Open directory data enhancements and suspicious directory threat, graphical investigation explorer, CensEye enhancements, and more improvements in the Platform; Chrome browser extension, and registrant email domain pivoting in ASM.

Platform

Threat Hunting

• Build node-based pivot trees to discover, visualize, and understand connections between web assets in the Censys datasets using the Investigation Manager in the Platform web UI.
• Use the Suspicious Directory threat to find and track web assets with open directories that contain security tools, penetration testing utilities, webshells, or other potentially malicious files. Use this threat information to find hosts and web services with suspicious files before they are leveraged in attacks.
• Leverage the open directory visual explorer and open directory parsed fields to quickly understand directory information at a glance, including file names, sizes, last modified dates, and directory structure.
• Made several changes to the default CensEye pivot fields for hosts, web properties, and certificates, including:
  • Added TLS fingerprinting fields (JA4S, JA3S, JA4X, JARM) for better network analysis
  • Added SSH, Cobalt Strike, and protocol-specific pivots for threat detection
  • Added HTTP metadata fields (headers, favicons, body hashes) for web analysis
  • Switched favicon hashes from MD5 to SHA256 for improved security
  • Added support for specialized protocols including SCADA, Kubernetes, and SNMP

Chrome browser extension

• Perform IP lookups and full-text searches from within a browser window using the Censys Chrome browser extension.

API

• Added the count_by_level parameter to the aggregate endpoint to allow you to specify which document level's count is returned per term bucket, primarily for nested fields. This is the same functionality available in the Count By dropdown in the Report Builder UI.

ASM

• Added registrant email domain pivoting to the ASM attribution process during seed discovery.
  • If ASM finds the email address [email protected] associated with a domain that belongs to you, it will pivot to find other assets registered to any censys.com email address. If you accept an email domain as a seed, you will see many new registrant emails appear in the seed discovery list.
  • If you have continuous seed discovery enabled, this update may result in more frequent seed discovery emails for newly found email addresses.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• Critical CrushFTP Vulnerability Added to CISA KEV [CVE-2025-54309]
  • Use the following queries to find CrushFTP servers. Not all of these are necessarily vulnerable.
    • Platform query
    • Legacy Search query
    • ASM query
    • ASM risk query

New fingerprints

Added the following fingerprints.

risks.name: `Vulnerable CrushFTP [CVE-2025-54309]`

Platform MCP Server for AI agents, Platform web service screenshots, and more enhancements.

Platform

• Use the Platform Model Context Protocol (MCP) Server to give your AI agents and workflows secure, governed, and direct access to the entire Censys Internet Map and Platform APIs, empowering you to hunt, triage, and respond at machine speed.
• Visually investigate exposed assets on the Censys Platform with recurring and on-demand web service screenshots.
• Added HTML titles (host.services.endpoints.http.html_title and web.endpoints.http.html_title) to the default pivot fields for CensEye to quickly discover related infrastructure.
• Use the filter_by_query parameter on Platform API aggregate endpoints to limit aggregation results to those that match your query. This functionality is equivalent to the filter checkbox in the Report Builder UI.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

• ToolShell Exploit Enables Unauthenticated SharePoint RCE [CVE-2025-53770]
  • Use the following queries to find SharePoint servers. Not all of these are necessarily vulnerable.
    • Platform query
    • Legacy Search query
    • ASM query
• Pre-Auth SQL Injection Leads to RCE in Fortinet FortiWeb [CVE-2025-25257]
  • Use the following queries to find FortiWeb devices. Not all of these are necessarily vulnerable.
    • Platform query
    • Legacy Search query
    • ASM query

New CensEye API endpoint, Live Rescan for all Enterprise customers, enhancements to Platform AI tool configuration, recent searches in the Platform web UI, and more.

Platform

• Use the CensEye value counts API to obtain counts of web assets for specific field-value pairs and combinations of field-value pairs for rapid research and analysis.
• Added combined HTTP header key and value information to the default pivot fields for CensEye to quickly discover related infrastructure.
• All Enterprise customers now have access to the Live Rescan feature.
• Added the ability to configure AI tool usage and privacy settings at the individual user and organization level.
• Added recent searches to the search bar in the Platform web UI.
• Platform Starter users may now configure their Censys Credits to automatically replenish when they reach a specific amount.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• Unauthenticated RCE in Wing FTP Server [CVE-2025-47812]
  • Use the following queries to identify exposed Wing FTP servers. Not all of these are necessarily vulnerable.
    • Platform query
    • Legacy Search query
    • ASM query
    • ASM risk query

New fingerprints

Added the following fingerprints.

risks.name = "Vulnerable Wing FTP Server CVE-2025-47812"

CVE risk rescan and scan data links in ASM, three new software fingerprints, and one new Rapid Response bulletin.

