5 months ago

June 16, 2025

Four new fingerprints and two Rapid Response bulletins.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

Wazuh RCE Vulnerability Exploited to Deploy Mirai Botnets
- Use the following queries to identify exposed Wazuh servers, but they are not necessarily vulnerable to the exploit.
  - Platform query
  - Legacy Search query
  - ASM query
  - ASM risk query
    - This query can be used to find instances of Wazuh server that are vulnerable to the exploit.
Roundcube Webmail Vulnerable to Authenticated RCE [CVE-2025-49113]
- Use the following queries to find Roundcube Webmail instances. Not all of these are necessarily vulnerable to the exploit described in the bulletin.
  - Platform query
  - Legacy Search query
  - ASM query
  - ASM risk query
    - This query can be used to find instances of Roundcube Webmail that are vulnerable to the exploit.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Synology VPN Plus Server	This is a Synology VPN Plus Server.	Platform query
software	3CX Web Client	The 3CX Web Client is a browser-based application that provides users with tools for communication and collaboration, including call management, video conferencing, live chat, and integration with messaging platforms such as WhatsApp, Facebook, and SMS/MMS.	Platform query
risk	Vulnerable Wazuh [CVE-2025-24016]	An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent.	ASM query: risks.name: `Vulnerable Wazuh [CVE-2025-24016]`
risk	Vulnerable Roundcube [CVE-2025-49113]	This is a Roundcube server running a version of Roundcube that is vulnerable to CVE-2025-49113. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.	ASM query: risks.name: `Vulnerable Roundcube [CVE-2025-49113]`

5 months ago

June 10, 2025

Platform Query Assistant beta for all users, Platform Threat Hunting module release, general availability for the Platform, two Rapid Response bulletins, several new risk fingerprints, and one new software fingerprint.

Platform

Quickly generate valid search Censys Query Language (CenQL) queries using natural language input with the new Query Assistant tool in the Platform web UI.
- Query Assistant is a beta feature available to all Platform users.
Use the Platform Threat Hunting module to detect, analyze, and track threat infrastructure with speed and precision. The module enables you to explore the threat dataset with structured tools, historical context, and workflows. These capabilities help users validate threats in real time and uncover hidden clusters of malicious assets. The Threat Hunting module includes the following:
- The Platform threat dataset that maps malware, threat actors, and tactics to services or endpoints running on exposed hosts and web properties.
- Interactive Explore Threats page that provides a centralized view into internet-facing infrastructure linked to malware and threat actors. Use interactive visualizations, curated threat profiles, and simplified filtering to quickly identify relevant threats.
- CensEye automated pivoting tool to help you identify web assets on the internet that share a specific key-value pair with an asset of interest to quickly pivot into related infrastructure.
- Live Rescan and Discovery to run fresh scans on specific ports to instantly validate infrastructure behavior, detect configuration changes, and confirm asset persistence without waiting for scheduled Censys scans.
- Certificate Timeline that provides a visual history of when a certificate presented itself on hosts and web properties. This visualization gives threat hunters historical context that simplifies the detection of patterns, trends, and anomalies that could signal malicious behavior.
The Censys Platform is now generally available to all customers.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

ConnectWise ScreenConnect Vulnerability Added to CISA KEV [CVE-2025-3935]
- Use the following queries to find instances of ConnectWise ScreenConnect. Not all of these are necessarily vulnerable, as specific version information may not be available.
vBulletin Allows Unauthenticated Users to Invoke Protected API Controllers’ Methods to Achieve RCE [CVE-2025-48827-48828]
- Use the following Platform query to find vulnerable vBulletin instances. It requires a Starter or Enterprise plan, as it uses regex.
  - Platform query
- Use the following queries to find vBulletin instances. Not all of these are necessarily vulnerable, as version-related information is not targeted using these queries.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	vBulletin	vBulletin is a PHP-based bulletin board software that is used to create and manage online forums.	Platform query
risk	Insecure SNMP Service Exposed	This service is running SNMPv1 or SNMPv2, which transmit community strings in plaintext and lack proper authentication and encryption. Attackers can easily sniff network traffic to determine community strings, enabling man-in-the-middle attacks, replay attacks, and unauthorized access to network device management functions.	ASM query: risks.name: `Insecure SNMP Service Exposed`
risk	Vulnerable ConnectWise ScreenConnect [CVE-2025-3935]	This is a ConnectWise server is running a version vulnerable to CVE-2025-3935, a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.	ASM query: risks.name: `Vulnerable ConnectWise ScreenConnect [CVE-2025-3935]`
risk	Vulnerable vBulletin [CVE-2025-48827]	vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later	ASM query: risks.name: `Vulnerable vBulletin [CVE-2025-48827]`
risk	ASUS Backdoor IOC	This ASUS device has SSH running on the high, ephemeral port TCP/53282, a port that has been linked with a malicious backdoor installed by the AyySSHush botnet. It's recommended to examine this device for the specific attacker-controlled SSH key associated with this botnet.	ASM query: risks.name: `ASUS Backdoor IOC`

