3 months ago

September 29, 2025

Summary

New twist function for Platform search queries.
Added matched services for search results in the Platform UI and API.
New fingerprints for popular KVM products and Ollama.
One Rapid Response bulletin for an RCE in Cisco IOS and IOS XE software.

Platform

Use the new twist function in your Platform queries to find field values that are similar to a specified value.
- You can use the twist function to find typosquatted domains or domains attempting to impersonate a valid domain by omitting known domains from your query. For example, the following query will find web properties that use names similar to censys.io but will omit results that include censys.io.
```
* * twist(web.hostname, 'censys.io') and not web.hostname:'censys.io'
```
Use matched services in the UI and API to rapidly find host services that contain data that match your search criteria.
- Matched services in the UI are shown in the Matched Fields section. Click the service icon to navigate directly to the service card on the host.
- Matched services in the API are returned in a matched_services object for each host that contains matching data.
```
          "matched_services": [
            {
              "protocol": "HTTP",
              "port": 18083,
              "transport_protocol": "tcp"
            }
          ]
```
The Share link action was moved to the Search Actions menu next to the search bar in the Platform web UI. Use this to generate share links for assets, search query results, and more.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

SNMP RCE in Cisco IOS and IOS XE Software [CVE‑2025‑20352]
- The queries below can help identify any affected Cisco devices exposing SNMP, but they are not necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Type	Name	Query
software	NanoKVM	Platform query
software	TinyPilot KVM	Platform query
software	JetKVM	Platform query
software	PiKVM	Platform query
software	BliKVM	Platform query
software	EJOIN SMS Gateway/SimBox	Platform query
software	Ollama AI Model Hosting Platform	Platform query
software	Palo Alto Networks Cortex XSOAR EDL Service	Platform query

3 months ago

September 22, 2025

Summary

Platform

API

Platform lookup API endpoints may now be used by Free users.
- Lookup endpoints cost 1 credit per asset retrieved, which is the same cost to look up assets in the Platform web UI.
- Free users can create Personal Access Tokens in the Platform web UI to execute API calls.
- The lookup endpoints no longer require an organization ID to be executed.
  - If you have access to a Starter or Enterprise organization ID and do not include it in your lookup API call, then the cost is deducted from your Free credit balance. Additionally, the endpoint will only return data that is available to Free users.
- Free users have access to the following API endpoints:

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	GoAnywhere MFT Deserialization Vulnerability [CVE-2025-10035]	This service is running a version of GoAnywhere Managed File Transfer software vulnerable to a deserialization vulnerability that could lead to remote code execution.	ASM risk query: risks.name: `GoAnywhere MFT Deserialization Vulnerability [CVE-2025-10035]`
risk	Exposed atvremote Device	This device is running atvremote, a tool used to control TV devices over the network. It communicates with services such as AirPlay, Media Remote Protocol (MRP), and Companion API, which are designed for local network use only and should not be exposed to the public internet. If left accessible, attackers could gain unauthorized control of the TV or compromise the device as part of a botnet.	ASM risk query: risks.name: `Exposed atvremote Device`
software	atvremote	This is an atvremote server.	Platform query

Type

Name

Description

Query

risk

GoAnywhere MFT Deserialization Vulnerability [CVE-2025-10035]

This service is running a version of GoAnywhere Managed File Transfer software vulnerable to a deserialization vulnerability that could lead to remote code execution.

ASM risk query:

risks.name: `GoAnywhere MFT Deserialization Vulnerability [CVE-2025-10035]`

risk

Exposed atvremote Device

This device is running atvremote, a tool used to control TV devices over the network. It communicates with services such as AirPlay, Media Remote Protocol (MRP), and Companion API, which are designed for local network use only and should not be exposed to the public internet. If left accessible, attackers could gain unauthorized control of the TV or compromise the device as part of a botnet.

ASM risk query:

risks.name: `Exposed atvremote Device`

software

atvremote

This is an atvremote server.

Platform query

3 months ago

September 15, 2025

Summary

New Threat Hunting MCP Server to give your AI agents access to Censys Threat Hunting APIs, empowering you to find and investigate potential threats at machine speed.
Two new scanners for Crestron over IP and MikroTik WinBox.
New SAP NetWeaver AS Java and Sitecore Experience Platform risk fingerprints for ASM.

Platform

Threat Hunting Module

Use the Threat Hunting Model Context Protocol (MCP) Server to give your AI agents access to Censys Threat Hunting APIs, empowering you to find and investigate potential threats at machine speed.

