Summary

• Use reputation scores in the Censys Platform to quickly determine the potential risk associated with hosts, validated by transparent evidence in the Censys dataset.
• One new Censys ARC Rapid Response advisory for improper access control vulnerability in Fortinet FortiClient EMS [CVE-2026-35616].
• Added new fingerprints for handlebars.js and several SIP and VoIP services.
• Added two new ASM risk fingerprints for vulnerable Handlebars.js [CVE-2026-33937] and vulnerable FortiClient EMS [CVE-2026-35616].

Platform

• Use reputation scores in the Censys Platform to quickly determine the potential risk associated with hosts, validated by transparent evidence in the Censys dataset. This score enables you to prioritize alerts with IP indicators faster and perform triage and analysis more effectively with a transparent and consistent scoring methodology.
  • Reputation scores and their attendant data are only available to Censys Enterprise users. Additional score context data is available to Censys Enterprise users with access to the Adversary Investigation module. See the documentation for more information.

Censys ARC Rapid Response

The Censys ARC team published information about and queries for the following issue.

• April 7 Advisory: Improper Access Control Vulnerability in Fortinet FortiClient EMS [CVE-2026-35616]
  • The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.
    • Platform query
    • ASM query
    • Legacy Search query

New fingerprints and risks

Added the following fingerprints and risks.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

New fingerprints

New ASM risks

risks.name: "Vulnerable Handlebars.js [CVE-2026-33937]"

risks.name: "Vulnerable FortiClient EMS [CVE-2026-35616]"

Summary

• Added 19 new fingerprints for SSL VPNs, operating systems, and several other products and services.

New fingerprints

Added the following fingerprints.

Summary

• Use new Platform Threat Hunting CensEye APIs to create pivot analysis jobs to find web infrastructure related to threats and other assets.
• Run queries for new security advisories published the Censys ARC team directly from the Platform home page.
• You can now view interactive demos of data add-on modules in the Platform web console.
• One new Rapid Response advisory for Citrix NetScaler ADC and Gateway out-of-bounds read vulnerability [CVE-2026-3055].

Platform

• Run queries for trending security advisories published the Censys ARC team directly from the Platform home page.

  
  • ARC, Censys' cybersecurity research team, frequently releases new advisories and queries for trending security issues. These are shown in a carousel under the search bar. Use these queries to track important issues and learn how to build your own targeted searches. Most of these queries utilize data that is available to Free users, but sometimes they will use regex or other entitled fields.

• You can now view interactive demos of data add-on modules in the Platform web console. Use the left navigation bar to view demos for the Adversary Investigation and Critical Infrastructure modules.

  

Adversary Investigation

• Use new CensEye APIs to create pivot analysis jobs to find web infrastructure related to threats and other assets.
  • The new pivot analysis job endpoint extracts default pivot fields from the target asset and counts matching documents for each field-value pair. This is similar to using CensEye in the Platform web UI.
  • The other two new endpoints can be used to check job status and retrieve job results.

Rapid Response

The Censys ARC team published information about and queries for the following issue.

• March 26 Advisory: Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability [CVE-2026-3055]
  • The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.
    • Platform query
    • ASM query
    • Legacy Search query

Summary

• Use the new Censys for Splunk SOAR and Censys for Splunk Platform integrations to enhance your SOC workflows with Censys data enrichment and playbook actions.
• Two new Censys ARC Rapid Response advisories for pre-authentication RCE vulnerability in GNU Inetutils Telnetd [CVE-2026-32746] and Ubiquiti UniFi network application remote path traversal vulnerability [CVE-2026-22557].
• The name of the "Explore Threats" page in the Platform UI has been changed to "Tracked Threats."
• Added one new fingerprint for NetBox and two new ASM risks.

Platform

• Use the new Censys for Splunk SOAR and Censys for Splunk Platform integrations to enhance your SOC workflows with Censys data enrichment and playbook actions.
  • These integrations include several ad hoc enrichment actions for hosts, web properties, and certificates that can be used on an ad hoc basis or used for automated enrichment.
  • Watch this video to learn more about how to use the Splunk SOAR application.
• The name of the "Explore Threats" page in the Platform UI has been changed to "Tracked Threats."

