queryLegacy Search query software Cisco IOS XE This is a device running Cisco IOS XE software. Platform queryLegacy Search query software Cisco Catalyst 9800 Series Wireless Controller This is a Cisco Catalyst 9800 Series Wireless Controller. Platform queryLegacy Search query  

The following enhancements and improvements are now available to Censys users.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Critical RCE Vulnerability Identified in Craft CMS (CVE-2025-32432) Use the following queries to find instances of Craft CMS. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query Unauthenticated Code Injection Vulnerability in Langflow (CVE-2025-3248) Use the following queries to find exposed Langflow servers. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query New fingerprintsAdded the following fingerprints. Type Name Description Query risk Vulnerable SonicWall Gen7 Firewall [CVE-2024-53704] SonicWall Gen7 Firewalls are vulnerable to an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication. This vulnerability affects SonicWall gen7 firewalls (models TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700,NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700) versions 7.1.x (7.1.1-7058 and older versions of 7.1.x only), and version 7.1.2-7019. Additionally, SonicWall Gen7 NSv (models 270, 470, and 870) versions 7.1.x (7.1.1-7058 and older versions of 7.1.x only), and version 7.1.2-7019 are affected, and the SonicWall TZ80 model (version 8.0.0-8035) is also affected. ASM query software OpenCTI This is an OpenCTI Cyber Threat Intelligence Platform. Platform query   Legacy Search query software SonicWall SonicOSX This is a SonicWall SonicOSX operating system. Platform query   Legacy Search query software SonicWall SonicOS This is a SonicWall SonicOS operating system. Platform query   Legacy Search query software Langflow Langflow is a low-code tool for building and deploying AI-powered agents and workflows. Platform query   Legacy Search query  

This release includes two new rapid response bulletins and two new software fingerprints.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.SAP NetWeaver Actively Exploited Unauthenticated File Upload Vuln (CVE-2025-31324) Critical Pre-Authentication RCE Vulnerability in Commvault Software (CVE-2025-34028) Use the following queries to find internet-facing instances of Commvault software. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query New fingerprintsAdded the following fingerprints. Type Name Description Query software eSSL eTimeTrackLite This is an eSSL eTimeTrackLite employee time tracking and attendance management system. Platform query   Legacy Search query software Commvault Command Center This is a Commvault Command Center server. Platform query   Legacy Search query

The following enhancements and improvements are now available to Censys users.PlatformFind the information you need in the Censys Platform faster using the new web app landing page. The new landing page includes a rotating selection of example queries, data aggregations, new onboarding steps, and more.   Use the new Filter my results to display services or endpoints that match my query option on the Report Builder to limit the report results to only the services or endpoints that match your query. This option helps you build more focused reports.    The maximum number of report buckets has also been increased to 2,000.   Integrate Censys Platform functionality with your automated workflows with the new Python and Go SDKs. The Python SDK is also available on PyPI. ASMThe new Ports & Protocols Dashboard enables you to understand exactly which ports are open in your attack surface across the full 65,535-port range. This allows you to quickly determine whether there are any open ports that are misconfigured or non-compliant with your organization’s policy.   The dashboard also shows which protocols are present on your ports. ASM identifies whether these protocols are on standard ports, as defined by IANA. New fingerprintsAdded the following fingerprints. Type Name Description Query software DPanel This is a DPanel Docker Server. Platform queryLegacy Search query risk WINRM Service Exposed Windows Remote Management (WinRM) is a Microsoft protocol used for remotely managing Windows systems via PowerShell and other tools. While powerful for automation and administration, exposing WinRM to the internet is dangerous because it can allow attackers to execute remote commands, especially if using weak or default credentials. It supports basic and NTLM authentication, which can be intercepted or brute-forced, particularly over unencrypted HTTP (port 5985). Without proper safeguards like VPN access,strong auth, and firewalls, an exposed WinRM service is a high-risk entry point for attackers. ASM query  

The following enhancements and improvements are now available to Censys users.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Unauthenticated RCE in Erlang/OTP (CVE-2025-32433) Use the following queries to identify exposed Erlang SSH servers. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query New fingerprintsAdded the following fingerprints. Type Name Description Query software Microsoft Power Apps A modern low/no-code solution developed by Microsoft. Platform query   Legacy Search query software Erlang SSH This is an Erlang SSH Server. Platform query   Legacy Search query software AQUILA Radiology Imaging Software by IMEXHS AQUILA is a radiology imaging software platform that provides digital imaging and diagnostic support for medical facilities. It is commonly used in radiology departments for managing and viewing medical images. Platform query   Legacy Search query software Progress Kemp Loadmaster This host appears to be running, or be running behind a Progress Kemp  Loadmaster load balancer. Platform query   Legacy Search query  