New protocol and application scanners

Added scanners for the following services.

Protocol/application	Query
`CRESTRON_OVER_IP`	Platform query
`MIKROTIK_WINBOX`	Platform query

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable SAP NetWeaver AS Java [CVE-2025-42922]	SAP NetWeaver AS Java (Deploy Web Service component), versions under J2EE-APPS 7.50, is vulnerable to an insecure file operations issue. The flaw allows an attacker with non-administrative authenticated access to upload arbitrary files through the deployment web service. Once an uploaded file is executed, the attacker may achieve full system compromise.	ASM risk query: risks.name: `Vulnerable SAP NetWeaver AS Java [CVE-2025-42922]`
risk	Vulnerable Sitecore Experience Platform [CVE-2025-53690]	Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) versions through 9.0.2 are affected by a critical deserialization vulnerability tracked as CVE-2025-53690. This vulnerability allows remote attackers to inject arbitrary code through deserialization of untrusted data, potentially leading to remote code execution.	ASM risk query: risks.name: `Vulnerable Sitecore Experience Platform [CVE-2025-53690]`

Type

Name

Description

Query

risk

Vulnerable SAP NetWeaver AS Java [CVE-2025-42922]

SAP NetWeaver AS Java (Deploy Web Service component), versions under J2EE-APPS 7.50, is vulnerable to an insecure file operations issue. The flaw allows an attacker with non-administrative authenticated access to upload arbitrary files through the deployment web service. Once an uploaded file is executed, the attacker may achieve full system compromise.

ASM risk query:

risks.name: `Vulnerable SAP NetWeaver AS Java [CVE-2025-42922]`

risk

Vulnerable Sitecore Experience Platform [CVE-2025-53690]

Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) versions through 9.0.2 are affected by a critical deserialization vulnerability tracked as CVE-2025-53690. This vulnerability allows remote attackers to inject arbitrary code through deserialization of untrusted data, potentially leading to remote code execution.

ASM risk query:

risks.name: `Vulnerable Sitecore Experience Platform [CVE-2025-53690]`

3 months ago

September 8, 2025

Summary

Added the ability to log in to the Platform using Google.
One new fingerprint for Cisco Secure Firewall Management Center.

Platform

Added the ability to log in to the Platform using Google.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
software	Cisco Secure Firewall Management Center	This is a Cisco Secure Firewall Management Center.	Platform query

4 months ago

September 2, 2025

Summary

Cloud CDN Identification for ASM to map CDN presence in your attack surface.
One new ASM risk for Citrix Netscaler.

ASM

Use Cloud CDN Identification with ASM Cloud Connectors to understand CDN presence in your attack surface.
- Cloud CDN Identification finds Azure Front Door CDN and AWS CloudFront software and reports it in the software data provided for host services and web entity instances. You can search for these Cloud CDNs in your inventory by performing a full-text search for the applicable service (such as "CloudFront" or "Front Door") or by searching for the product name in host.services.software.product or web_entity.instances.software.product.
- All newly set up Azure and AWS Cloud Connectors will ingest cloud CDN information by default. Customers with existing Azure and AWS Cloud Connector configurations need to manually update their Cloud Connectors to begin ingesting this data. To update your Cloud Connector to ingest Cloud CDN data:
  1. In the ASM web console, go to Integrations, find your Cloud Connector integration, and click Manage.
  2. In the configuration panel, click Edit Configuration, then click Next Step. Click Next Step again.
  3. Click Close. Your Cloud Connector is now updated.

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
risk	Vulnerable Citrix Netscaler Application [CVE-2025-7775, CVE-2025-7776, CVE-2025-8424]	This device is vulnerable to multiple critical CVEs: CVE-2025-7775 (memory overflow leading to pre-authentication remote code execution and DoS), CVE-2025-7776 (memory overflow causing unpredictable behavior and DoS), and CVE-2025-8424 (improper access control on management interface). These vulnerabilities have been actively exploited in the wild since June 2025.	ASM query: risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-7775, CVE-2025-7776, CVE-2025-8424]`

Type

Name

Description

Query

risk

Vulnerable Citrix Netscaler Application [CVE-2025-7775, CVE-2025-7776, CVE-2025-8424]

This device is vulnerable to multiple critical CVEs: CVE-2025-7775 (memory overflow leading to pre-authentication remote code execution and DoS), CVE-2025-7776 (memory overflow causing unpredictable behavior and DoS), and CVE-2025-8424 (improper access control on management interface). These vulnerabilities have been actively exploited in the wild since June 2025.