ASM

• Use the ability to rescan CVE risks on host risk cards in the ASM web console to verify that a CVE risk has been closed after completing your or remediation workflows. Use the View Scan Data button to see the scan data for the service.

  

• Added the ability to copy data field names from table header rows in the ASM web console to quickly search your inventory for relevant assets.

  

New fingerprints

Added the following fingerprints.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• Multiple Vulnerabilities in NetScaler Gateway & ADC [CVE-2025-5777 & CVE-2025-6543 & CVE-2025-5439]
  • Use the following queries to identify exposed MegaRAC SPx firmware. Not all of these are necessarily vulnerable, as specific version information may not be available.
    • Platform query
    • Legacy Search query
    • ASM query

Five new hardware and software fingerprints and three new risks for ASM.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

• Multiple Vulnerabilities in NetScaler Gateway & ADC [CVE-2025-5777 & CVE-2025-6543 & CVE-2025-5439]
  • Use the following queries to identify exposed NetScaler Gateway and ADC instances. Not all of these are necessarily vulnerable, as specific version information may not be available.
    • Platform query
    • Legacy Search query
    • ASM query
    • ASM risk query

New fingerprints

Added the following fingerprints.

risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-6543]`

risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-5349, CVE-2025-5777]`

risks.name: `Vulnerable Sitecore Experience Platform [CVE-2025-34509]`

CVE risk exploit context in ASM, two new software fingerprints, and one risk fingerprint.

ASM

• Use new CVE risk exploit context data to help you understand, triage, and remediate risks in your attack surface.
  • New context data includes risk exploit maturity status, threat actor, botnet, and ransomware enrichment, EPSS scores, and CVSSv4 scores.

    

    

  • CVE risk exploit context is available to all ASM Enterprise customers. ASM Advanced customers may purchase access to it.

New fingerprints

Added the following fingerprints.

risks.name: `Vulnerable Erlang OTP Instance [CVE-2025-32433]`

Four new fingerprints and two Rapid Response bulletins.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

• Wazuh RCE Vulnerability Exploited to Deploy Mirai Botnets
  • Use the following queries to identify exposed Wazuh servers, but they are not necessarily vulnerable to the exploit.
    • Platform query
    • Legacy Search query
    • ASM query
    • ASM risk query
      • This query can be used to find instances of Wazuh server that are vulnerable to the exploit.
• Roundcube Webmail Vulnerable to Authenticated RCE [CVE-2025-49113]
  • Use the following queries to find Roundcube Webmail instances. Not all of these are necessarily vulnerable to the exploit described in the bulletin.
    • Platform query
    • Legacy Search query
    • ASM query
    • ASM risk query
      • This query can be used to find instances of Roundcube Webmail that are vulnerable to the exploit.

New fingerprints

Added the following fingerprints.

risks.name: `Vulnerable Wazuh [CVE-2025-24016]`

risks.name: `Vulnerable Roundcube [CVE-2025-49113]`

Platform Query Assistant beta for all users, Platform Threat Hunting module release, general availability for the Platform, two Rapid Response bulletins, several new risk fingerprints, and one new software fingerprint.

