Summary

• The Censys Platform web UI has been updated to make the search bar the focus on the home page and improve navigation. See below for more details.
• Use the new Search History page in the Platform web UI to review your search activity over the past seven days.
• Added a protocol scanner for Gemini, an application-layer internet communication protocol for accessing remote documents.
• New fingerprints for TiVo DVRs, Gitea instances, Gogs instances, and a new ASM risk for exposed Ollama applications.
• One new Rapid Response advisory for Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass [CVE-2026-20127].

Platform UI updates

The Censys Platform web UI has been updated to make the search bar the focus on the home page and improve navigation.

Left-side navigation panel

• The organization you are currently logged into is displayed in the top of the left-side nav bar. Switch to your Free account or another organization and access your organizational and personal settings from the organization drop-down.
  • Open the account selector menu, select your account or organization, and click the credits section to go to the Credit Management page.
• Access to search and the dashboards for the Threat Hunting and Critical Infrastructure modules is now located in the Intelligence section of the left-side nav bar.
• The My Work section contains your collections, a link to the Investigation Manager, and your search history.
• The Resources section includes links to the Release Notes feed, the Censys Community. Additional resources like the Censys Academy and Data Definitions are nested under Learn in this section.

Alerts and Notifications

• Access webhook configuration by clicking the bell icon for Alerts and Notifications in the top-right corner.

Personal Access Tokens, account management, and more

• Create and manage Personal Access Tokens (PATs), manage your account, and switch between light and dark mode using the profile menu in the top right corner.

Platform Search History page

• The new Search History page in the Platform web console records all of the searches you ran in the Platform UI over the previous 7 days.

New protocols and application scanners

Added support for the following protocol.

New fingerprints

Added the following fingerprints.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

risks.name: "Exposed Ollama Application"

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• February 27 Advisory: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass [CVE-2026-20127]
  • The following queries can be used to identify exposed SD-WAN Manager instances.
    • Platform query
    • ASM query
    • Legacy Search query

As part of the plan to decommission Legacy Search (search.censys.io) in 2026, Censys will update its host data backend on March 28, 2026. In Legacy Search, this will result in changes to virtual host behavior, data freshness, select API fields, and other minor adjustments. These changes are described in detail below.

These changes do not remove host coverage from Legacy Search. Additionally, this change does not affect Platform (platform.censys.io) data or functionality.

Overall host coverage, scan cadence, historical data retention, existing functionality, query syntax, UI workflows, and entitlements in Legacy Search are not impacted.

Virtual hosts

The table below summarizes key changes to virtual host data after the change.

Data freshness

• Expiration is changing to 14 days (previously 45 days).
• Index updates will occur only when a scan for that IP is received.
• The "See Latest" UI indication may appear more often.
• In general, there will be less long-lived stale data.

API and service lifecycle changes

• Timeline API: Forward pagination will be removed. API users must set reversed=true.
• Service lifecycle: Services pending removal will be immediately removed from assets when a scan indicates they are no longer visible, instead of being marked as pending.

Removed fields

The following fields will be removed from Legacy Search:

• services.parsed.rocketmq.version (RocketMQ)
• services.ipp.response (IPP)
• services.ipp.cups_response (IPP)
• services.elasticsearch.http_info (Elasticsearch)
• services.tls.server_key_exchange (TLS)
• services.prometheus.http_info (Prometheus)
• services.transport_fingerprint.* (Transport)

DNS records

• dns.records.record_type will no longer return CNAME.
• Record types will be limited to A and AAAA only.

Certificate API update frequency

The update frequency for the following APIs will change from realtime to every six hours:

• /v2/hosts/{ip}/certificates
• /v2/certificates/{fingerprint}/observations

We encourage you to review your workflows and integrations to prepare for these upcoming changes. If you have any questions or concerns about this transition, please reach out to our team at [email protected].

Summary

• Added eight new scanners for Cisco NSI, Flash Socket Policy, Melsec, Memberlist, RouterOS API, Rustdesk Heartbeat, Rustdesk Relay, and Rustdesk Rendezvous.
• Added one new ASM risk fingerprint for exposed NextGen Healthcare Mirth Connect interfaces.

New protocols and application scanners

Added support for the following protocols and applications.

New fingerprints

Added the following fingerprint.

Note that new ASM risk fingerprints may be disabled by default in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

risks.name: "Exposed NextGen Healthcare Mirth Connect"

Summary

• Updated how web properties with multiple endpoints are displayed in the Platform web UI. They are now collected on a single hostname and port card instead of split across multiple cards.
• Redirect chains, including start and end points, are now shown on host service and web endpoint cards in the Platform web UI.
• Three new fingerprints for macOS, FortiClient EMS, and QuestDB.
• One new Rapid Response advisory and queries for BeyondTrust Remote Support and Privileged Remote Access Flaw Allows Pre-Authentication RCE [CVE-2026-1731].

Platform

• To improve usability, when web properties have multiple endpoints they are now collected on a single hostname and port card instead of split across multiple cards.

  

• Redirect chains are now shown on host service and web endpoint cards.