ASM query:

risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-7775, CVE-2025-7776, CVE-2025-8424]`

4 months ago

August 25, 2025

Summary

New historical hosts for a certificate API endpoint.
Several enhancements for the Investigation Manager to make it easier to create, navigate, and pivot from investigations.
A new fingerprint for N-able N-central.
Two new risks for ASM.

Platform

Threat Hunting

Use the get host history for a certificate API to retrieve the historical observations of hosts associated with a certificate. This is useful for threat hunting, detection engineering, and timeline generation.

Investigation Manager

Added the ability to create investigations directly from host, certificate, web property, and collection pages.
Added an asset node details card for hosts that includes geographic location, labels, reverse and forward DNS, service ports and protocols, and more contextual data. This card appears when you click on host nodes in the investigation manager UI.
Added a minimap to the bottom right corner of the investigation UI to make it easier to navigate your investigations.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Plex Warns Users to Patch Security Vulnerability in Plex Media Server
- Use the following queries to find Plex Media Server login portals. Not all of these are necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	WDBRPC Service Exposed	This service is running WDBRPC (VxWorks WDB Remote Proceudre Call), a debugging protocol used by VxWorks real-time operating systems. WDB enables remote debugging, memory access, and system control of embedded devices. Exposure allows attackers to read/write system memory, execute arbitrary code, access sensitive data, or completely compromise the embedded system.	ASM query: risks.name: `WDBRPC Service Exposed`
risk	Vulnerable N-able N-central [CVE-2025-8875 & CVE-2025-8876]	This is a service running a version of N-able N-central that is vulnerable to CVE-2025-8875 and CVE-2025-8876.	ASM query: risks.name: `Vulnerable N-able N-central [CVE-2025-8875 & CVE-2025-8876]`
software	N-able N-central	This is an N-able N-central Remote Monitoring & Management solution.	Platform query

Type

Name

Description

Query

risk

WDBRPC Service Exposed

This service is running WDBRPC (VxWorks WDB Remote Proceudre Call), a debugging protocol used by VxWorks real-time operating systems. WDB enables remote debugging, memory access, and system control of embedded devices. Exposure allows attackers to read/write system memory, execute arbitrary code, access sensitive data, or completely compromise the embedded system.

ASM query:

risks.name: `WDBRPC Service Exposed`

risk

Vulnerable N-able N-central [CVE-2025-8875 & CVE-2025-8876]

This is a service running a version of N-able N-central that is vulnerable to CVE-2025-8875 and CVE-2025-8876.

ASM query:

risks.name: `Vulnerable N-able N-central [CVE-2025-8875 & CVE-2025-8876]`

software

N-able N-central

This is an N-able N-central Remote Monitoring & Management solution.

Platform query

4 months ago

August 18, 2025

Summary

New MCP server for ASM.
New Platform scan and query converter APIs.
One new fingerprint for Wavlink routers.
Learn more about these updates here.

ASM

Use the ASM Model Context Protocol (MCP) Server to give your AI agents and workflows secure, governed, and direct access to your ASM inventory, empowering you to explore and understand your attack surface at machine speed.

Platform

API

Added new API endpoints for Live Rescan, Live Discovery, and retrieving scan status.
Added a new API endpoint for converting Legacy Search queries into Platform queries.

Bug fixes

Fixed an issue that caused some large number values, such as Cobalt Strike watermarks, to display in scientific notation.

New protocols and application scanners

Added support for the following protocols and applications.

Protocol/application	Query
`ASTERISK_MANAGER_INTERFACE`	Platform query
`ODETTE_FTP`	Platform query
`OPENVPN_MGMT`	Platform query

New fingerprints

Added the following fingerprint.

Type	Name	Description	Query
software/hardware	Wavlink Router	This is a Wavlink Router.	Platform query

4 months ago

ASM: WHOIS to RDAP Migration

Beginning August 21, 2025, ICANN will require registrars to deactivate WHOIS in favor of RDAP (Registration Data Access Protocol). Censys Attack Surface Management (ASM) currently uses WHOIS data for attribution purposes.

The registration data provider used for ASM's attribution process supports RDAP, but expects disruptions after August 21, 2025. Censys has mitigations in place to minimize the issues that may occur as a result of this change. Additionally, Censys' attribution process supports RDAP for asset discovery.

This document provides additional context about this issue and Censys' plan to navigate the switch from WHOIS to RDAP.