5 months ago

June 2, 2025

Sort, filter, and search options on the Collections page in the Platform web UI, two Rapid Response bulletins, and two new fingerprints.

Platform

Added the ability to filter by owner, filter by category, search by name or ID, and sort by creation date, last updated date, or name on the Collections page in the Platform web UI.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

Ivanti EPMM Chained Exploits Added to CISA KEV [CVE-2025-4427-4428]
- Use the following queries to find exposed Ivanti EPMM instances. Not all of these are necessarily vulnerable, as specific version information may not be available.
Samsung MagicInfo9 Path Traversal Vulnerability Added to CISA KEV [CVE-2025-4632]
- Use the following queries to find exposed MagicInfo9 instances. Not all of these are necessarily vulnerable, as specific version information may not be available.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Samsung MagicInfo 9 Server	This is a Samsung MagicInfo server. Samsung's MagicINFO is a comprehensive digital signage software solution that enables businesses to create, publish, and manage content across various display networks	Platform query
risk	Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428]	Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428]	ASM query: risks.name: `Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428]`

Type

Name

Description

Query

software

Samsung MagicInfo 9 Server

This is a Samsung MagicInfo server. Samsung's MagicINFO is a comprehensive digital signage software solution that enables businesses to create, publish, and manage content across various display networks

Platform query

risk

Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428]

ASM query:

risks.name: `Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428]`

5 months ago

May 27, 2025

Dark mode and CT logs page in the Platform web UI, improved filtering on the ASM Ports & Protocols dashboard, two new Rapid Response bulletins.

Platform

Added dark mode to the Platform web UI. To switch between light and dark mode, click your profile icon and use the Light Mode / Dark Mode toggle.
Use the new Certificate Transparency (CT) logs page in the Platform web UI to see the logs Censys monitors as well as additional certificate metadata.
- This page always reflects the current state of Censys CT log monitoring.
- Navigate to the page via the Help menu in the top-right corner of the Platform web console.

ASM

Added the ability to filter the Ports & Protocols dashboard to a specific port range.
Added a filter option for unknown protocols to the Ports & Protocols dashboard.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

Synacor Zimbra Collaboration Suite XSS Vulnerability Added to CISA KEV (CVE-2024-27443)
- Use the following queries to Zimbra Collaboration Suite instances. Not all of these are necessarily vulnerable, as specific version information may not be available.
Srimax Output Messenger Directory Traversal Vulnerability Added to CISA KEV (CVE-2025-27920)
- Use the following queries to find instances of Srimax Output Messenger. Not all of these are necessarily vulnerable, as specific version information may not be available.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Srimax Output Messenger RCE Vulnerability [CVE-2025-27920]	This is an Srimax Output Messenger instance vulnerable to a directory traversal attack.	ASM query
software	Srimax Output Messenger	Srimax Output Messenger is a software product that allows users to send and receive messages from a remote server.	Platform query
software	Lantronix XPort	This is a Lantronix XPort server.	Platform query

6 months ago

May 19, 2025

Eleven new software fingerprints and a Rapid Response bulletin.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

