5 days ago

December 15, 2025

Summary

New Rapid Response advisory and queries for Ivanti Endpoint Manager Stored XSS Vulnerability [CVE-2025-10573].
New software fingerprints for n8n servers and Apache Tika servers.
New ASM risk fingerprints for Fortinet products vulnerable to CVE-2025-59718 and CVE-2025-59719 and Ivanti Endpoint Manager instances vulnerable to CVE-2025-10573.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Ivanti Endpoint Manager Stored XSS Vulnerability [CVE-2025-10573]
- The following queries can be used to identify exposed Ivanti EPM instances.
  - Platform query
  - Legacy Search query
- The following queries can be used to identify exposed and vulnerable Ivanti EPM instances.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	n8n Server	This is a n8n Server, an open-source workflow automation platform with AI integration.	Platform query
software	Apache Tika	This is an Apache Tika Server, a content analysis toolkit.	Platform query
risk	Vulnerable Ivanti Endpoint Manager [CVE-2025-10573]	This is a service running a version of Ivanti Endpoint Manager vulnerable to CVE-2025-10573, a critical Stored Cross-Site Scripting (XSS) vulnerability that allows a remote unauthenticated attacker to execute JavaScript in the context of an administrator's browser session, potentially leading to session hijacking and unauthorized administrative actions.	ASM query: risks.name: `Vulnerable Ivanti Endpoint Manager [CVE-2025-10573]`
risk	Vulnerable Fortinet Products [CVE-2025-59718, CVE-2025-59719]	This is a Fortinet FortiOS device running a version that is vulnerable to CVE-2025-59718 and CVE-2025-59719, an Improper Verification of Cryptographic Signature vulnerability [CWE-347] that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device.	ASM query: risks.name: `Vulnerable Fortinet Products [CVE-2025-59718, CVE-2025-59719]`

12 days ago

December 8, 2025

Summary

Use aliased fields in the Platform to search across multiple fields at once and quickly find relevant assets.
New Rapid Response advisories and queries for:
New software fingerprints for Waku, pgAdmin4, and Ferron web servers.
New ASM risk fingerprints for React2Shell and pgAdmin4 CVE-2025-12762.

Platform

Some fields are now grouped into aliases to make it easier to search across multiple fields at once. Aliases can be used in the Platform web UI or API. The complete list of aliases and their mapped fields is available in the documentation.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

Unauthenticated RCE Flaw in React Server Components [CVE-2025-55182]
- The following queries can be used to identify exposed React Server components.
Critical XXE Injection Bug in Apache Tika [CVE-2025-66516]
- The queries below can identify potentially vulnerable Tika instances.
pgAdmin4 Allows RCE via PLAIN-format Dump File Restore [CVE-2025-12762]
- The queries below can help identify potentially vulnerable pgAdmin4 instances.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Waku	This is a Waku instance.	Platform query
software	pgAdmin 4	This is a pgAdmin 4 instance, a web-based administration tool for PostgreSQL.	Platform query
software	Ferron Web Server	This is a Ferron web server.	Platform query
risk	React2Shell: Unauthenticated RCE in React Server Components [CVE-2025-55182]	This is a critical unauthenticated Remote Code Execution (RCE) flaw, dubbed "React2Shell" caused by insecure deserialization within the Flight protocol used by React Server Components. This risk broadly identifies exposed web services using RSC, but doesn't confirm vulnerability since versions are not available. Users must verify which package versions are running in their environments.	ASM query: risks.name: `React2Shell: Unauthenticated RCE in React Server Components [CVE-2025-55182]`
risk	Vulnerable pgAdmin 4 [CVE-2025-12762]	This pgAdmin 4 server is running a version 9.9 or earlier that is vulnerable to CVE-2025-12762, a remote code execution (RCE) vulnerability. When restoring PLAIN-format dump files, an attacker can inject and execute arbitrary commands on the host, potentially leading to full system compromise of the pgAdmin host and downstream database environment.	ASM query: risks.name: `Vulnerable pgAdmin 4 [CVE-2025-12762]`

26 days ago

November 24, 2025

Summary

Added the ability to secure your Platform account with multi-factor authentication. Organization admins can enforce MFA for all members of their organization.
Use weekly collection digest emails to track changes to your saved Platform queries over time.
Two Rapid Response advisories for XWiki and FortiWeb issues.
Added fingerprints for Frigate NVR and XWiki and an ASM risk fingerprint for XWiki instances vulnerable to CVE-2025-24893.

