7 days ago

January 12, 2026

Summary

Added aliases for Platform threat, screenshot, SHA-1 hash, and organization data fields.
Deployed several enhancements to the ASM web UI.
One new software fingerprint for Coolify and one new ASM risk fingerprint for n8n services vulnerable to Ni8mare (CVE-2026-21858).
Two new Rapid Response advisories:
- Three Vulnerabilities in Coolify Self-Hosting Platform [CVE-2025-64424, CVE-2025-64420, CVE-2025-64419]
- n8n Unauthenticated Remote Code Execution (NI8MARE) [CVE-2026-21858]

Platform

Added the following aliases for Platform data fields:
- threats
- screenshots
- sha1
- org

ASM

Several improvements to the ASM web UI were made, including:
- The workspace selection dropdown is now on the right side of the navigation bar.
- Icons have been added to many of the items available in the top navigation dropdowns.
- Scan frequency information is now located at the bottom of the Resources dropdown.
- Added links to the Integrations dropdown to see all integrations, connected integrations, available integrations, and integrations that need attention.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

Three Vulnerabilities in Coolify Self-Hosting Platform [CVE-2025-64424, CVE-2025-64420, CVE-2025-64419]
- The following queries can be used to identify exposed Coolify instances.
n8n Unauthenticated Remote Code Execution (NI8MARE) [CVE-2026-21858]
- The following queries can be used to identify exposed and potentially vulnerable n8n instances.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Coolify	This is Coolify, an open-source self-hosted platform for managing servers, applications, and databases.	Platform query
risk	Vulnerable n8n (Ni8mare) [CVE-2026-21858]	This is a service running a version of n8n workflow automation platform that is vulnerable to CVE-2026-21858 (Ni8mare), a critical unauthenticated Remote Code Execution vulnerability caused by a Content-Type confusion flaw in the webhook and file handling mechanism. Attackers can exploit this by sending specially crafted HTTP requests to form-based workflows to read arbitrary files, extract credentials, forge administrator sessions, and execute arbitrary commands..	ASM risk query: risks.name: `Vulnerable n8n (Ni8mare) [CVE-2026-21858]`

Type

Name

Description

Query

software

Coolify

This is Coolify, an open-source self-hosted platform for managing servers, applications, and databases.

Platform query

risk

Vulnerable n8n (Ni8mare) [CVE-2026-21858]

This is a service running a version of n8n workflow automation platform that is vulnerable to CVE-2026-21858 (Ni8mare), a critical unauthenticated Remote Code Execution vulnerability caused by a Content-Type confusion flaw in the webhook and file handling mechanism. Attackers can exploit this by sending specially crafted HTTP requests to form-based workflows to read arbitrary files, extract credentials, forge administrator sessions, and execute arbitrary commands..

ASM risk query:

risks.name: `Vulnerable n8n (Ni8mare) [CVE-2026-21858]`

14 days ago

January 5, 2026

Summary

New software fingerprints for HPE OneView and Hack the Box.
New ASM risk fingerprints for SmarterMail services vulnerable to CVE-2025-52691, exposed HPE OneView services, unauthenticated ZeroMQ services, and unauthenticated NATS services.
Added support for ingesting and excluding cloud resources from the AWS ap-east-2, ap-southeast-7, and ap-southeast-6 regions when using the ASM AWS Cloud Connector.
One new Rapid Response advisory and queries for SmarterMail CVE-2025-52691.