Platform

• Quickly generate valid search Censys Query Language (CenQL) queries using natural language input with the new Query Assistant tool in the Platform web UI.
  • Query Assistant is a beta feature available to all Platform users.
• Use the Platform Threat Hunting module to detect, analyze, and track threat infrastructure with speed and precision. The module enables you to explore the threat dataset with structured tools, historical context, and workflows. These capabilities help users validate threats in real time and uncover hidden clusters of malicious assets. The Threat Hunting module includes the following:
  • The Platform threat dataset that maps malware, threat actors, and tactics to services or endpoints running on exposed hosts and web properties.
  • Interactive Explore Threats page that provides a centralized view into internet-facing infrastructure linked to malware and threat actors. Use interactive visualizations, curated threat profiles, and simplified filtering to quickly identify relevant threats.
  • CensEye automated pivoting tool to help you identify web assets on the internet that share a specific key-value pair with an asset of interest to quickly pivot into related infrastructure.
  • Live Rescan and Discovery to run fresh scans on specific ports to instantly validate infrastructure behavior, detect configuration changes, and confirm asset persistence without waiting for scheduled Censys scans.
  • Certificate Timeline that provides a visual history of when a certificate presented itself on hosts and web properties. This visualization gives threat hunters historical context that simplifies the detection of patterns, trends, and anomalies that could signal malicious behavior.
• The Censys Platform is now generally available to all customers.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

• ConnectWise ScreenConnect Vulnerability Added to CISA KEV [CVE-2025-3935]
  • Use the following queries to find instances of ConnectWise ScreenConnect. Not all of these are necessarily vulnerable, as specific version information may not be available.
    • Platform query
    • Legacy Search query
    • ASM query
    • ASM risk query
• vBulletin Allows Unauthenticated Users to Invoke Protected API Controllers’ Methods to Achieve RCE [CVE-2025-48827-48828]
  • Use the following Platform query to find vulnerable vBulletin instances. It requires a Starter or Enterprise plan, as it uses regex.
    • Platform query
  • Use the following queries to find vBulletin instances. Not all of these are necessarily vulnerable, as version-related information is not targeted using these queries.
    • Platform query
    • Legacy Search query
    • ASM query
    • ASM risk query

New fingerprints

Added the following fingerprints.

risks.name: `Insecure SNMP Service Exposed`

risks.name: `Vulnerable ConnectWise ScreenConnect [CVE-2025-3935]`

risks.name: `Vulnerable vBulletin [CVE-2025-48827]`

risks.name: `ASUS Backdoor IOC`

Sort, filter, and search options on the Collections page in the Platform web UI, two Rapid Response bulletins, and two new fingerprints.

Platform

• Added the ability to filter by owner, filter by category, search by name or ID, and sort by creation date, last updated date, or name on the Collections page in the Platform web UI.

  

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

• Ivanti EPMM Chained Exploits Added to CISA KEV [CVE-2025-4427-4428]
  • Use the following queries to find exposed Ivanti EPMM instances. Not all of these are necessarily vulnerable, as specific version information may not be available.
    • Platform query
    • Legacy Search query
    • ASM query
    • ASM risk query
• Samsung MagicInfo9 Path Traversal Vulnerability Added to CISA KEV [CVE-2025-4632]
  • Use the following queries to find exposed MagicInfo9 instances. Not all of these are necessarily vulnerable, as specific version information may not be available.
    • Platform query
    • Legacy Search query
    • ASM query

New fingerprints

Added the following fingerprints.

risks.name: `Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428]`

Dark mode and CT logs page in the Platform web UI, improved filtering on the ASM Ports & Protocols dashboard, two new Rapid Response bulletins.

Platform

• Added dark mode to the Platform web UI. To switch between light and dark mode, click your profile icon and use the Light Mode / Dark Mode toggle.

  

• Use the new Certificate Transparency (CT) logs page in the Platform web UI to see the logs Censys monitors as well as additional certificate metadata.

  
  • This page always reflects the current state of Censys CT log monitoring.
  • Navigate to the page via the Help menu in the top-right corner of the Platform web console.

ASM

• Added the ability to filter the Ports & Protocols dashboard to a specific port range.

  

• Added a filter option for unknown protocols to the Ports & Protocols dashboard.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

• Synacor Zimbra Collaboration Suite XSS Vulnerability Added to CISA KEV (CVE-2024-27443)
  • Use the following queries to Zimbra Collaboration Suite instances. Not all of these are necessarily vulnerable, as specific version information may not be available.
    • Platform query
    • Legacy Search query
    • ASM query
• Srimax Output Messenger Directory Traversal Vulnerability Added to CISA KEV (CVE-2025-27920)
  • Use the following queries to find instances of Srimax Output Messenger. Not all of these are necessarily vulnerable, as specific version information may not be available.
    • Platform query
    • Legacy Search query
    • ASM query

New fingerprints

Added the following fingerprints.