6 days ago

May 18, 2026

Summary

Use the new Google SecOps SOAR and Palo Alto Cortex XSOAR/XSIAM Platform integrations to bring Censys internet intelligence into your SOC workflows.
Added several new fingerprints to the Platform and one new risk fingerprint for vulnerable Exim Server [CVE-2026-45185] to ASM.

Platform

Use the new Google SecOps SOAR and Palo Alto Cortex XSOAR/XSIAM Platform integrations to bring Censys internet intelligence into your SOC workflows.
- Each of these integrations features actions that you can use to manually or automatically enrich IPs, domains, and certificates with Censys data.
- You can also retrieve host history, execute rescans, and initiate CensEye automated pivoting jobs directly from the integration.

New fingerprints and risks

Added the following fingerprints and risk.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

New fingerprints

Name	Description	Query
enteliWEB	Web-based building automation and energy management platform by Delta Controls for monitoring and controlling HVAC and BAS systems.	Platform query
eBMgr	Delta Controls' eBMgr is an enterprise building management server that centralizes control of multiple BACnet-based building automation networks.	Platform query
enteliTOUCH	Touchscreen operator display by Delta Controls for local interaction with building automation controllers.	Platform query
ELNet MC Building Automation Controller	ELNet MC is a building automation controller used for energy monitoring and management in commercial facilities.	Platform query
FastAPI	FastAPI is a modern, high-performance Python web framework for building APIs with automatic OpenAPI documentation.	Platform query
FortiAnalyzer	FortiAnalyzer is Fortinet's centralized logging, analysis, and reporting platform for network security events.	Platform query
FortiGate	FortiGate is Fortinet's flagship next-generation firewall and unified threat management appliance.	Platform query
Glances	Glances is an open-source cross-platform system monitoring tool with a web interface for real-time resource visibility.	Platform query
GLPI	GLPI is an open-source IT asset management and helpdesk system used for inventory tracking and service management.	Platform query
Versatile Routing Platform	Huawei's Versatile Routing Platform (VRP) is the underlying operating system powering Huawei routers and switches.	Platform query
HG8045H	The HG8045H is a Huawei GPON optical network terminal (ONT) commonly deployed in residential fiber-to-the-home installations.	Platform query
FusionAccess	FusionAccess is Huawei's virtual desktop infrastructure (VDI) solution for delivering cloud-hosted desktop environments.	Platform query
Fireware	Fireware is the operating system running on WatchGuard Firebox network security appliances.	Platform query
Fireware XTM	Fireware XTM is the legacy WatchGuard security appliance OS for the Extensible Threat Management (XTM) product line.	Platform query
IP Camera	AVTECH IP cameras are network-connected surveillance cameras with a web management interface, historically associated with multiple critical vulnerabilities.	Platform query
Blue Iris	Blue Iris is a Windows-based video surveillance software platform for managing IP cameras and recording streams.	Platform query
Browserless	Browserless is a headless Chrome-as-a-service platform that enables remote browser automation via a web API.	Platform query
Cacti	Cacti is an open-source network monitoring and graphing tool built on RRDTool for polling and visualizing performance metrics.	Platform query
PlantVisor	PlantVisor is CAREL's HVAC/R supervisory software for monitoring and managing refrigeration and climate control systems.	Platform query
pCOWeb	pCOWeb is CAREL's Ethernet gateway card that provides web-based remote access to pCO HVAC controllers.	Platform query
CrushFTP Web Interface	CrushFTP's web interface provides browser-based access to its enterprise file transfer server for managing files and users.	Platform query
Darkstat	Darkstat is a lightweight network traffic analyzer that captures packets and exposes usage statistics via a built-in web interface.	Platform query

New risks

Name	Description	Query
Vulnerable Exim Server [CVE-2026-45185]	This Exim mail server is running version 4.97 through 4.99.2, which is affected by CVE-2026-45185, an unauthenticated remote code execution vulnerability in the BDAT (CHUNKING) body parsing path.	risks.name:`Vulnerable+Exim+Server+[CVE-2026-45185]`

13 days ago

May 11, 2026

Summary

You can now use tags and comments on assets in the Censys Platform to categorize, track, and collaborate on investigations.
Quickly understand domain-to-host relationships, analyze infrastructure changes over time, and review extensive DNS records using Censys Active DNS.
New endpoint hash observation history API endpoint for Adversary Investigation module users.
Two new Censys ARC Rapid Response advisories.
Added four new fingerprints. Added two new risks for ASM.