ASM

ASM users can now configure their AWS Cloud Connectors to ingest or exclude cloud resources from the ap-east-2, ap-southeast-7, and ap-southeast-6 regions.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

SmarterMail Unauthenticated Arbitrary File Upload Vulnerability Allows RCE [CVE-2025-52691]
- The following queries can be used to identify exposed and potentially vulnerable hosts.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	HPE OneView	This is an HPE OneView infrastructure management platform.	Platform query
software	Hack the Box	This is a Hack the Box service or endpoint.	Platform query
risk	Unauthenticated NATS Service	A NATS messaging system is exposed without authentication. This allows unauthenticated clients to publish messages to subjects and subscribe to subjects to receive published messages, potentially exposing sensitive data or allowing unauthorized data manipulation.	ASM risk query: risks.name: `Unauthenticated NATS Service`
risk	Unauthenticated ZeroMQ Service	A ZeroMQ service is exposed without authentication. ZeroMQ services allow unauthenticated clients to connect and interact with the messaging system, which introduces a risk of unintended data exposure or manipulation.	ASM risk query: risks.name: `Unauthenticated ZeroMQ Service`
risk	Vulnerable SmarterMail [CVE-2025-52691]	This SmarterMail server is running a build version vulnerable to CVE-2025-52691, an arbitrary file upload vulnerability that allows unauthenticated attackers to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. Build versions 9406 and earlier are vulnerable.	ASM risk query: risks.name: `Vulnerable SmarterMail [CVE-2025-52691]`
risk	Exposed HPE OneView	An HPE OneView infrastructure management application is exposed to the Internet.	ASM risk query: risks.name: `Exposed HPE OneView`

21 days ago

December 29, 2025

Summary

One new Rapid Response advisory, queries, and ASM risk fingerprint for MongoBleed (CVE-2025-14847), a critical MongoDB uninitialized memory disclosure vulnerability.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

MongoBleed - Critical MongoDB Uninitialized Memory Disclosure Vulnerability [CVE-2025-14847]
- The following queries can be used to identify exposed and potentially vulnerable MongoDB instances.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
risk	MongoBleed: Vulnerable MongoDB [CVE-2025-14847]	This MongoDB server is running a version vulnerable to CVE-2025-14847 (MongoBleed), an unauthenticated memory leak vulnerability that allows remote attackers to exfiltrate sensitive data from the database server's heap memory without requiring credentials.	ASM query: `risks.name="MongoBleed: Vulnerable MongoDB [CVE-2025-14847]"`

Type

Name

Description

Query

risk

MongoBleed: Vulnerable MongoDB [CVE-2025-14847]

This MongoDB server is running a version vulnerable to CVE-2025-14847 (MongoBleed), an unauthenticated memory leak vulnerability that allows remote attackers to exfiltrate sensitive data from the database server's heap memory without requiring credentials.

ASM query:

risks.name="MongoBleed: Vulnerable MongoDB [CVE-2025-14847]"

28 days ago

December 22, 2025

Summary

New Platform API endpoints to list active threats and retrieve credit information for Free users.
One new Rapid Response advisory for CVE-2025-20393, which affects Cisco Secure Email Gateways.
One new software fingerprint for Flowise servers.

Platform

Use the get Free user credit details API endpoint to retrieve your Free user account credit balance and refresh information.

Threat Hunting

Use the list active threats API endpoint to get a list of active threats observed by Censys.
- Threats are active if their fingerprint has been identified on hosts or web properties by Censys scans.
- This endpoint is available to organizations that have access to the Threat Hunting module.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Cisco Secure Email Gateway AsyncOS Zero-Day Exploited in the Wild [CVE-2025-20393]
- The following queries can be used to identify exposed Cisco Secure Email Gateways. These are not necessarily vulnerable to this CVE. Only appliances with the Spam Quarantine feature enabled are affected. Review any exposed ESA instances in your environment to determine whether Spam Quarantine is enabled; by default, this feature is associated with TCP ports 80, 82, 83, and 6025.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
software	Flowise	This is a Flowise Server.	Platform query