Stack-Based Buffer Overflow Vulnerability Affecting Multiple Fortinet Products [CVE-2025-32756]
- Use the following queries to find Fortinet products. Not all of these are necessarily vulnerable, as specific version information may not be available.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Fortinet FortiVoice Application	This is a Fortinet FortiVoice Application.	Platform query
software	Fortinet FortiNDR	This is a Fortinet FortiNDR Server.	Platform query
software	Fortinet FortiCamera	This is a Fortinet FortiCamera device.	Platform query
software	Commvault CommCell by Certificate	Commvault CommCell is a centralized management framework that coordinates and controls all data protection operations across a Commvault environment.	Platform query
software	Fortinet FortiVoice	This is a Fortinet FortiVoice Server.	Platform query
software	Fortinet FortiMail	This is a Fortinet FortiMail server.	Platform query
software	Commvault CommCell Console	The CommCell Console is the central management user interface for managing the CommCell environment.	Platform query
software	Fortinet FortiRecorder	This is a Fortinet FortiRecorder Server.	Platform query
software	Cisco Wireless Controller	This is a Cisco Wireless Controller.	Platform query
software	Cisco IOS XE	This is a device running Cisco IOS XE software.	Platform query
software	Cisco Catalyst 9800 Series Wireless Controller	This is a Cisco Catalyst 9800 Series Wireless Controller.	Platform query

An RSS feed for the Censys changelog is available here.

6 months ago

May 12, 2025

Four new software fingerprints and two Rapid Response bulletins.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

Critical RCE Vulnerability Identified in Craft CMS (CVE-2025-32432)
- Use the following queries to find instances of Craft CMS. Not all of these are necessarily vulnerable, as specific version information may not be available.
Unauthenticated Code Injection Vulnerability in Langflow (CVE-2025-3248)
- Use the following queries to find exposed Langflow servers. Not all of these are necessarily vulnerable, as specific version information may not be available.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable SonicWall Gen7 Firewall [CVE-2024-53704]	SonicWall Gen7 Firewalls are vulnerable to an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication. This vulnerability affects SonicWall gen7 firewalls (models TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700,NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700) versions 7.1.x (7.1.1-7058 and older versions of 7.1.x only), and version 7.1.2-7019. Additionally, SonicWall Gen7 NSv (models 270, 470, and 870) versions 7.1.x (7.1.1-7058 and older versions of 7.1.x only), and version 7.1.2-7019 are affected, and the SonicWall TZ80 model (version 8.0.0-8035) is also affected.	ASM query: `risks.name="Vulnerable SonicWall Gen7 Firewall [CVE-2024-53704]"`
software	OpenCTI	This is an OpenCTI Cyber Threat Intelligence Platform.	Platform query
software	SonicWall SonicOSX	This is a SonicWall SonicOSX operating system.	Platform query
software	SonicWall SonicOS	This is a SonicWall SonicOS operating system.	Platform query
software	Langflow	Langflow is a low-code tool for building and deploying AI-powered agents and workflows.	Platform query

An RSS feed for the Censys changelog is available here.

6 months ago

May 5, 2025

Two new Rapid Response bulletins and two new software fingerprints.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

SAP NetWeaver Actively Exploited Unauthenticated File Upload Vuln (CVE-2025-31324)
Critical Pre-Authentication RCE Vulnerability in Commvault Software (CVE-2025-34028)
- Use the following queries to find internet-facing instances of Commvault software. Not all of these are necessarily vulnerable, as specific version information may not be available.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	eSSL eTimeTrackLite	This is an eSSL eTimeTrackLite employee time tracking and attendance management system.	Platform query
software	Commvault Command Center	This is a Commvault Command Center server.	Platform query

An RSS feed for the Censys changelog is available here.

6 months ago

April 28, 2025

New Platform web app landing page, Platform Report Builder improvements, and Ports & Protocols dashboard for ASM.

Platform

Find the information you need in the Censys Platform faster using the new web app landing page. The new landing page includes a rotating selection of example queries, data aggregations, new onboarding steps, and more.
Use the new Filter my results to display services or endpoints that match my query option on the Report Builder to limit the report results to only the services or endpoints that match your query. This option helps you build more focused reports.
- The maximum number of report buckets has also been increased to 2,000.
Integrate Censys Platform functionality with your automated workflows with the new Python and Go SDKs.
- The Python SDK is also available on PyPI.