Platform

You can apply custom tags and comments to assets in the Censys Platform for categorization, reference, review, and many other purposes.
- Tags can also be managed via the API.
- Tags and comments are available to users on Censys Starter, Censys Search, and Censys Enterprise plans.

Quickly understand domain-to-host relationships, analyze infrastructure changes over time, and review extensive DNS records using Censys Active DNS.
- You can use Censys Active DNS to:
  - View current and historical A, AAAA, CNAME, MX, NS, SOA, and TXT records for a domain. Records are resolved directly by Censys approximately every 24 hours.
  - Analyze domain infrastructure changes and timelines. See exactly when a domain changed from one IP or another, how long it persisted, and what ran there.
  - Instantly pivot from any domain to its host IP, open services, threats, certificates, and more. You can also pivot in the other direction from a host IP to see all domains that have ever been present on it.
- Active DNS is a beta feature available to Censys Enterprise customers.

Adversary Investigation

Use the get endpoint observation history for a host API endpoint to retrieve historical endpoint-level hash observations for a host.
- This action returns time frames during which Censys observed host service endpoint body, favicon, and banner hash values.

Censys ARC Rapid Response

The Censys ARC team published information about the following issues.

May 5 Advisory: Progress MOVEit Automation Authentication Bypass [CVE-2026-4670]
May 7 Advisory: Palo Alto PAN-OS User-ID Authentication Portal Buffer Overflow [CVE-2026-0300]
- The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.

New fingerprints and risks

Added the following fingerprints.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

New fingerprints

Name	Description	Query
OpenEMR	This is an OpenEMR electronic health record and practice management application, used by clinics and healthcare organizations for clinical documentation and patient care workflows.	Platform query
Argo CD	Argo CD is a continuous delivery tool for Kubernetes.	Platform query
MetInfo CMS	MetInfo is an open-source content management system (CMS).	Platform query
FRITZ!Box	FRITZ!Boxes are residential gateway devices.	Platform query

New risks

Name	Description	Query
Vulnerable n8n [CVE-2026-42233]	This service is running a vulnerable version of n8n affected by CVE-2026-42233, a critical SQL injection flaw in the Oracle Database node select operation. Unsanitized Limit-field input can alter SQL queries and expose data from connected Oracle databases.	risks.name: `Vulnerable n8n [CVE-2026-42233]`
Vulnerable Apache HTTP Server [CVE-2026-23918]	The affected Apache HTTP Server is running a version potentially vulnerable to CVE-2026-23918, a double free in the HTTP/2 protocol handler triggered on early connection reset. On servers with HTTP/2 enabled, this may allow a remote attacker to achieve remote code execution.	risks.name: `Vulnerable Apache HTTP Server [CVE-2026-23918]`

20 days ago

May 4, 2026

Summary

Added 7 new fingerprints for VPNs, network devices, and Xinference.
One new Censys ARC Rapid Response advisory for cPanel and WHM Authentication Bypass Allow Remote Admin Access [CVE-2026-41940].

Censys ARC Rapid Response

The Censys ARC team published information about and queries for the following issue.

April 30 Advisory: cPanel and WHM Authentication Bypass Allow Remote Admin Access [CVE-2026-41940]
- The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.

New fingerprints

Added the following fingerprints.