Background and ASM context

WHOIS is a protocol that is used for collecting domain and CIDR registration data. It has been the internet standard for several decades, but ICANN has announced the EOL of WHOIS in favor of RDAP, a more modern registration data protocol.

On January 28, 2025, domain registrars were no longer required by ICANN to support WHOIS. Beginning August 21, 2025, registrars are required to stop supporting WHOIS in favor of RDAP.

ASM uses WHOIS registration information for its attribution, specifically for domain and CIDR discovery. These domains and CIDRs are then used to attribute assets to each workspace.

To date, only 13% of domains have been migrated to RDAP, so extensions are likely beyond August 21, 2025. However, customers may experience disruption to WHOIS data after this date.

Mitigation plan

Censys is in constant contact with its WHOIS and RDAP data provider to minimize data loss.

Censys' WHOIS data provider has updated their API to automatically check for RDAP if WHOIS returns no data. In addition, Censys will pull RDAP data after August 21, 2025.

If both WHOIS and RDAP return no data for valid, non-expired domains with existing registrant information, Censys plans to cache the domains until data is returned.

4 months ago

August 11, 2025

Download search results for Core and Enterprise Platform users, new Platform API endpoints for retrieving certificates in PEM format, new fingerprints for Papercut print servers and Oracle E-Business Suite, two new risks for ASM, and one Rapid Response bulletin on a flaw affecting Microsoft Exchange hybrid deployments.

Platform

Core and Enterprise users can now download search results in CSV format in the Platform UI.
- Each page of results must be downloaded separately.
- Each CSV file can contain a maximum of 100 results.

API

Added two new API endpoints to retrieve a single certificate or multiple certificates in PEM format.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

High-Severity Flaw Affecting Microsoft Exchange Hybrid Deployments [CVE-2025-53786]
- Use the following queries to find Exchange servers that may or may not have an OWA portal present. Not all of these are necessarily vulnerable. Read the blog for more information about finding OWA portals and hosts with Exchange servers and OWA portals on the same device.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable Exchange Server [CVE-2025-53786]	The Microsoft Exchange application is running a version that is potentially vulnerable to CVE-2025-53786, which allows privilege escalation on on-premises Exchange Servers configured as hybrid deployments.	ASM risk query: risks.name: `Vulnerable Exchange Server [CVE-2025-53786]`
risk	Vulnerable Papercut Print Server CVE-2023-2533	This Papercut MF/NG Print Server is vulnerable to CVE-2023-2533, a CSRF vulnerability that could potentially allow an attacker to alter security settings or execute arbitrary code. This can be only be exploited if the target is an admin with a current login session, and often times requires the user to click a specially crafted malicious link. Versions < 20.1.8, 21.0.0 - 21.2.11, and 22.0.0 - 22.1.0 are affected.	ASM risk query: risks.name: `Vulnerable Papercut Print Server CVE-2023-2533`
software	Oracle E-Business Suite	Oracle E-Business Suite is an integrated set of business applications that helps enterprises manage core functions like finance, supply chain, human resources, and customer relationship management.	Platform query
software	Papercut NG Print Server	Papercut NG is a print management system.	Platform query
software	Papercut MF Print Server	Papercut MF is a print management system.	Platform query

5 months ago

August 4, 2025

Query Assistant improvements in the Platform and seventeen risks enabled for ASM, including numerous service exposures like WINRM and DCERPC.

Platform

You no longer need to click the generate button to convert natural language input into a Censys Query Language query using the Query Assistant. Instead, the query assistant now automatically converts natural language after you enter it.

ASM

The following risks are now enabled for all ASM customers.