ASM

The new Ports & Protocols Dashboard enables you to understand exactly which ports are open in your attack surface across the full 65,535-port range. This allows you to quickly determine whether there are any open ports that are misconfigured or non-compliant with your organization’s policy.
- The dashboard also shows which protocols are present on your ports. ASM identifies whether these protocols are on standard ports, as defined by IANA.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	WINRM Service Exposed	Windows Remote Management (WinRM) is a Microsoft protocol used for remotely managing Windows systems via PowerShell and other tools. While powerful for automation and administration, exposing WinRM to the internet is dangerous because it can allow attackers to execute remote commands, especially if using weak or default credentials. It supports basic and NTLM authentication, which can be intercepted or brute-forced, particularly over unencrypted HTTP (port 5985). Without proper safeguards like VPN access, strong auth, and firewalls, an exposed WinRM service is a high-risk entry point for attackers.	`risks.name="WINRM Service Exposed"`
software	DPanel	This is a DPanel Docker Server.	Platform query Legacy Search query

Type

Name

Description

Query

risk

WINRM Service Exposed

Windows Remote Management (WinRM) is a Microsoft protocol used for remotely managing Windows systems via PowerShell and other tools. While powerful for automation and administration, exposing WinRM to the internet is dangerous because it can allow attackers to execute remote commands, especially if using weak or default credentials. It supports basic and NTLM authentication, which can be intercepted or brute-forced, particularly over unencrypted HTTP (port 5985). Without proper safeguards like VPN access, strong auth, and firewalls, an exposed WinRM service is a high-risk entry point for attackers.

risks.name="WINRM Service Exposed"

software

DPanel

This is a DPanel Docker Server.

Platform query

Legacy Search query

An RSS feed for the Censys changelog is available here.

6 months ago

April 21, 2025

This release includes one new Rapid Response bulletin and four new software fingerprints.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

Unauthenticated RCE in Erlang/OTP (CVE-2025-32433)
- Use the following queries to identify exposed Erlang SSH servers. Not all of these are necessarily vulnerable, as specific version information may not be available.
- Platform query
- Legacy Search query
- ASM query

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Microsoft Power Apps	A modern low/no-code solution developed by Microsoft..	Platform query
software	Erlang SSHS	This is an Erlang SSH Server.	Platform query Legacy Search query
software	AQUILA Radiology Imaging Software by IMEXHS	AQUILA is a radiology imaging software platform that provides digital imaging and diagnostic support for medical facilities. It is commonly used in radiology departments for managing and viewing medical images.	Platform query Legacy Search query
software	Progress Kemp Loadmaster	This host appears to be running, or be running behind a Progress Kemp Loadmaster load balancer.	Platform query Legacy Search query

An RSS feed for the Censys changelog is available here.

7 months ago

April 14, 2025

This release features five new software fingerprints and two new ASM Rapid Response risks.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

Vulnerability in FortiSwitch Allows Unauthenticated Attackers to Change Admin Passwords (CVE-2024-48887)
- Use the following queries to find Fortinet FortiSwitch instances. Not all of these are necessarily vulnerable, as specific version information may not be available.
- Platform query
- Legacy Search query
- ASM query
Actively Exploited Deserialization Vulnerability in Gladinet CentreStack Secure File Sharing Software (CVE-2025-30406)
- The queries below can be used to identify exposed instances of Gladinet CentreStack, but they are not necessarily vulnerable to the exploit.
- Platform query
- Legacy Search query
- ASM query
- ASM risk query
  - This query can be used to identify exposed instances of Gladinet CentreStack that are vulnerable to the exploit.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable Gladinet CentreStack [CVE-2025-30406]	Gladinet CentreStack through version 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use.	ASM query
software	Gladinet Centrestack	This is a Gladinet Centrestack Server.	Platform query Legacy Search query
software	Fortinet FortiSwitch	This is a Fortinet FortiSwitch device.	Platform query Legacy Search query
software	Dell PowerProtect	Dell PowerProtect Data Domain and Data Manager.	Platform query Legacy Search query
software	CE-WAF Proactive Web Application Firewall	CE-WAF is a custom or internal Web Application Firewall solution.	Platform query
software	Aikido Zen WAF	ZenWAF is a Web Application Firewall solution produced by Aikido.	Platform query Legacy Search query

An RSS feed for the Censys changelog is available here.