New fingerprints

Name	Description	Query
Fortinet FortiGate SSL VPN	This is Fortinet FortiGate SSL VPN for remote user access to protected networks.	Platform query
NoobzVPN	This is a NoobzVPN server, a VPN tunneling product from Noobz-ID used for encrypted remote access and traffic relay.	Platform query
Pritunl	This is a Pritunl server, an open-source VPN and Zero Trust gateway application.	Platform query
Sophos SSL VPN	This is a Sophos appliance exposing an SSL VPN remote access portal.	Platform query
Cudy Router	This is a Cudy Home and Small Business Router.	Platform query
Cisco PIX Firewall	This is a Cisco PIX Firewall server, a legacy dedicated hardware appliance from the PIX 500 series used for network perimeter security.	Platform query
Xinference	This is a Xorbits Xinference server, an open-source platform for running and integrating LLMs, embedding models, and multimodal models on premises or in the cloud.	Platform query

27 days ago

April 27, 2026

Summary

Added a new scanner for MCP (Model Context Protocol) endpoints.
Use role aware insights for the Censys Assistant to tailor responses based on your security needs.
Added one new fingerprint for Cobwebs Trapdoor.

Platform

Added a new scanner for MCP (Model Context Protocol) endpoints to retrieve deep, actionable data for web-exposed applications leveraging MCP.
- This data includes:
  - MCP tools
  - MCP prompts
  - MCP resources
- Deep application scanner data is available to Censys Search and Censys Enterprise users.
When analyzing internet infrastructure, a reactive defender like a SOC analyst has different goals than a proactive defender, like a vulnerability analyst. Role aware insights for the Censys Assistant provide you with context that transforms generic responses into role-tailored insights.

New fingerprints

Added the following fingerprint.

New fingerprints

Name	Description	Query
Cobwebs Trapdoor	Cobwebs Trapdoor is a phishing and social engineering platform.	Platform query

about 1 month ago

April 20, 2026

Summary

Use the Censys Assistant in ASM to input questions in a natural language and obtain answers based on the assets present in your attack surface inventory.
Added new fingerprints for Nginx UI, Oracle WebLogic Server Administration Console, and Pi-Hole.
Added two new ASM risk fingerprints for exposed Nginx UI applications and exposed Oracle WebLogic Server administration consoles.

ASM

Use the Censys Assistant in ASM to input questions in a natural language and obtain answers based on the assets present in your attack surface inventory.
- Prompt the assistant with input like:
  - Whether any of your assets are vulnerable to a specific CVE.
  - Aggregate and analyze the cloud providers are present in your inventory.
  - Find services running on nonstandard ports.
- To use the Censys Assistant in ASM, your organization must be migrated to the Platform for team management. Contact your Censys representative to learn more about migrating.

New fingerprints and risks

Added the following fingerprints and risks.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

New fingerprints

Name	Description	Query
Nginx UI	Nginx UI (nginx-ui) is a browser-based control panel for managing nginx configuration and runtime.	Platform query
Oracle WebLogic Server Administration Console	This is the Oracle WebLogic Server Administration Console web interface.	Platform query
Pi-hole	Pi-hole is a Linux network-level advertisement and internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server.	Platform query

New ASM risks

Name	Description	Query
Exposed Nginx UI Application	This service exposes Nginx UI, a web admin panel for nginx that can reveal configuration and permit changes if access controls are weak.	ASM risk query: `risks.name: "Exposed Nginx UI Application"`
Exposed Oracle WebLogic Server Administration Console	The Oracle WebLogic Server Administration Console is reachable over HTTP. This management UI controls the application server and related resources. Exposing it to the Internet increases unauthorized access and attack risk.	ASM risk query: `risks.name: "Exposed Oracle WebLogic Server Administration Console"`

Name

Description

Query

Exposed Nginx UI Application

This service exposes Nginx UI, a web admin panel for nginx that can reveal configuration and permit changes if access controls are weak.

ASM risk query:

risks.name: "Exposed Nginx UI Application"

Exposed Oracle WebLogic Server Administration Console

The Oracle WebLogic Server Administration Console is reachable over HTTP. This management UI controls the application server and related resources. Exposing it to the Internet increases unauthorized access and attack risk.