Platform

You can now add another layer of security to your Platform account with multi-factor authentication (MFA) using an authenticator app.
- Configure your personal MFA settings in Settings > Account Management > Personal Settings > Security.
- Organization admins can configure MFA enforcement for their organization in Settings > Account Management > Organization Settings > Security.
Use collection email notifications to receive weekly messages about updates to your collections. Emails are sent to the email address associated with your user account.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

XWiki Platform Allows Unauthorized RCE Via RondoDox Botnet [CVE-2025-24893]
- The queries below can help identify exposed XWiki instances, but they cannot determine whether systems are vulnerable.
FortiWeb Vulnerability Allows Authenticated OS Command Injection [CVE-2025-58034]
- The queries below can identify FortiWeb instances but do not filter by version.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Frigate NVR	Frigate NVR system.	Platform query
software	XWiki	This is an XWiki server.	Platform query
risk	Vulnerable XWiki [CVE-2025-24893]	XWiki Platform is potentially vulnerable to an unauthenticated remote code execution flaw. If the SolrSearch macro is exposed, an unauthenticated attacker can inject a crafted request into the macro to achieve server-side code execution, which would allow full compromise of the XWiki instance.	ASM query: risks.name: `Vulnerable XWiki [CVE-2025-24893]`

Type

Name

Description

Query

software

Frigate NVR

Frigate NVR system.

Platform query

software

XWiki

This is an XWiki server.

Platform query

risk

Vulnerable XWiki [CVE-2025-24893]

XWiki Platform is potentially vulnerable to an unauthenticated remote code execution flaw. If the SolrSearch macro is exposed, an unauthenticated attacker can inject a crafted request into the macro to achieve server-side code execution, which would allow full compromise of the XWiki instance.

ASM query:

risks.name: `Vulnerable XWiki [CVE-2025-24893]`

about 1 month ago

November 17, 2025

Summary

New AI summary functionality for host assets.

Platform

Use the new Summarize host functionality on host assets in the UI to quickly generate a concise, human-readable summary of the asset using the Censys Assistant.
- This feature is available to Starter and Enterprise users.

about 1 month ago

November 10, 2025

Summary

New Platform Account Management API endpoints for programmatic organization management and credit monitoring.
New fingerprint for Cisco IOS-XE endpoints.

Platform

Use the Account Management API to programmatically manage your organization and monitor credit consumption. New endpoints are available for the following actions:

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
operating_system	Cisco IOS-XE Endpoints	This is a Cisco IOS-XE operating system.	Platform query
software	Bazarr	Bazarr is a companion application to Sonarr and Radarr that manages and downloads subtitles.	Platform query
software	Lidarr	Lidarr is a music collection manager for Usenet and BitTorrent users.	Platform query

about 2 months ago

November 3, 2025

Summary

Collections are now available to all Free users.
One new fingerprint for Tesla Wall Connectors and one new ASM risk fingerprint for exposed Apache ZooKeeper services.

Platform

Free users can now create and monitor collections in the Platform web console.

An example collection that finds newly-created certificates for an example domain.
- Collections let you track changes to internet-facing infrastructure to stay proactive about threats and vulnerabilities using a saved Censys query, so you can spend less time searching and more time taking action.
- Free user collections are limited to 100 assets.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
hardware	Wall Connector	This is a Tesla Energy Wall Connector.	Platform query
risk	ZooKeeper Service Exposed	Apache ZooKeeper is a centralized coordination service used for configuration management, naming, distributed synchronization, and group membership in distributed systems. When ZooKeeper is exposed to the Internet or untrusted networks, attackers may be able to read or modify application configuration and state, enumerate cluster topology, or exploit authentication/ACL misconfigurations to escalate privileges. Exposure can lead to data leakage, service disruption, and full compromise of systems that rely on ZooKeeper for critical coordination.	ASM query

about 2 months ago

October 27, 2025

Summary

Four risks for exposed Watchguard Firewalls, WDBRPC services, atvremote devices, and KVM devices are now enabled for ASM customers.
One new ASM risk fingerprint for BIND 9 resolvers vulnerable to CVE-2025-40778 and one Rapid Response bulletin for this vulnerability.

ASM

The following risks have now been enabled by default for all ASM customers.

Exposed Watchguard Firewall
WDBRPC Service Exposed
Exposed atvremote Device
Exposed KVM

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

BIND 9 Resolver Enables Cache Poisoning Via Unsolicited Answers [CVE-2025-40778]
- The queries below can identify vulnerable BIND 9 resolvers.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
risk	Vulnerable ISC Bind9 [CVE-2025-40778]	This service is running a vulnerable version of ISC Bind9. An attacker may exploit a flaw in DNS response processing that allows cache poisoning via unsolicited answer records, enabling redirection of downstream clients.	ASM query

An RSS feed for Censys release notes is available here.

2 months ago

October 20, 2025

Summary

Rapid Response advisory and queries for exposed F5 BIG-IP products affected by recent nation-state breach.
Threat data now visible for Platform Enterprise customers.
One new fingerprint for Interactsh servers.

Platform

Some threat data for hosts and web properties is now viewable by all users on Enterprise accounts.

