June 10, 2025
Platform Query Assistant beta for all users, Platform Threat Hunting module release, general availability for the Platform, two Rapid Response bulletins, several new risk fingerprints, and one new software fingerprint.
Platform
- Quickly generate valid Censys Query Language (CenQL) search queries from natural language input with the new Query Assistant tool in the Platform web UI.
  - Query Assistant is a beta feature available to all Platform users.
- Use the Platform Threat Hunting module to detect, analyze, and track threat infrastructure with speed and precision. The module enables you to explore the threat dataset with structured tools, historical context, and workflows. These capabilities help users validate threats in real time and uncover hidden clusters of malicious assets. The Threat Hunting module includes the following:
  - The Platform threat dataset that maps malware, threat actors, and tactics to services or endpoints running on exposed hosts and web properties.
  - Interactive Explore Threats page that provides a centralized view into internet-facing infrastructure linked to malware and threat actors. Use interactive visualizations, curated threat profiles, and simplified filtering to quickly identify relevant threats.
  - CensEye automated pivoting tool to help you identify web assets on the internet that share a specific key-value pair with an asset of interest to quickly pivot into related infrastructure.
  - Live Rescan and Discovery to run fresh scans on specific ports to instantly validate infrastructure behavior, detect configuration changes, and confirm asset persistence without waiting for scheduled Censys scans.
  - Certificate Timeline that provides a visual history of when a certificate presented itself on hosts and web properties. This visualization gives threat hunters historical context that simplifies the detection of patterns, trends, and anomalies that could signal malicious behavior.
- The Censys Platform is now generally available to all customers.
Rapid Response
The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.
- ConnectWise ScreenConnect Vulnerability Added to CISA KEV [CVE-2025-3935]
  - Use the following queries to find instances of ConnectWise ScreenConnect. Not all of these are necessarily vulnerable, as specific version information may not be available.
- vBulletin Allows Unauthenticated Users to Invoke Protected API Controllers’ Methods to Achieve RCE [CVE-2025-48827-48828]
  - Use the following Platform query to find vulnerable vBulletin instances. It requires a Starter or Enterprise plan, as it uses regex.
  - Use the following queries to find vBulletin instances. Not all of these are necessarily vulnerable, as version-related information is not targeted using these queries.
New fingerprints
Added the following fingerprints.
Type | Name | Description | Query |
---|---|---|---|
software | vBulletin | vBulletin is a PHP-based bulletin board software that is used to create and manage online forums. | |
risk | Insecure SNMP Service Exposed | This service is running SNMPv1 or SNMPv2, which transmit community strings in plaintext and lack proper authentication and encryption. Attackers can easily sniff network traffic to determine community strings, enabling man-in-the-middle attacks, replay attacks, and unauthorized access to network device management functions. | ASM query: |
risk | Vulnerable ConnectWise ScreenConnect [CVE-2025-3935] | This ConnectWise server is running a version vulnerable to CVE-2025-3935, a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 and protected by machine keys. It is important to note that obtaining these machine keys requires privileged system-level access. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform-level behavior. | ASM query: |
risk | Vulnerable vBulletin [CVE-2025-48827] | vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. | ASM query: |
risk | ASUS Backdoor IOC | This ASUS device has SSH running on the high, ephemeral port TCP/53282, a port that has been linked with a malicious backdoor installed by the AyySSHush botnet. It's recommended to examine this device for the specific attacker-controlled SSH key associated with this botnet. | ASM query: |
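
The vBulletin [CVE-2025-48827] row above gives an affected version range plus a PHP runtime condition, and the Rapid Response notes point out that version information is not always available. The following triage sketch is an added example, not Censys code; the banner strings, host labels, and function names are constructed assumptions, and only the numeric version in each banner is compared.

```python
import re

# Affected ranges as stated in the fingerprint description (inclusive bounds).
AFFECTED_RANGES = [((5, 0, 0), (5, 7, 5)), ((6, 0, 0), (6, 0, 3))]
MIN_PHP = (8, 1)  # the issue applies when running on PHP 8.1 or later

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text, width):
    """Return the first dotted version in text as a tuple of `width` ints, or None."""
    m = VERSION_RE.search(text or "")
    if not m:
        return None
    parts = [int(p) if p is not None else 0 for p in m.groups()]
    return tuple(parts[:width])


def triage(vb_banner, php_banner):
    """Classify one instance as 'affected', 'not-affected' or 'unknown'."""
    vb = parse_version(vb_banner, 3)
    if vb is None:
        return "unknown"  # no version exposed: cannot rule it in or out
    if not any(lo <= vb <= hi for lo, hi in AFFECTED_RANGES):
        return "not-affected"
    php = parse_version(php_banner, 2)
    if php is None:
        return "unknown"  # release is in range, PHP runtime not observed
    return "affected" if php >= MIN_PHP else "not-affected"


# Constructed sample inventory: (host label, vBulletin banner, PHP banner).
SAMPLE_INVENTORY = [
    ("forum-a", "vBulletin 5.7.5", "PHP/8.2.12"),
    ("forum-b", "vBulletin 6.0.3", "PHP/8.1.0"),
    ("forum-c", "vBulletin 5.6.9", "PHP/7.4.33"),
    ("forum-d", "vBulletin 6.0.4", "PHP/8.3.1"),
    ("forum-e", "vBulletin", "PHP/8.2.0"),
    ("forum-f", "vBulletin 5.7.0", ""),
]


def triage_inventory(rows):
    """Map each host label to its triage verdict."""
    return {host: triage(vb, php) for host, vb, php in rows}


if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts that come back as "unknown" are the ones to verify directly on the server, since an exposed banner without a version or PHP runtime cannot confirm or clear them.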