4 days ago

October 27, 2025

Summary

Four risks for exposed Watchguard Firewalls, WDBRPC services, atvremote devices, and KVM devices are now enabled for ASM customers.
One new ASM risk fingerprint for BIND 9 resolvers vulnerable to CVE-2025-40778 and one Rapid Response bulletin for this vulnerability.

ASM

The following risks have now been enabled by default for all ASM customers.

Exposed Watchguard Firewall
WDBRPC Service Exposed
Exposed atvremote Device
Exposed KVM

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

BIND 9 Resolver Enables Cache Poisoning Via Unsolicited Answers [CVE-2025-40778]
- The queries below can identify vulnerable BIND 9 resolvers.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
risk	Vulnerable ISC Bind9 [CVE-2025-40778]	This service is running a vulnerable version of ISC Bind9. An attacker may exploit a flaw in DNS response processing that allows cache poisoning via unsolicited answer records, enabling redirection of downstream clients.	ASM query

An RSS feed for Censys release notes is available here.

11 days ago

October 20, 2025

Summary

Rapid Response advisory and queries for exposed F5 BIG-IP products affected by recent nation-state breach.
Threat data now visible for Platform Enterprise customers.
One new fingerprint for Interactsh servers.

Platform

Some threat data for hosts and web properties is now viewable by all users on Enterprise accounts.

An example search result for a host showing that an AsyncRAT threat is present.

The following fields can be seen in the Platform web console and retrieved via API, but may not be searched for or pivoted across unless you also have access to the Threat Hunting module.

Data field	Description
`*.threats.id`	A unique identifier for the threat.
`*.threats.name`	Name of the threat, such as `Cobalt Strike`.
`*.threats.tactic`	How the threat behaves and the purpose of the activity, such as `COMMAND_AND_CONTROL` and `PERSISTENCE`.
`*.threats.type`	The role of the service, such as `PHISHING_SERVER` and `WEBSHELL`.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Nation-State Breach of F5 Networks — Exposure of BIG-IP Source Code & Undisclosed Vulnerabilities
- The queries below can identify F5 BIG-IP instances, but they cannot determine whether systems are vulnerable.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
software	Interactsh Server	This is an Interactsh server. Interactsh is an OOB interaction gathering server and client library.	Platform query

18 days ago

October 13, 2025

Summary

New cencli command line tool to bring Platform features and data to your terminal.
Censys Assistant in the Platform web console for rapid investigations using natural language input.
Support for integrating the Censys ASM MCP Server with Microsoft Copilot Studio.
New fingerprints for Ivanti Endpoint Manager, Oracle Cloud Infrastructure Load Balancer, and Oracle Traffic Director.
One new ASM risk fingerprint for Redis servers vulnerable to CVE-2025-49844.

Platform

The cencli command line tool enables you to run search queries, look up assets, perform aggregations, and more from your terminal window.
- cencli can be used by all registered Platform users.
Use the Censys Assistant AI tool in the Platform web console to input questions in a natural language and obtain answers based on the assets and data present in the Censys Internet Map.
- The Censys Assistant is available to all Starter and Enterprise users.

ASM

Integrate the Censys ASM MCP Server with Microsoft Copilot Studio to seamlessly incorporate Censys ASM functionality with your AI tools.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

Pre-Auth RCE Chain in Oracle E-Business Suite Software [CVE-2025-61882]
- The queries below can help identify Oracle E-Business Suite instances, but they cannot determine whether systems are vulnerable.
13 Unpatched Zero-Days in Ivanti Endpoint Manager Enabling RCE
- The following queries can help identify exposed Ivanti Endpoint Manager / LANDesk instances, but they are not necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable Redis Server [CVE-2025-49844] - RediShell	This Redis service may be vulnerable to CVE-2025-49844 (RediShell), a critical Use-After-Free vulnerability that allows an authenticated attacker to execute arbitrary code by sending a specially crafted Lua script. The vulnerability affects all Redis versions with Lua scripting support (versions 8.2.1 and below) and has existed in the codebase for approximately 13 years.	ASM query: risks.name: `Vulnerable Redis Server [CVE-2025-49844] - RediShell`
software	Ivanti Endpoint Manager	This is Ivanti Endpoint Manager (formerly LANDESK Management Suite), an enterprise endpoint management solution for unified IT operations.	Platform query
software	Oracle Cloud Infrastructure Load Balancer	This is an Oracle Cloud Infrastructure (OCI) Load Balancer. An OCI Load Balancer provides automated traffic distribution from one entry point to multiple servers in a set.	Platform query
software	Oracle Traffic Director	This is an Oracle Traffic Director. Oracle Traffic Director is a layer-7 software load balancer.	Platform query

25 days ago

October 6, 2025

Summary

New Insights experience in ASM to help you understand key data points about your attack surface.
Unauthenticated access to Platform for easy browsing.
New software fingerprints for RustDesk Console, Progress Chef Automate, and ligolo-ng.
A new risk for exposed KVM devices for ASM.