ASM risk query:

risks.name: "Exposed Oracle WebLogic Server Administration Console"

about 1 month ago

April 13, 2026

Summary

Use reputation scores in the Censys Platform to quickly determine the potential risk associated with hosts, validated by transparent evidence in the Censys dataset.
One new Censys ARC Rapid Response advisory for improper access control vulnerability in Fortinet FortiClient EMS [CVE-2026-35616].
Added new fingerprints for handlebars.js and several SIP and VoIP services.
Added two new ASM risk fingerprints for vulnerable Handlebars.js [CVE-2026-33937] and vulnerable FortiClient EMS [CVE-2026-35616].

Platform

Use reputation scores in the Censys Platform to quickly determine the potential risk associated with hosts, validated by transparent evidence in the Censys dataset. This score enables you to prioritize alerts with IP indicators faster and perform triage and analysis more effectively with a transparent and consistent scoring methodology.
- Reputation scores and their attendant data are only available to Censys Enterprise users. Additional score context data is available to Censys Enterprise users with access to the Adversary Investigation module. See the documentation for more information.

Censys ARC Rapid Response

The Censys ARC team published information about and queries for the following issue.

April 7 Advisory: Improper Access Control Vulnerability in Fortinet FortiClient EMS [CVE-2026-35616]
- The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.

New fingerprints and risks

Added the following fingerprints and risks.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

New fingerprints

Name	Description	Query
handlebars.js	This asset embeds the Handlebars.js JavaScript templating library.	Platform query
Cisco Expressway	Cisco Expressway is a collaboration gateway that provides firewall-traversal technology for voice, video, content, and instant messaging.	Platform query
Sangoma Asterisk	Sangoma Asterisk is an open-source communications framework for building Voice over Internet Protocol Private Branch Exchange (VoIP PBX) systems, voicemail, and conferencing.	Platform query
Sangoma Certified Asterisk	Sangoma Certified Asterisk is a specialized version of Asterisk designed for enterprise environments requiring high reliability and support.	Platform query
Sangoma FreePBX	FreePBX is a web-based open-source GUI for controlling and managing Asterisk.	Platform query
STARFACE	STARFACE is a Session Initiation Protocol (SIP) trunking service and IP-based telephony solution.	Platform query
Wildix Media Gateway	Wildix Media Gateway is a device that bridges traditional telephony lines (analog, PRI, BRI, GSM/LTE) with the Wildix VoIP PBX system.	Platform query

New ASM risks

Name	Description	Query
Vulnerable Handlebars.js [CVE-2026-33937]	This service is using a version of Handlebars.js (4.0.0–4.7.8) vulnerable to CVE-2026-33937, a critical server-side remote code execution vulnerability. Handlebars.compile() emits the value field of a NumberLiteral AST node directly into generated JavaScript without sanitization. An attacker who controls the AST passed to compile() can inject and execute arbitrary JavaScript in any Node.js application that passes user-controlled input to compile().	ASM risk query: `risks.name: "Vulnerable Handlebars.js [CVE-2026-33937]"`
Vulnerable FortiClient EMS [CVE-2026-35616]	This is an exposed FortiClient EMS instance prone to an improper access control vulnerability that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.	ASM risk query: `risks.name: "Vulnerable FortiClient EMS [CVE-2026-35616]"`

Name

Description

Query

Vulnerable Handlebars.js [CVE-2026-33937]

This service is using a version of Handlebars.js (4.0.0–4.7.8) vulnerable to CVE-2026-33937, a critical server-side remote code execution vulnerability. Handlebars.compile() emits the value field of a NumberLiteral AST node directly into generated JavaScript without sanitization. An attacker who controls the AST passed to compile() can inject and execute arbitrary JavaScript in any Node.js application that passes user-controlled input to compile().