An example search result for a host showing that an AsyncRAT threat is present.

The following fields can be seen in the Platform web console and retrieved via API, but may not be searched for or pivoted across unless you also have access to the Threat Hunting module.

Data field	Description
`*.threats.id`	A unique identifier for the threat.
`*.threats.name`	Name of the threat, such as `Cobalt Strike`.
`*.threats.tactic`	How the threat behaves and the purpose of the activity, such as `COMMAND_AND_CONTROL` and `PERSISTENCE`.
`*.threats.type`	The role of the service, such as `PHISHING_SERVER` and `WEBSHELL`.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Nation-State Breach of F5 Networks — Exposure of BIG-IP Source Code & Undisclosed Vulnerabilities
- The queries below can identify F5 BIG-IP instances, but they cannot determine whether systems are vulnerable.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
software	Interactsh Server	This is an Interactsh server. Interactsh is an OOB interaction gathering server and client library.	Platform query

2 months ago

October 13, 2025

Summary

New cencli command line tool to bring Platform features and data to your terminal.
Censys Assistant in the Platform web console for rapid investigations using natural language input.
Support for integrating the Censys ASM MCP Server with Microsoft Copilot Studio.
New fingerprints for Ivanti Endpoint Manager, Oracle Cloud Infrastructure Load Balancer, and Oracle Traffic Director.
One new ASM risk fingerprint for Redis servers vulnerable to CVE-2025-49844.

Platform

The cencli command line tool enables you to run search queries, look up assets, perform aggregations, and more from your terminal window.
- cencli can be used by all registered Platform users.
Use the Censys Assistant AI tool in the Platform web console to input questions in a natural language and obtain answers based on the assets and data present in the Censys Internet Map.
- The Censys Assistant is available to all Starter and Enterprise users.

ASM

Integrate the Censys ASM MCP Server with Microsoft Copilot Studio to seamlessly incorporate Censys ASM functionality with your AI tools.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

Pre-Auth RCE Chain in Oracle E-Business Suite Software [CVE-2025-61882]
- The queries below can help identify Oracle E-Business Suite instances, but they cannot determine whether systems are vulnerable.
13 Unpatched Zero-Days in Ivanti Endpoint Manager Enabling RCE
- The following queries can help identify exposed Ivanti Endpoint Manager / LANDesk instances, but they are not necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable Redis Server [CVE-2025-49844] - RediShell	This Redis service may be vulnerable to CVE-2025-49844 (RediShell), a critical Use-After-Free vulnerability that allows an authenticated attacker to execute arbitrary code by sending a specially crafted Lua script. The vulnerability affects all Redis versions with Lua scripting support (versions 8.2.1 and below) and has existed in the codebase for approximately 13 years.	ASM query: risks.name: `Vulnerable Redis Server [CVE-2025-49844] - RediShell`
software	Ivanti Endpoint Manager	This is Ivanti Endpoint Manager (formerly LANDESK Management Suite), an enterprise endpoint management solution for unified IT operations.	Platform query
software	Oracle Cloud Infrastructure Load Balancer	This is an Oracle Cloud Infrastructure (OCI) Load Balancer. An OCI Load Balancer provides automated traffic distribution from one entry point to multiple servers in a set.	Platform query
software	Oracle Traffic Director	This is an Oracle Traffic Director. Oracle Traffic Director is a layer-7 software load balancer.	Platform query

3 months ago

October 6, 2025

Summary

New Insights experience in ASM to help you understand key data points about your attack surface.
Unauthenticated access to Platform for easy browsing.
New software fingerprints for RustDesk Console, Progress Chef Automate, and ligolo-ng.
A new risk for exposed KVM devices for ASM.

ASM

Use Insights in ASM to stay on top of key security initiatives like software compliance and vulnerability management.
- Insights organizes and presents key data points about your attack surface, like the state of your inventory's software and services, in an understandable and easily actionable format.
- The Insights search bar provides several pre-formatted prompts to help you investigate your inventory and learn how to build useful ASM queries.
- Insights is available to all ASM users.

Platform

Added the ability to use the Platform without logging in to an account. Use this functionality to look up assets, perform searches, and view shared Platform links.
- Unauthenticated users can perform a maximum of five actions before they must log in.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Exposed KVM	These devices provide keyboard, video, and mouse (KVM) over IP and are used for remote server access.	ASM risk query: risks.name: `Exposed KVM`
software	RustDesk Console	RustDesk Console is a self-hosted management interface for RustDesk remote desktop sessions.	Platform query
software	ligolo-ng	ligolo-ng is a reverse tunneling and proxy tool for pentesters.	Platform query
software	Progress Chef Automate	Progress Chef Automate is a centralized compliance and infrastructure automation platform for Chef configurations across environments.	Platform query