ASM

Use Insights in ASM to stay on top of key security initiatives like software compliance and vulnerability management.
- Insights organizes and presents key data points about your attack surface, like the state of your inventory's software and services, in an understandable and easily actionable format.
- The Insights search bar provides several pre-formatted prompts to help you investigate your inventory and learn how to build useful ASM queries.
- Insights is available to all ASM users.

Platform

Added the ability to use the Platform without logging in to an account. Use this functionality to look up assets, perform searches, and view shared Platform links.
- Unauthenticated users can perform a maximum of five actions before they must log in.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Exposed KVM	These devices provide keyboard, video, and mouse (KVM) over IP and are used for remote server access.	ASM risk query: risks.name: `Exposed KVM`
software	RustDesk Console	RustDesk Console is a self-hosted management interface for RustDesk remote desktop sessions.	Platform query
software	ligolo-ng	ligolo-ng is a reverse tunneling and proxy tool for pentesters.	Platform query
software	Progress Chef Automate	Progress Chef Automate is a centralized compliance and infrastructure automation platform for Chef configurations across environments.	Platform query

about 1 month ago

September 29, 2025

Summary

New twist function for Platform search queries.
Added matched services for search results in the Platform UI and API.
New fingerprints for popular KVM products and Ollama.
One Rapid Response bulletin for an RCE in Cisco IOS and IOS XE software.

Platform

Use the new twist function in your Platform queries to find field values that are similar to a specified value.
- You can use the twist function to find typosquatted domains or domains attempting to impersonate a valid domain by omitting known domains from your query. For example, the following query will find web properties that use names similar to censys.io but will omit results that include censys.io.
```
* * twist(web.hostname, 'censys.io') and not web.hostname:'censys.io'
```
Use matched services in the UI and API to rapidly find host services that contain data that match your search criteria.
- Matched services in the UI are shown in the Matched Fields section. Click the service icon to navigate directly to the service card on the host.
- Matched services in the API are returned in a matched_services object for each host that contains matching data.
```
          "matched_services": [
            {
              "protocol": "HTTP",
              "port": 18083,
              "transport_protocol": "tcp"
            }
          ]
```
The Share link action was moved to the Search Actions menu next to the search bar in the Platform web UI. Use this to generate share links for assets, search query results, and more.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

SNMP RCE in Cisco IOS and IOS XE Software [CVE‑2025‑20352]
- The queries below can help identify any affected Cisco devices exposing SNMP, but they are not necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Type	Name	Query
software	NanoKVM	Platform query
software	TinyPilot KVM	Platform query
software	JetKVM	Platform query
software	PiKVM	Platform query
software	BliKVM	Platform query
software	EJOIN SMS Gateway/SimBox	Platform query
software	Ollama AI Model Hosting Platform	Platform query
software	Palo Alto Networks Cortex XSOAR EDL Service	Platform query

about 1 month ago

September 22, 2025

Summary

Platform

API

Platform lookup API endpoints may now be used by Free users.
- Lookup endpoints cost 1 credit per asset retrieved, which is the same cost to look up assets in the Platform web UI.
- Free users can create Personal Access Tokens in the Platform web UI to execute API calls.
- The lookup endpoints no longer require an organization ID to be executed.
  - If you have access to a Starter or Enterprise organization ID and do not include it in your lookup API call, then the cost is deducted from your Free credit balance. Additionally, the endpoint will only return data that is available to Free users.
- Free users have access to the following API endpoints:

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	GoAnywhere MFT Deserialization Vulnerability [CVE-2025-10035]	This service is running a version of GoAnywhere Managed File Transfer software vulnerable to a deserialization vulnerability that could lead to remote code execution.	ASM risk query: risks.name: `GoAnywhere MFT Deserialization Vulnerability [CVE-2025-10035]`
risk	Exposed atvremote Device	This device is running atvremote, a tool used to control TV devices over the network. It communicates with services such as AirPlay, Media Remote Protocol (MRP), and Companion API, which are designed for local network use only and should not be exposed to the public internet. If left accessible, attackers could gain unauthorized control of the TV or compromise the device as part of a botnet.	ASM risk query: risks.name: `Exposed atvremote Device`
software	atvremote	This is an atvremote server.	Platform query

Type

Name

Description

Query

risk

GoAnywhere MFT Deserialization Vulnerability [CVE-2025-10035]

This service is running a version of GoAnywhere Managed File Transfer software vulnerable to a deserialization vulnerability that could lead to remote code execution.