  

New fingerprints

Added the following fingerprints.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• February 10 Advisory: BeyondTrust Remote Support and Privileged Remote Access Flaw Allows Pre-Authentication RCE [CVE-2026-1731]
  • The following queries can be used to identify exposed BeyondTrust Remote Support and Privileged Remote Access instances. Not all of these services are necessarily vulnerable.
    • Platform query
    • ASM query
    • Legacy Search query

Summary

• Use the new Platform threat history API endpoints to retrieve the history of any threats present on a host or web property.
• Free and Starter users can now delete their Platform accounts from the web app.
• Added new fingerprints for eight different VPNs, Wordpress, and Odoo.

Platform

• Free and Starter users can now delete their accounts from within the Platform web UI.

Threat Hunting

• Platform Threat Hunting users can use the new Platform threat history API endpoints to obtain the history of any threats present on a host or web property.
  • You can define a specific time frame of interest for each of these endpoints. If you do not specify a time frame, this endpoint will search the historical dataset that is available to your account.

New fingerprints

Added the following fingerprints.

Summary

• Use the new Service History timeline on host records in the Platform to quickly understand service history, persistence, anomalies, and other points of interest.
• Use new HTTP redirect data in the Platform to identify misconfigurations, relationships, and more.
• You can now use the Censys Assistant to quickly generate human-readable summaries of certificates and web properties in the Platform web UI.
• Version 1.0 of the cencli Platform command line tool was released. It includes more useful short outputs, org commands for organization details, and support for streaming output.
• Added new risk fingerprints for exposed OpenClaw interfaces, exposed EIP services, exposed CODESYS services, exposed MCP inspector services, and SmarterMail instances vulnerable to CVE-2026-23760 to ASM.
• Added one new software fingerprint for OpenClaw.

Platform

• The new Service History timeline on host records is a visualization of service presence over time broken down by protocol and port pairs. Use it to quickly understand service history, persistence, anomalies, and other points of interest.

  

• Added several parsed data fields for HTTP redirect chains to hosts and web properties.

  • Use this data to map relationships, identify misconfigurations, find parked domains, locate abandoned infrastructure, and more. For example, run web.endpoints.http.redirect_chain.hostname="censys.com" to find web properties that redirect to censys.com.

  • Redirect data is provided in the following fields.

    Field	Description
    [host.services or web].endpoints.http.redirect_chain	The nested object that contains redirect chain data.
    *.endpoints.http.redirect_chain.reason	The reason for the redirect. Can be HTTP_3XX, REFRESH_HEADER, or UNRECOGNIZED.
    *.endpoints.http.redirect_chain.transport_protocol	The transport protocol used for the redirect.
    *.endpoints.http.redirect_chain.hostname	The hostname that the redirect points to.
    *.endpoints.http.redirect_chain.path	The path that the redirect points to, like /, /login, /admin, and so on.
    *.endpoints.http.redirect_chain.port	The port that the redirect points to.

  • Redirect data is visible to and searchable by users on the Core and Enterprise plans. Redirect data is visible to Starter and Free users, but they cannot search across it.

• You can now use the Censys Assistant to quickly generate human-readable summaries of certificates and web properties in the Platform web UI.

• Version 1.0 of the cencli command line tool was released. It includes:

  • The option to retrieve informative and conciseshort outputs for numerous commands.
  • New org commands to view organization details including credits, members, and organization information.
  • Support for streaming output, allowing you to fetch large amounts of data without performance issues.

New fingerprints

Added the following fingerprints.

Note that new ASM risk fingerprints may be disabled in your workspace. Reference your risk type configuration in the ASM web console to review new risk types.

risks.name= `Exposed OpenClaw Interface`

risks.name= `EIP (EtherNet/IP) Service Exposed`

risks.name= `CODESYS Service Exposed`

risks.name="Exposed MCP Inspector"

risks.name="Vulnerable SmarterMail [CVE-2026-23760]"

Summary

• Use the new cloud asset context in ASM to help you identify asset ownership for easier remediation. This contextual metadata is retrieved for all assets sourced from the AWS, GCP, and Azure Cloud Connectors and the Wiz integration.
• You can now obtain your Platform organization ID from the Account Management page in the Platform web console.
• Added three new software fingerprints for TorGuard VPN servers, Nessus Vulnerability Scanners, and Scope Sentry.

ASM

• Use cloud asset context in ASM to help you identify asset ownership for easier remediation.

  
  • You can see the context data for an asset by clicking the linked text in the Source column in the Inventory table view in the ASM web console.
  • Contextual metadata is retrieved for all assets sourced from the AWS, GCP, and Azure Cloud Connectors and the Wiz integration.
  • This data is shown in the ASM web console and can be queried by the inventory search API endpoint.

Platform

• You can now obtain your organization ID from the Account Management page in the Platform web console.

  1. Open the Platform web console and ensure that your organization account is selected. Go to Settings > Account Management > Personal Access Tokens.

  2. The ID for your organization is shown in the "Current Organization" box. Click Copy to copy it to your clipboard.

     

New fingerprints

Added the following fingerprints.