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• March 18 Advisory: Pre-Authentication RCE Vulnerability in GNU Inetutils Telnetd [CVE-2026-32746]
  • The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.
    • Platform query
    • ASM query
    • Legacy Search query
• March 19 Advisory: Ubiquiti UniFi Network Application Remote Path Traversal Vulnerability [CVE-2026-22557]
  • The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.
    • Platform query
    • ASM query
    • Legacy Search query

New fingerprints

Added the following fingerprints.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

risks.name: "Exposed FortiAnalyzer Application"

risks.name: "Exposed NetBox Application"

Summary

• Added new fingerprints for several remote monitoring and management (RMM) tools and Datto SIRIS.
• Added new protocol and application scanners for Anerma CF Forth, ICAP, and STUN.

New fingerprints

Added the following fingerprints.

New protocols and application scanners

Added support for the following protocols and applications.

Summary

• Platform users with access to the Critical Infrastructure module can use the new Critical Infrastructure dashboard to quickly pivot through a filterable view of ICS/OT assets and data identified by Censys scans.
• Add Censys Platform data enrichment to your security workflows using new integrations with OpenCTI and CyWare.
• Gain a better picture into host history using the new get service history for a host Platform API endpoint .
• Use new extracted_text data in the Platform to find assets with screenshots that include keywords like vendor or product names, login interfaces, and more.
• Added several new Platform fingerprints and ASM risk fingerprints, including Cisco Catalyst SD-WAN Manager, Gogs, Gitea, Raspberry Shake, numerous Nagios services, and more.

Platform

• Users with access to the Critical Infrastructure module can use the new Critical Infrastructure dashboard to quickly pivot through a filterable view of ICS/OT assets and data identified by Censys scans.

  
  • Use the dashboard to find assets of interest based on location, vendor, product name, protocol, text extracted from screenshots, and more. Learn more in the documentation.

• Use new integrations to add Censys data enrichment to hosts, domains, certificates, and more to OpenCTI and CyWare.

  • These integrations were developed and are maintained by OpenCTI and CyWare, respectively.

• Leverage the new get service history for a host API endpoint to retrieve time ranges during which services were detected on the host.

  • This is similar to the host services timeline in the Platform web UI.

• Use new extracted_text data on services and endpoints to find assets with screenshots that include keywords like vendor or product names, login interfaces, and more. This data can be found in the following new fields:

  • host.services.screenshots.extracted_text
  • host.services.endpoints.screenshots.extracted_text
  • web.endpoints.screenshots.extracted_text
  • extracted_text data is only available to users on the Core or Enterprise plans.

New fingerprints

Added the following fingerprints.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

risks.name: `Exposed Fast Reverse Proxy (FRP) Server`

risks.name: `Exposed Gogs Application`

risks.name: `Exposed Gitea Application`

risks.name: `Exposed Nagios Fusion Application`

risks.name: `Exposed Nagios Log Server Application`

risks.name: `Exposed Nagios Network Analyzer Application`

risks.name: `Exposed Nagios Core Application`

risks.name: `Exposed Nagios Cross Platform Agent Application`

risks.name: `Exposed Nagios XI Application`

Summary

• The Censys Platform web UI has been updated to make the search bar the focus on the home page and improve navigation. See below for more details.
• Use the new Search History page in the Platform web UI to review your search activity over the past seven days.
• Added a protocol scanner for Gemini, an application-layer internet communication protocol for accessing remote documents.
• New fingerprints for TiVo DVRs, Gitea instances, Gogs instances, and a new ASM risk for exposed Ollama applications.
• One new Rapid Response advisory for Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass [CVE-2026-20127].

Platform UI updates

The Censys Platform web UI has been updated to make the search bar the focus on the home page and improve navigation.

Left-side navigation panel

• The organization you are currently logged into is displayed in the top of the left-side nav bar. Switch to your Free account or another organization and access your organizational and personal settings from the organization drop-down.
  • Open the account selector menu, select your account or organization, and click the credits section to go to the Credit Management page.
• Access to search and the dashboards for the Threat Hunting and Critical Infrastructure modules is now located in the Intelligence section of the left-side nav bar.
• The My Work section contains your collections, a link to the Investigation Manager, and your search history.
• The Resources section includes links to the Release Notes feed, the Censys Community. Additional resources like the Censys Academy and Data Definitions are nested under Learn in this section.