ASM risk query:

risks.name: `GoAnywhere MFT Deserialization Vulnerability [CVE-2025-10035]`

risk

Exposed atvremote Device

This device is running atvremote, a tool used to control TV devices over the network. It communicates with services such as AirPlay, Media Remote Protocol (MRP), and Companion API, which are designed for local network use only and should not be exposed to the public internet. If left accessible, attackers could gain unauthorized control of the TV or compromise the device as part of a botnet.

ASM risk query:

risks.name: `Exposed atvremote Device`

software

atvremote

This is an atvremote server.

Platform query

about 2 months ago

September 15, 2025

Summary

New Threat Hunting MCP Server to give your AI agents access to Censys Threat Hunting APIs, empowering you to find and investigate potential threats at machine speed.
Two new scanners for Crestron over IP and MikroTik WinBox.
New SAP NetWeaver AS Java and Sitecore Experience Platform risk fingerprints for ASM.

Platform

Threat Hunting Module

Use the Threat Hunting Model Context Protocol (MCP) Server to give your AI agents access to Censys Threat Hunting APIs, empowering you to find and investigate potential threats at machine speed.

New protocol and application scanners

Added scanners for the following services.

Protocol/application	Query
`CRESTRON_OVER_IP`	Platform query
`MIKROTIK_WINBOX`	Platform query

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable SAP NetWeaver AS Java [CVE-2025-42922]	SAP NetWeaver AS Java (Deploy Web Service component), versions under J2EE-APPS 7.50, is vulnerable to an insecure file operations issue. The flaw allows an attacker with non-administrative authenticated access to upload arbitrary files through the deployment web service. Once an uploaded file is executed, the attacker may achieve full system compromise.	ASM risk query: risks.name: `Vulnerable SAP NetWeaver AS Java [CVE-2025-42922]`
risk	Vulnerable Sitecore Experience Platform [CVE-2025-53690]	Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) versions through 9.0.2 are affected by a critical deserialization vulnerability tracked as CVE-2025-53690. This vulnerability allows remote attackers to inject arbitrary code through deserialization of untrusted data, potentially leading to remote code execution.	ASM risk query: risks.name: `Vulnerable Sitecore Experience Platform [CVE-2025-53690]`

Type

Name

Description

Query

risk

Vulnerable SAP NetWeaver AS Java [CVE-2025-42922]

SAP NetWeaver AS Java (Deploy Web Service component), versions under J2EE-APPS 7.50, is vulnerable to an insecure file operations issue. The flaw allows an attacker with non-administrative authenticated access to upload arbitrary files through the deployment web service. Once an uploaded file is executed, the attacker may achieve full system compromise.

ASM risk query:

risks.name: `Vulnerable SAP NetWeaver AS Java [CVE-2025-42922]`

risk

Vulnerable Sitecore Experience Platform [CVE-2025-53690]

Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) versions through 9.0.2 are affected by a critical deserialization vulnerability tracked as CVE-2025-53690. This vulnerability allows remote attackers to inject arbitrary code through deserialization of untrusted data, potentially leading to remote code execution.

ASM risk query:

risks.name: `Vulnerable Sitecore Experience Platform [CVE-2025-53690]`

about 2 months ago

September 8, 2025

Summary

Added the ability to log in to the Platform using Google.
One new fingerprint for Cisco Secure Firewall Management Center.

Platform

Added the ability to log in to the Platform using Google.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
software	Cisco Secure Firewall Management Center	This is a Cisco Secure Firewall Management Center.	Platform query

about 2 months ago

September 2, 2025

Summary

Cloud CDN Identification for ASM to map CDN presence in your attack surface.
One new ASM risk for Citrix Netscaler.