about 1 month ago

December 15, 2025

Summary

New Rapid Response advisory and queries for Ivanti Endpoint Manager Stored XSS Vulnerability [CVE-2025-10573].
New software fingerprints for n8n servers and Apache Tika servers.
New ASM risk fingerprints for Fortinet products vulnerable to CVE-2025-59718 and CVE-2025-59719 and Ivanti Endpoint Manager instances vulnerable to CVE-2025-10573.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Ivanti Endpoint Manager Stored XSS Vulnerability [CVE-2025-10573]
- The following queries can be used to identify exposed Ivanti EPM instances.
  - Platform query
  - Legacy Search query
- The following queries can be used to identify exposed and vulnerable Ivanti EPM instances.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	n8n Server	This is a n8n Server, an open-source workflow automation platform with AI integration.	Platform query
software	Apache Tika	This is an Apache Tika Server, a content analysis toolkit.	Platform query
risk	Vulnerable Ivanti Endpoint Manager [CVE-2025-10573]	This is a service running a version of Ivanti Endpoint Manager vulnerable to CVE-2025-10573, a critical Stored Cross-Site Scripting (XSS) vulnerability that allows a remote unauthenticated attacker to execute JavaScript in the context of an administrator's browser session, potentially leading to session hijacking and unauthorized administrative actions.	ASM query: risks.name: `Vulnerable Ivanti Endpoint Manager [CVE-2025-10573]`
risk	Vulnerable Fortinet Products [CVE-2025-59718, CVE-2025-59719]	This is a Fortinet FortiOS device running a version that is vulnerable to CVE-2025-59718 and CVE-2025-59719, an Improper Verification of Cryptographic Signature vulnerability [CWE-347] that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device.	ASM query: risks.name: `Vulnerable Fortinet Products [CVE-2025-59718, CVE-2025-59719]`

about 1 month ago

December 8, 2025

Summary

Use aliased fields in the Platform to search across multiple fields at once and quickly find relevant assets.
New Rapid Response advisories and queries for:
New software fingerprints for Waku, pgAdmin4, and Ferron web servers.
New ASM risk fingerprints for React2Shell and pgAdmin4 CVE-2025-12762.

Platform

Some fields are now grouped into aliases to make it easier to search across multiple fields at once. Aliases can be used in the Platform web UI or API. The complete list of aliases and their mapped fields is available in the documentation.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

React2Shell: Unauthenticated RCE Flaw in React Server Components [CVE-2025-55182]
- The following queries can be used to identify exposed React Server components.
Critical XXE Injection Bug in Apache Tika [CVE-2025-66516]
- The queries below can identify potentially vulnerable Tika instances.
pgAdmin4 Allows RCE via PLAIN-format Dump File Restore [CVE-2025-12762]
- The queries below can help identify potentially vulnerable pgAdmin4 instances.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Waku	This is a Waku instance.	Platform query
software	pgAdmin 4	This is a pgAdmin 4 instance, a web-based administration tool for PostgreSQL.	Platform query
software	Ferron Web Server	This is a Ferron web server.	Platform query
risk	React2Shell: Unauthenticated RCE in React Server Components [CVE-2025-55182]	This is a critical unauthenticated Remote Code Execution (RCE) flaw, dubbed "React2Shell" caused by insecure deserialization within the Flight protocol used by React Server Components. This risk broadly identifies exposed web services using RSC, but doesn't confirm vulnerability since versions are not available. Users must verify which package versions are running in their environments.	ASM query: `risks.name="React2Shell: Unauthenticated RCE, DoS, and Source Code Leakage in React Server Components [CVE-2025-55182, CVE-2025-55184, CVE-2025-67779, CVE-2025-55183]"`
risk	Vulnerable pgAdmin 4 [CVE-2025-12762]	This pgAdmin 4 server is running a version 9.9 or earlier that is vulnerable to CVE-2025-12762, a remote code execution (RCE) vulnerability. When restoring PLAIN-format dump files, an attacker can inject and execute arbitrary commands on the host, potentially leading to full system compromise of the pgAdmin host and downstream database environment.	ASM query: risks.name: `Vulnerable pgAdmin 4 [CVE-2025-12762]`

about 2 months ago

November 24, 2025

Summary

Added the ability to secure your Platform account with multi-factor authentication. Organization admins can enforce MFA for all members of their organization.
Use weekly collection digest emails to track changes to your saved Platform queries over time.
Two Rapid Response advisories for XWiki and FortiWeb issues.
Added fingerprints for Frigate NVR and XWiki and an ASM risk fingerprint for XWiki instances vulnerable to CVE-2025-24893.