Summary

• The Censys Assistant AI tool is now available in the Platform web app for all users.
• Use the new audit log in the UI or API to review user and organization events for the Platform and user, organization, and workspace events for Attack Surface Management (ASM).
• Detection history is now shown on the Threats tab for hosts and web properties in the Platform web console. Use this timeline to quickly understand previous threat presence on an asset.
• Use personalized fields in the Platform web app to highlight data fields of interest in your search results.
• You can now target a time range up to 365 days with the get organization credit usage and get organization member credit usage Platform API endpoints.
• Added a Platform API endpoint to retrieve Free user credit usage information.
• Added two new ASM risk fingerprints for exposed Flowise applications and exposed Open WebUI applications.
• Added two new software fingerprints for Open WebUI and Advantech IoTSuite.

Platform

• The Censys Assistant AI tool is now available in the Platform web app for all users. Use the assistant to input questions or prompts in a natural language and obtain answers based on the assets and data present in the Censys Internet Map. Learn more about the assistant in the video below.

• Use the new audit log in the UI or API to review user and organization events for the Platform and user, organization, and workspace events for Attack Surface Management (ASM).

  
  • The Censys team has started migrating ASM customers to the Platform for organization management. Contact your Censys team representative to learn more about migrating your team.

• Use personalized fields in the Platform web app to highlight data fields of interest in your search results.

  
  • Using personalized fields does not filter your search results like the filters on the left side of the page; it simply displays your configured fields on results that have already been returned by your query.

• You can now target a time range up to 365 days with the get organization credit usage and get organization member credit usage API endpoints.

• Added an API endpoint to retrieve Free user credit usage information.

Threat Hunting

• Use the new threat history visual timeline on hosts and web properties to quickly understand previous threat presence on an asset.

  
  • Hover over a plot line to see the first observed and last observed timestamps. By default, the date range displayed is the previous 30 days. Use the date picker to adjust the displayed range.

New fingerprints

Added the following fingerprints.

risks.name: `Exposed Flowise Application`

risks.name: `Exposed Open WebUI Application`

Summary

• Added aliases for Platform threat, screenshot, SHA-1 hash, and organization data fields.
• Deployed several enhancements to the ASM web UI.
• One new software fingerprint for Coolify and one new ASM risk fingerprint for n8n services vulnerable to Ni8mare (CVE-2026-21858).
• Two new Rapid Response advisories:
  • Three Vulnerabilities in Coolify Self-Hosting Platform [CVE-2025-64424, CVE-2025-64420, CVE-2025-64419]
  • n8n Unauthenticated Remote Code Execution (NI8MARE) [CVE-2026-21858]

Platform

• Added the following aliases for Platform data fields:
  • threats
  • screenshots
  • sha1
  • org

ASM

• Several improvements to the ASM web UI were made, including:

  • The workspace selection dropdown is now on the right side of the navigation bar.

  • Icons have been added to many of the items available in the top navigation dropdowns.

  • Scan frequency information is now located at the bottom of the Resources dropdown.

  • Added links to the Integrations dropdown to see all integrations, connected integrations, available integrations, and integrations that need attention.

    

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

• Three Vulnerabilities in Coolify Self-Hosting Platform [CVE-2025-64424, CVE-2025-64420, CVE-2025-64419]
  • The following queries can be used to identify exposed Coolify instances.
    • Platform query
    • ASM query
    • Legacy Search query
• n8n Unauthenticated Remote Code Execution (NI8MARE) [CVE-2026-21858]
  • The following queries can be used to identify exposed and potentially vulnerable n8n instances.
    • Platform query
    • ASM risk query
    • Legacy Search query

New fingerprints

Added the following fingerprints.

risks.name: `Vulnerable n8n (Ni8mare) [CVE-2026-21858]`

Summary

• New software fingerprints for HPE OneView and Hack the Box.
• New ASM risk fingerprints for SmarterMail services vulnerable to CVE-2025-52691, exposed HPE OneView services, unauthenticated ZeroMQ services, and unauthenticated NATS services.
• Added support for ingesting and excluding cloud resources from the AWS ap-east-2, ap-southeast-7, and ap-southeast-6 regions when using the ASM AWS Cloud Connector.
• One new Rapid Response advisory and queries for SmarterMail CVE-2025-52691.

ASM

• ASM users can now configure their AWS Cloud Connectors to ingest or exclude cloud resources from the ap-east-2, ap-southeast-7, and ap-southeast-6 regions.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• SmarterMail Unauthenticated Arbitrary File Upload Vulnerability Allows RCE [CVE-2025-52691]
  • The following queries can be used to identify exposed and potentially vulnerable hosts.
    • Platform query
    • ASM risk query
    • Legacy Search query

New fingerprints

Added the following fingerprints.

risks.name: `Unauthenticated NATS Service`

risks.name: `Unauthenticated ZeroMQ Service`

risks.name: `Vulnerable SmarterMail [CVE-2025-52691]`

risks.name: `Exposed HPE OneView`