ASM risk query:

risks.name: "Vulnerable Handlebars.js [CVE-2026-33937]"

Vulnerable FortiClient EMS [CVE-2026-35616]

This is an exposed FortiClient EMS instance prone to an improper access control vulnerability that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

ASM risk query:

risks.name: "Vulnerable FortiClient EMS [CVE-2026-35616]"

about 2 months ago

April 6, 2026

Summary

Added 19 new fingerprints for SSL VPNs, operating systems, and several other products and services.

New fingerprints

Added the following fingerprints.

Name	Description	Query
ALEOS	This is an ALEOS operating system for Sierra Wireless devices.	Platform query
Stormshield SSL VPN	This is a Stormshield SSL VPN server.	Platform query
SonicWall Virtual Office	This is a SonicWall Virtual Office SSL VPN server.	Platform query
SonicWALL Pro	This is a SonicWALL Pro series firewall (covers Pro 100, Pro 200, and so on).	Platform query
SonicWALL NSSP	This is a SonicWALL NSSP (Network Security Services Platform) device.	Platform query
Leadsec SSL VPN	This is a Leadsec SSL VPN server.	Platform query
KobzVPN	This is a KobzVPN server.	Platform query
Juniper NSM	This is a Juniper NSM (Network and Security Manager) server, covering NSM3000 and NSM Express.	Platform query
Huawei SSL VPN	This is a Huawei SSL VPN server.	Platform query
DPtech SSL VPN	This is a DPtech SSL VPN server.	Platform query
Citrix SD-WAN	This is a Citrix SD-WAN server.	Platform query
Citrix Access Gateway	This is a Citrix Access Gateway server.	Platform query
Cisco StarOS	This is a Cisco StarOS utility server.	Platform query
Cisco IOS XR	This is a Cisco IOS XR operating system, commonly found on routers.	Platform query
Cisco Cloud Services Router 1000v	This is a Cisco Cloud Services Router 1000v.	Platform query
Cisco AnyConnect Secure Mobility Client	This is a Cisco AnyConnect Secure Mobility Client (SSL VPN) server.	Platform query
Check Point SSL Network Extender	This is a Check Point SSL Network Extender server.	Platform query
Check Point Harmony SASE	This is a Check Point Harmony SASE server.	Platform query
Barracuda SSL VPN	This is a Barracuda SSL VPN server.	Platform query

about 2 months ago

March 30, 2026

Summary

Use new Platform Threat Hunting CensEye APIs to create pivot analysis jobs to find web infrastructure related to threats and other assets.
Run queries for new security advisories published the Censys ARC team directly from the Platform home page.
You can now view interactive demos of data add-on modules in the Platform web console.
One new Rapid Response advisory for Citrix NetScaler ADC and Gateway out-of-bounds read vulnerability [CVE-2026-3055].

Platform

Run queries for trending security advisories published the Censys ARC team directly from the Platform home page.
- ARC, Censys' cybersecurity research team, frequently releases new advisories and queries for trending security issues. These are shown in a carousel under the search bar. Use these queries to track important issues and learn how to build your own targeted searches. Most of these queries utilize data that is available to Free users, but sometimes they will use regex or other entitled fields.
You can now view interactive demos of data add-on modules in the Platform web console. Use the left navigation bar to view demos for the Adversary Investigation and Critical Infrastructure modules.

Adversary Investigation

Use new CensEye APIs to create pivot analysis jobs to find web infrastructure related to threats and other assets.
- The new pivot analysis job endpoint extracts default pivot fields from the target asset and counts matching documents for each field-value pair. This is similar to using CensEye in the Platform web UI.
- The other two new endpoints can be used to check job status and retrieve job results.

Rapid Response

The Censys ARC team published information about and queries for the following issue.

March 26 Advisory: Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability [CVE-2026-3055]
- The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.

2 months ago

March 23, 2026

Summary

Use the new Censys for Splunk SOAR and Censys for Splunk Platform integrations to enhance your SOC workflows with Censys data enrichment and playbook actions.
Two new Censys ARC Rapid Response advisories for pre-authentication RCE vulnerability in GNU Inetutils Telnetd [CVE-2026-32746] and Ubiquiti UniFi network application remote path traversal vulnerability [CVE-2026-22557].
The name of the "Explore Threats" page in the Platform UI has been changed to "Tracked Threats."
Added one new fingerprint for NetBox and two new ASM risks.