The following enhancements and improvements are now available to Censys users.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Vulnerability in FortiSwitch Allows Unauthenticated Attackers to Change Admin Passwords (CVE-2024-48887) Use the following queries to find Fortinet FortiSwitch instances. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query Actively Exploited Deserialization Vulnerability in Gladinet CentreStack Secure File Sharing Software (CVE-2025-30406) The queries below can be used to identify exposed instances of Gladinet CentreStack, but they are not necessarily vulnerable to the exploit. Platform query Legacy Search query ASM query ASM risk query This query can be used to identify exposed instances of Gladinet CentreStack that are vulnerable to the exploit. New fingerprintsAdded the following fingerprints. Type Name Description Query software Gladinet Centrestack This is a Gladinet Centrestack Server. Platform queryLegacy Search query software Fortinet FortiSwitch This is a Fortinet FortiSwitch device. Platform queryLegacy Search query software Dell PowerProtect Dell PowerProtect Data Domain and Data Manager Platform queryLegacy Search query software CE-WAF Proactive Web Application Firewall CE-WAF is a custom or internal Web Application Firewall solution Platform queryLegacy Search query software Aikido Zen WAF ZenWAF is a Web Application Firewall solution produced by Aikido Platform queryLegacy Search query risk Vulnerable Gladinet CentreStack [CVE-2025-30406] Gladinet CentreStack through version 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use. ASM risk query  

The following enhancements and improvements are now available to Censys users.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Unauthenticated Auth Bypass Vulnerability in CrushFTP [CVE-2025-31161] Use the following queries to find CrushFTP services. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query ASM risk query This query can be used to identify exposed instances of CrushFTP that are vulnerable to the exploit. Unauthenticated RCE Vulnerability in Ivanti Connect & Policy Secure and ZTA Gateway [CVE-2025-22457] Use the following queries to find Ivanti Connect Secure services. Not all of these are necessarily vulnerable, as specific version information may not be available. Platform query Legacy Search query ASM query ASM risk query This query can be used to identify exposed instances of Ivanti Connect Secure that are vulnerable to the exploit. New FingerprintsAdded the following fingerprints. Type Name Description Query risk Vulnerable CrushFTP [CVE-2025-2825, CVE-2025-31161] CrushFTP contains an unauthenticated authentication bypass vulnerability. This affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. There are two CVE-IDs because the original CVE-2025-2825 was assigned by VulnCheck, but the vendor has identified the CVE-ID as CVE-2025-31161. ASM query risk Vulnerable Ivanti Connect Secure Application [CVE-2025-22457] This Ivanti Connect Secure (before 22.7R2.6) application is vulnerable to CVE-2025-22457. This vulnerability allows an unauthenticated attacker to achieve remote code execution. ASM query software Medsynapse PACS Medsynapse PACS is a web-based picture archiving and communication system (PACS) for transfer of medical images within and outside hospitals. Platform queryLegacy Search query  

The following enhancements and improvements are now available to Censys users.Censys PlatformUse Collections to track and monitor the results of a Censys query over time.  Save time and resources by creating a collection and configuring alerts to track new assets that match your queries.  Collections track both additions and subtractions to assets that match your queries. Configure collection webhooks to receive real-time alerts for any changes within your collections. Collections are currently available to Platform Starter users. Learn more about Collections in the Censys Academy. Censys ASMUse risk evidence to understand how Censys ASM detected a risk and determine whether a risk requires further validation before it is prioritized for remediation.  Risk evidence links directly to the scan data that includes the evidence for risk. This enables you to accelerate your investigations and use Censys data to find and close risks faster. Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Authentication Bypass Vulnerability in Next.js [CVE-2025-29927] Use the following queries to map Next.js services. Not all of these are necessarily vulnerable, as specific version information may not be available. Censys Platform query Censys Platform query for Next.js services that expose a version Censys Legacy Search query Censys ASM query Censys ASM risk query New protocolsAdded support for the following protocols. Protocol Query CHECK_MK_AGENT Censys Platform query NATS_IO Censys Platform query  New fingerprintsAdded the following fingerprints. Type Name Description Query risk Exposed Kubernetes Ingress NGINX Admission Controller The affected service exposes a Kubernetes Ingress NGINX Admission Controller. This controller is vulnerable to multiple critical unauthenticated Remote Code Execution vulnerabilities collectively known as "IngressNightmare" (CVE-2025-1974, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-24513). Exploitation can lead to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, which could result in complete cluster takeover. Censys ASM query risk Vulnerable Next.js [CVE-2025-29927] Next.js contains a vulnerability that could allow an attacker to execute arbitrary code through a specially crafted request. This affects versions 11.1.4 through 12.3.5, 13.0.0 through 13.5.9, 14.0.0 through 14.2.25, and 15.0.0 through 15.2.3. Censys ASM query  

