Open directory data enhancements and the Suspicious Directory threat, a graphical investigation explorer, CensEye enhancements, and more improvements in the Platform; a Chrome browser extension; and registrant email domain pivoting in ASM.
Platform
Threat Hunting
- Build node-based pivot trees to discover, visualize, and understand connections between web assets in the Censys datasets using the Investigation Manager in the Platform web UI.
- Use the Suspicious Directory threat to find and track web assets with open directories that contain security tools, penetration testing utilities, webshells, or other potentially malicious files. Use this threat information to find hosts and web services with suspicious files before they are leveraged in attacks.
- Leverage the open directory visual explorer and open directory parsed fields to quickly understand directory information at a glance, including file names, sizes, last modified dates, and directory structure.
- Made several changes to the default CensEye pivot fields for hosts, web properties, and certificates, including:
  - Added TLS fingerprinting fields (JA4S, JA3S, JA4X, JARM) for better network analysis
  - Added SSH, Cobalt Strike, and protocol-specific pivots for threat detection
  - Added HTTP metadata fields (headers, favicons, body hashes) for web analysis
  - Switched favicon hashes from MD5 to SHA256 for improved security
  - Added support for specialized protocols including SCADA, Kubernetes, and SNMP
Chrome browser extension
- Perform IP lookups and full-text searches from within a browser window using the Censys Chrome browser extension.
API
- Added the `count_by_level` parameter to the aggregate endpoint to allow you to specify which document level's count is returned per term bucket, primarily for nested fields. This is the same functionality available in the Count By dropdown in the Report Builder UI.
ASM
- Added registrant email domain pivoting to the ASM attribution process during seed discovery.
  - If ASM finds the email address `registrant@censys.com` associated with a domain that belongs to you, it will pivot to find other assets registered to any `censys.com` email address. If you accept an email domain as a seed, you will see many new registrant emails appear in the seed discovery list.
  - If you have continuous seed discovery enabled, this update may result in more frequent seed discovery emails for newly found email addresses.
Rapid Response
The Censys Rapid Response team published information about and queries for the following issue.
- Critical CrushFTP Vulnerability Added to CISA KEV [CVE-2025-54309]
  - Use the following queries to find CrushFTP servers. Not all of these are necessarily vulnerable.
New fingerprints
Added the following fingerprints.
Type | Name | Description | Query |
---|---|---|---|
risk | Vulnerable CrushFTP [CVE-2025-54309] | CrushFTP 11 before 11.3.4_23 (update \< 756), when the DMZ proxy feature is not used, is vulnerable to CVE-2025-54309 due to mishandled AS2 validation, allowing remote attackers to obtain admin access via HTTPS. | ASM risk query: risks.name: `Vulnerable CrushFTP [CVE-2025-54309]` |
software | Cisco ISE | Cisco Identity Services Engine (ISE) is a network access control and policy enforcement system that provides secure access via identity-based policies. | Platform query |