Platform

You can now add another layer of security to your Platform account with multi-factor authentication (MFA) using an authenticator app.
- Configure your personal MFA settings in Settings > Account Management > Personal Settings > Security.
- Organization admins can configure MFA enforcement for their organization in Settings > Account Management > Organization Settings > Security.
Use collection email notifications to receive weekly messages about updates to your collections. Emails are sent to the email address associated with your user account.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

XWiki Platform Allows Unauthorized RCE Via RondoDox Botnet [CVE-2025-24893]
- The queries below can help identify exposed XWiki instances, but they cannot determine whether systems are vulnerable.
FortiWeb Vulnerability Allows Authenticated OS Command Injection [CVE-2025-58034]
- The queries below can identify FortiWeb instances but do not filter by version.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Frigate NVR	Frigate NVR system.	Platform query
software	XWiki	This is an XWiki server.	Platform query
risk	Vulnerable XWiki [CVE-2025-24893]	XWiki Platform is potentially vulnerable to an unauthenticated remote code execution flaw. If the SolrSearch macro is exposed, an unauthenticated attacker can inject a crafted request into the macro to achieve server-side code execution, which would allow full compromise of the XWiki instance.	ASM query: risks.name: `Vulnerable XWiki [CVE-2025-24893]`

Type

Name

Description

Query

software

Frigate NVR

Frigate NVR system.

Platform query

software

XWiki

This is an XWiki server.

Platform query

risk

Vulnerable XWiki [CVE-2025-24893]

XWiki Platform is potentially vulnerable to an unauthenticated remote code execution flaw. If the SolrSearch macro is exposed, an unauthenticated attacker can inject a crafted request into the macro to achieve server-side code execution, which would allow full compromise of the XWiki instance.

ASM query:

risks.name: `Vulnerable XWiki [CVE-2025-24893]`

2 months ago

November 17, 2025

Summary

New AI summary functionality for host assets.

Platform

Use the new Summarize host functionality on host assets in the UI to quickly generate a concise, human-readable summary of the asset using the Censys Assistant.
- This feature is available to Starter and Enterprise users.

2 months ago

November 10, 2025

Summary

New Platform Account Management API endpoints for programmatic organization management and credit monitoring.
New fingerprint for Cisco IOS-XE endpoints.

Platform

Use the Account Management API to programmatically manage your organization and monitor credit consumption. New endpoints are available for the following actions:

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
operating_system	Cisco IOS-XE Endpoints	This is a Cisco IOS-XE operating system.	Platform query
software	Bazarr	Bazarr is a companion application to Sonarr and Radarr that manages and downloads subtitles.	Platform query
software	Lidarr	Lidarr is a music collection manager for Usenet and BitTorrent users.	Platform query

3 months ago

November 3, 2025

Summary

Collections are now available to all Free users.
One new fingerprint for Tesla Wall Connectors and one new ASM risk fingerprint for exposed Apache ZooKeeper services.

Platform

Free users can now create and monitor collections in the Platform web console.

An example collection that finds newly-created certificates for an example domain.
- Collections let you track changes to internet-facing infrastructure to stay proactive about threats and vulnerabilities using a saved Censys query, so you can spend less time searching and more time taking action.
- Free user collections are limited to 100 assets.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
hardware	Wall Connector	This is a Tesla Energy Wall Connector.	Platform query
risk	ZooKeeper Service Exposed	Apache ZooKeeper is a centralized coordination service used for configuration management, naming, distributed synchronization, and group membership in distributed systems. When ZooKeeper is exposed to the Internet or untrusted networks, attackers may be able to read or modify application configuration and state, enumerate cluster topology, or exploit authentication/ACL misconfigurations to escalate privileges. Exposure can lead to data leakage, service disruption, and full compromise of systems that rely on ZooKeeper for critical coordination.	ASM query