The following enhancements and improvements are now available to Censys users.New fingerprintsAdded the following fingerprints. Type Name Description Query software NAKIVO Backup & Replication This is a NAKIVO Backup & Replication server. Platform queryLegacy Search query software ZoneMinder This is a ZoneMinder CCTV monitoring system. Platform query   Legacy Search query risk Vulnerable NAKIVO Backup & Replication [CVE-2024-48248] NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials). ASM query risk WordPress ClickFix The affected WordPress site has indicators of compromise for ClickFix, a fake plugin that is known to embed malicious scripts disguised as legitimate WordPress plugins.  ASM query  

The following enhancements and improvements are now available to Censys users.Censys PlatformUse the Query Converter to turn your Legacy Search queries into queries that are compatible with the new Censys Platform.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Unauthenticated RCE Vulnerability in Sitecore Experience Platform & Manager [CVE-2025-27218] Use the following queries to map Sitecore services. Not all of these are necessarily vulnerable, as specific version information may not be available. Censys Platform query Censys Legacy Search query Censys ASM query Censys ASM risk query New FingerprintsAdded the following fingerprints. Type Name Description Query software Sitecore This is a Sitecore instance. Platform query Legacy Search query software Sitecore Experience Platform This is a Sitecore Experience Platform instance. Platform query Legacy Search query risk Vulnerable Sitecore Experience Platform [CVE-2025-27218] Sitecore Experience Platform version 10.4 before KB1003535 is vulnerable to unauthenticated remote code execution [CVE-2025-27218] ASM query  

The following enhancements and improvements are now available to Censys users.Censys ASMUse our new ServiceNow CMDB integration to automatically send your Censys ASM asset inventory to ServiceNow. All Censys ASM asset inventory types (hosts, web entities, storage buckets, certificates, and domains) are supported. Censys ASM asset attributes like tags, labels, and location are also exported to ServiceNow. Filter what gets sent to CMDB based on ASM tags or source information. Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.BIG-IP iControl REST and tmsh Vulnerability [CVE-2025-20029] Use the following queries to find instances of the F5 BIG-IP Configuration Utility. Not all of these are necessarily vulnerable, as specific version information may not be available. Censys Platform query Censys Legacy Search query Censys ASM query Tenda AC7 Stacked-Based Buffer Overflow Vulnerability with PoC [CVE-2025-1851] Use the following queries to find Tenda Routers. Not all of these are necessarily vulnerable, as specific version information may not be available. Censys Platform query Censys Legacy Search query Censys ASM query New and updated fingerprintsThe following fingerprints have been added or improved. Type Name Description Query software Konica Minolta Bizhub Konica Minolta Bizhub printer management web interface. Platform queryLegacy Search query software Konica Minolta PageScope Web Connection Konica Minolta PageScope Web Connection is a web-based interface used for managing and configuring Konica Minolta multifunction printers (MFPs) and networked devices. Platform queryLegacy Search query software F5 BIG-IP Access Policy Manager (APM) This BIG-IP platform is running the Access Policy Manager (APM) module. The article in the references section lists these cookies and mentions that they are used to track user sessions of BIG-IP APM access profiles. Platform queryLegacy Search query risk Exposed WatchGuard Firewall An http.response.service is exposing a WatchGuard firewall. ASM query  

The following enhancements and improvements are now available to Censys users.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.Multiple Critical Vulnerabilities in Mattermost Collaboration Software Use the following queries to identify Mattermost services. Not all of these are necessarily vulnerable, as specific version information may not be available. Censys Search query Censys ASM query Censys ASM risk query Craft CMS RCE Vulnerability Added to CISA KEV [CVE-2025-23209] Use the following queries to identify Craft CMS services. Not all of these are necessarily vulnerable, as specific version information may not be available. Censys Search query Censys ASM query   New FingerprintsAdded the following fingerprints. Type Name Description Query risk Vulnerable Mattermost [CVE-2025-20051, CVE-2025-25279, & CVE-2025-24490] Mattermost is an open-source collaboration platform with features like channels, DMS, boards, playbooks, and DevOps integrations. These vulnerabilities specifically target the boards feature of Mattermost and are caused by improper input validation and lack of prepared SQL statements when duplicating, reordering, or importing boards. ASM risk query  

The following enhancements and improvements are now available to Censys users.Rapid ResponseThe Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.SonicOS SSLVPN Vulnerability Added to CISA KEV [CVE-2024-53704] Use the following queries to find SonicWall firewalls. Not all of these are necessarily vulnerable, as specific version information may not be available. Censys Platform query Censys Search query Censys ASM query New FingerprintsAdded the following fingerprints. Type Name Description Query software SonicWall NSA-Series Firewall This is a SonicWall Network Security Appliance (NSA) series firewall, a family of next-generation firewalls designed for mid-sized to large enterprises, distributed networks, and data centers. Search queryPlatform query software SonicWall NSv-Series Firewall This is a SonicWall NSv Series virtual firewall. Search queryPlatform query software SonicWall TZ-Series Firewall This is a SonicWall TZ-series firewall, a family of next generation firewalls. Search queryPlatform query