Alerts and Notifications

• Access webhook configuration by clicking the bell icon for Alerts and Notifications in the top-right corner.

Personal Access Tokens, account management, and more

• Create and manage Personal Access Tokens (PATs), manage your account, and switch between light and dark mode using the profile menu in the top right corner.

Platform Search History page

• The new Search History page in the Platform web console records all of the searches you ran in the Platform UI over the previous 7 days.

New protocols and application scanners

Added support for the following protocol.

New fingerprints

Added the following fingerprints.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

risks.name: "Exposed Ollama Application"

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• February 27 Advisory: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass [CVE-2026-20127]
  • The following queries can be used to identify exposed SD-WAN Manager instances.
    • Platform query
    • ASM query
    • Legacy Search query

As part of the plan to decommission Legacy Search (search.censys.io) in 2026, Censys will update its host data backend on March 31, 2026. In Legacy Search, this will result in changes to virtual host behavior, data freshness, select API fields, and other minor adjustments. These changes are described in detail below.

These changes do not remove host coverage from Legacy Search. Additionally, this change does not affect Platform (platform.censys.io) data or functionality.

Overall host coverage, scan cadence, historical data retention, existing functionality, query syntax, UI workflows, and entitlements in Legacy Search are not impacted.

Virtual hosts

The table below summarizes key changes to virtual host data after the change.

Data freshness

• Expiration is changing to 14 days (previously 45 days).
• Index updates will occur only when a scan for that IP is received.
• The "See Latest" UI indication may appear more often.
• In general, there will be less long-lived stale data.

API and service lifecycle changes

• Timeline API: Forward pagination will be removed. API users must set reversed=true.
• Service lifecycle: Services pending removal will be immediately removed from assets when a scan indicates they are no longer visible, instead of being marked as pending.

Removed fields

The following fields will be removed from Legacy Search:

• services.parsed.rocketmq.version (RocketMQ)
• services.ipp.response (IPP)
• services.ipp.cups_response (IPP)
• services.elasticsearch.http_info (Elasticsearch)
• services.tls.server_key_exchange (TLS)
• services.prometheus.http_info (Prometheus)
• services.transport_fingerprint.* (Transport)

DNS records

• dns.records.record_type will no longer return CNAME.
• Record types will be limited to A and AAAA only.

Certificate API update frequency

The update frequency for the following APIs will change from realtime to every six hours:

• /v2/hosts/{ip}/certificates
• /v2/certificates/{fingerprint}/observations

We encourage you to review your workflows and integrations to prepare for these upcoming changes. If you have any questions or concerns about this transition, please reach out to our team at [email protected].

Summary

• Added eight new scanners for Cisco NSI, Flash Socket Policy, Melsec, Memberlist, RouterOS API, Rustdesk Heartbeat, Rustdesk Relay, and Rustdesk Rendezvous.
• Added one new ASM risk fingerprint for exposed NextGen Healthcare Mirth Connect interfaces.

New protocols and application scanners

Added support for the following protocols and applications.

New fingerprints

Added the following fingerprint.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

risks.name: "Exposed NextGen Healthcare Mirth Connect"

Summary

• Updated how web properties with multiple endpoints are displayed in the Platform web UI. They are now collected on a single hostname and port card instead of split across multiple cards.
• Redirect chains, including start and end points, are now shown on host service and web endpoint cards in the Platform web UI.
• Three new fingerprints for macOS, FortiClient EMS, and QuestDB.
• One new Rapid Response advisory and queries for BeyondTrust Remote Support and Privileged Remote Access Flaw Allows Pre-Authentication RCE [CVE-2026-1731].

Platform

• To improve usability, when web properties have multiple endpoints they are now collected on a single hostname and port card instead of split across multiple cards.

  

• Redirect chains are now shown on host service and web endpoint cards.

  

New fingerprints

Added the following fingerprints.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• February 10 Advisory: BeyondTrust Remote Support and Privileged Remote Access Flaw Allows Pre-Authentication RCE [CVE-2026-1731]
  • The following queries can be used to identify exposed BeyondTrust Remote Support and Privileged Remote Access instances. Not all of these services are necessarily vulnerable.
    • Platform query
    • ASM query
    • Legacy Search query