ASM

Use Cloud CDN Identification with ASM Cloud Connectors to understand CDN presence in your attack surface.
- Cloud CDN Identification finds Azure Front Door CDN and AWS CloudFront software and reports it in the software data provided for host services and web entity instances. You can search for these Cloud CDNs in your inventory by performing a full-text search for the applicable service (such as "CloudFront" or "Front Door") or by searching for the product name in host.services.software.product or web_entity.instances.software.product.
- All newly set up Azure and AWS Cloud Connectors will ingest cloud CDN information by default. Customers with existing Azure and AWS Cloud Connector configurations need to manually update their Cloud Connectors to begin ingesting this data. To update your Cloud Connector to ingest Cloud CDN data:
  1. In the ASM web console, go to Integrations, find your Cloud Connector integration, and click Manage.
  2. In the configuration panel, click Edit Configuration, then click Next Step. Click Next Step again.
  3. Click Close. Your Cloud Connector is now updated.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
risk	Vulnerable Citrix Netscaler Application [CVE-2025-7775, CVE-2025-7776, CVE-2025-8424]	This device is vulnerable to multiple critical CVEs: CVE-2025-7775 (memory overflow leading to pre-authentication remote code execution and DoS), CVE-2025-7776 (memory overflow causing unpredictable behavior and DoS), and CVE-2025-8424 (improper access control on management interface). These vulnerabilities have been actively exploited in the wild since June 2025.	ASM query: risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-7775, CVE-2025-7776, CVE-2025-8424]`

Type

Name

Description

Query

risk

Vulnerable Citrix Netscaler Application [CVE-2025-7775, CVE-2025-7776, CVE-2025-8424]

This device is vulnerable to multiple critical CVEs: CVE-2025-7775 (memory overflow leading to pre-authentication remote code execution and DoS), CVE-2025-7776 (memory overflow causing unpredictable behavior and DoS), and CVE-2025-8424 (improper access control on management interface). These vulnerabilities have been actively exploited in the wild since June 2025.

ASM query:

risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-7775, CVE-2025-7776, CVE-2025-8424]`

2 months ago

August 25, 2025

Summary

New historical hosts for a certificate API endpoint.
Several enhancements for the Investigation Manager to make it easier to create, navigate, and pivot from investigations.
A new fingerprint for N-able N-central.
Two new risks for ASM.

Platform

Threat Hunting

Use the get host history for a certificate API to retrieve the historical observations of hosts associated with a certificate. This is useful for threat hunting, detection engineering, and timeline generation.

Investigation Manager

Added the ability to create investigations directly from host, certificate, web property, and collection pages.
Added an asset node details card for hosts that includes geographic location, labels, reverse and forward DNS, service ports and protocols, and more contextual data. This card appears when you click on host nodes in the investigation manager UI.
Added a minimap to the bottom right corner of the investigation UI to make it easier to navigate your investigations.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Plex Warns Users to Patch Security Vulnerability in Plex Media Server
- Use the following queries to find Plex Media Server login portals. Not all of these are necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	WDBRPC Service Exposed	This service is running WDBRPC (VxWorks WDB Remote Proceudre Call), a debugging protocol used by VxWorks real-time operating systems. WDB enables remote debugging, memory access, and system control of embedded devices. Exposure allows attackers to read/write system memory, execute arbitrary code, access sensitive data, or completely compromise the embedded system.	ASM query: risks.name: `WDBRPC Service Exposed`
risk	Vulnerable N-able N-central [CVE-2025-8875 & CVE-2025-8876]	This is a service running a version of N-able N-central that is vulnerable to CVE-2025-8875 and CVE-2025-8876.	ASM query: risks.name: `Vulnerable N-able N-central [CVE-2025-8875 & CVE-2025-8876]`
software	N-able N-central	This is an N-able N-central Remote Monitoring & Management solution.	Platform query

Type

Name

Description

Query

risk

WDBRPC Service Exposed

This service is running WDBRPC (VxWorks WDB Remote Proceudre Call), a debugging protocol used by VxWorks real-time operating systems. WDB enables remote debugging, memory access, and system control of embedded devices. Exposure allows attackers to read/write system memory, execute arbitrary code, access sensitive data, or completely compromise the embedded system.

ASM query:

risks.name: `WDBRPC Service Exposed`

risk

Vulnerable N-able N-central [CVE-2025-8875 & CVE-2025-8876]

This is a service running a version of N-able N-central that is vulnerable to CVE-2025-8875 and CVE-2025-8876.

ASM query:

risks.name: `Vulnerable N-able N-central [CVE-2025-8875 & CVE-2025-8876]`

software

N-able N-central

This is an N-able N-central Remote Monitoring & Management solution.

Platform query