Platform

Use the new Censys for Splunk SOAR and Censys for Splunk Platform integrations to enhance your SOC workflows with Censys data enrichment and playbook actions.
- These integrations include several ad hoc enrichment actions for hosts, web properties, and certificates that can be used on an ad hoc basis or used for automated enrichment.
- Watch this video to learn more about how to use the Splunk SOAR application.
The name of the "Explore Threats" page in the Platform UI has been changed to "Tracked Threats."

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

March 18 Advisory: Pre-Authentication RCE Vulnerability in GNU Inetutils Telnetd [CVE-2026-32746]
- The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.
March 19 Advisory: Ubiquiti UniFi Network Application Remote Path Traversal Vulnerability [CVE-2026-22557]
- The following queries can be used to identify exposed instances. Not all of these services are necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

Type	Name	Description	Query
hardware	NetBox	NetBox is an open-source DCIM and IPAM tool for managing network infrastructure.	Platform query
risk	Exposed FortiAnalyzer Application	An HTTP service is exposing a Fortinet FortiAnalyzer application. FortiAnalyzer is a centralized logging and reporting solution that aggregates security and traffic data from FortiGate and other Fortinet devices. Exposing this management interface to the internet can allow unauthorized access to sensitive network and security analytics.	ASM risk query: `risks.name: "Exposed FortiAnalyzer Application"`
risk	Exposed NetBox Application	A NetBox application is exposed to the internet. NetBox is a DCIM and IPAM tool that manages network infrastructure, IP allocations, and device inventories. Exposure may allow unauthorized access to sensitive network topology and infrastructure data.	ASM risk query: `risks.name: "Exposed NetBox Application"`

Type

Name

Description

Query

hardware

NetBox

NetBox is an open-source DCIM and IPAM tool for managing network infrastructure.

Platform query

risk

Exposed FortiAnalyzer Application

An HTTP service is exposing a Fortinet FortiAnalyzer application. FortiAnalyzer is a centralized logging and reporting solution that aggregates security and traffic data from FortiGate and other Fortinet devices. Exposing this management interface to the internet can allow unauthorized access to sensitive network and security analytics.

ASM risk query:

risks.name: "Exposed FortiAnalyzer Application"

risk

Exposed NetBox Application

A NetBox application is exposed to the internet. NetBox is a DCIM and IPAM tool that manages network infrastructure, IP allocations, and device inventories. Exposure may allow unauthorized access to sensitive network topology and infrastructure data.

ASM risk query:

risks.name: "Exposed NetBox Application"

2 months ago

March 16, 2026

Summary

Added new fingerprints for several remote monitoring and management (RMM) tools and Datto SIRIS.
Added new protocol and application scanners for Anerma CF Forth, ICAP, and STUN.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Datto RMM	Datto RMM is a cloud-based tool used for remote monitoring and management (RMM).	Platform query
software	Datto SIRIS	Datto SIRIS is a business continuity and disaster recovery (BCDR) tool designed for MSPs.	Platform query
software	Atera	Atera is an RMM tool.	Platform query
software	SimpleHelp	SimpleHelp is an RMM tool.	Platform query
software	Splashtop	Splashtop is an RMM tool.	Platform query
software	Zoho Assist	Zoho Assist is an RMM tool.	Platform query

New protocols and application scanners

Added support for the following protocols and applications.

Protocol/application	Query	Data availability
`ANERMA_CF_FORTH`	Platform query	Data is only visible and searchable to users with access to the Critical Infrastructure module.
`ICAP`	Platform query	Data is visible to and searchable by Starter, Core, and Enterprise users.
`STUN`	Platform query	Data is visible to Starter users and is visible to and searchable by Core and Enterprise users.