Risk name	Description	Severity
ATG (Automatic Tank Gauging) Service Exposed	This service is running Automatic Tank Gauging (ATG) protocol used for monitoring fuel tanks and fluid levels in critical infrastructure. ATG systems control fuel distribution, inventory management, and leak detection systems. Exposure allows attackers to manipulate fuel readings, cause environmental damage, or disrupt operations.	Critical
OPC UA Service Exposed	This service is running OPC Unified Architecture (OPC UA), a critical industrial communication protocol used for data exchange between industrial equipment, SCADA systems, and manufacturing execution systems. Exposed OPC UA servers allow attackers to read sensitive operational data, modify control parameters, or disrupt industrial processes.	Critical
GE SRTP Service Exposed	This service is running GE SRTP (General Electric Service Request Transport Protocol), used for communication with GE industrial control systems, PLCs, and automation equipment. GE SRTP enables configuration, monitoring, and control of critical infrastructure equipment. Exposure allows attackers to access control systems, modify operational parameters, or cause equipment failures.	Critical
PCWORX Service Exposed	This service is running PCWORX protocol, used by Phoenix Contact PLCs and industrial automation systems. PCWORX enables programming, configuration, and real-time communication with industrial controllers in manufacturing, building automation, and process control applications. Exposure allows attackers to read/write PLC programs, modify control logic, or disrupt automated processes.	Critical
IEC 60870-5-104 Service Exposed	This service is running IEC 60870-5-104, a critical power system communication protocol used for telecontrol and SCADA in electrical power systems. This protocol controls power generation, transmission, and distribution infrastructure. Exposure allows attackers to manipulate power grid operations, cause blackouts, or damage electrical equipment.	Critical
MMS (Manufacturing Message Specification) Service Exposed	This service is running Manufacturing Message Specification (MMS), an ISO standard for real-time communication in industrial automation systems. MMS enables communication between SCADA systems, DCS controllers, and manufacturing equipment. Exposure allows attackers to read critical process data, modify control parameters, or disrupt manufacturing operations.	High
HART Service Exposed	This service is running HART (Highway Addressable Remote Transducer) protocol, used for communication with smart field devices in process automation. HART enables digital communication with sensors, transmitters, and actuators in chemical plants, refineries, and other industrial facilities. Exposure allows attackers to read process measurements, modify device configurations, or disrupt critical control loops.	High
UBIQUITI Service Exposed	This service is designed for Ubiquiti device management and configuration. Ubiquiti devices often have default credentials and known vulnerabilities, making them attractive targets for attackers seeking to gain network access or use devices in botnet attacks.	High
NETIS Service Exposed	This service is running the NETIS router configuration protocol. NETIS routers have a well-known backdoor vulnerability (CVE-2014-2321) that allows unauthenticated remote access via UDP port 53413. This backdoor has been widely exploited by malware and botnets for gaining network access and launching attacks.	Critical
SSDP Service Exposed	This service is running the Simple Service Discovery Protocol (SSDP), which is part of the UPnP protocol suite. SSDP is a major vector for DDoS amplification attacks with amplification factors up to 30x. It also exposes detailed device information that can be used for network reconnaissance and targeted attacks.	High
WS-Discovery Service Exposed	This service is running Microsoft's Web Services Dynamic Discovery (WS-Discovery) protocol used for device and service discovery on networks. When exposed to the Internet, it can be abused for DDoS amplification attacks and allows attackers to gather detailed information about internal network devices and services.	Medium
TP-Link Kasa Service Exposed	This service is running TP-Link Kasa smart home device management protocol. Exposed Kasa devices allow unauthorized users to control smart plugs, lights, cameras, and other IoT devices, potentially enabling privacy invasion, device manipulation, or using devices as entry points for further network attacks.	Medium
Chromecast Service Exposed	This service is designed for Google Chromecast streaming and control functionality. Exposed Chromecast devices can allow unauthorized users to hijack media streaming, play unwanted content, or use the device as an entry point for network reconnaissance and attacks.	Medium
Yahoo Smart TV Service Exposed	This service is designed for Yahoo Smart TV functionality and remote control capabilities. Exposed Smart TV services can be targets for unauthorized access, privacy invasion through camera/microphone access, or incorporation into IoT botnets for DDoS attacks.	Medium
IOTA Service Exposed	This service is part of the IOTA distributed ledger technology ecosystem. Exposed IOTA nodes can be targets for cryptocurrency-related attacks, DDoS amplification, or exploitation of node software vulnerabilities.	Medium
DCERPC Service Exposed	The Distributed Computing Environment / Remote Procedure Call (DCERPC) protocol is used by many Windows services for remote management, authentication, and service control. It operates by default over port 135/TCP. Exposure of DCERPC services to the internet can allow attackers to enumerate available services, exploit unpatched vulnerabilities, and potentially execute remote code. DCERPC should never be exposed directly to the internet without strict access controls.	High
WINRM Service Exposed	Windows Remote Management (WinRM) is a Microsoft protocol used for remotely managing Windows systems via PowerShell and other tools. While powerful for automation and administration, exposing WinRM to the internet is dangerous because it can allow attackers to execute remote commands, especially if using weak or default credentials. It supports basic and NTLM authentication, which can be intercepted or brute-forced, particularly over unencrypted HTTP (port 5985). Without proper safeguards like VPN access, strong auth, and firewalls, an exposed WinRM service is a high-risk entry point for attackers.	High