7 months ago

August 11, 2025

Download search results for Core and Enterprise Platform users, new Platform API endpoints for retrieving certificates in PEM format, new fingerprints for Papercut print servers and Oracle E-Business Suite, two new risks for ASM, and one Rapid Response bulletin on a flaw affecting Microsoft Exchange hybrid deployments.

Platform

Core and Enterprise users can now download search results in CSV format in the Platform UI.
- Each page of results must be downloaded separately.
- Each CSV file can contain a maximum of 100 results.

API

Added two new API endpoints to retrieve a single certificate or multiple certificates in PEM format.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

High-Severity Flaw Affecting Microsoft Exchange Hybrid Deployments [CVE-2025-53786]
- Use the following queries to find Exchange servers that may or may not have an OWA portal present. Not all of these are necessarily vulnerable. Read the blog for more information about finding OWA portals and hosts with Exchange servers and OWA portals on the same device.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable Exchange Server [CVE-2025-53786]	The Microsoft Exchange application is running a version that is potentially vulnerable to CVE-2025-53786, which allows privilege escalation on on-premises Exchange Servers configured as hybrid deployments.	ASM risk query: risks.name: `Vulnerable Exchange Server [CVE-2025-53786]`
risk	Vulnerable Papercut Print Server CVE-2023-2533	This Papercut MF/NG Print Server is vulnerable to CVE-2023-2533, a CSRF vulnerability that could potentially allow an attacker to alter security settings or execute arbitrary code. This can be only be exploited if the target is an admin with a current login session, and often times requires the user to click a specially crafted malicious link. Versions < 20.1.8, 21.0.0 - 21.2.11, and 22.0.0 - 22.1.0 are affected.	ASM risk query: risks.name: `Vulnerable Papercut Print Server CVE-2023-2533`
software	Oracle E-Business Suite	Oracle E-Business Suite is an integrated set of business applications that helps enterprises manage core functions like finance, supply chain, human resources, and customer relationship management.	Platform query
software	Papercut NG Print Server	Papercut NG is a print management system.	Platform query
software	Papercut MF Print Server	Papercut MF is a print management system.	Platform query

7 months ago

August 4, 2025

Query Assistant improvements in the Platform and seventeen risks enabled for ASM, including numerous service exposures like WINRM and DCERPC.

Platform

You no longer need to click the generate button to convert natural language input into a Censys Query Language query using the Query Assistant. Instead, the query assistant now automatically converts natural language after you enter it.

ASM

The following risks are now enabled for all ASM customers.

Risk name	Description	Severity
ATG (Automatic Tank Gauging) Service Exposed	This service is running Automatic Tank Gauging (ATG) protocol used for monitoring fuel tanks and fluid levels in critical infrastructure. ATG systems control fuel distribution, inventory management, and leak detection systems. Exposure allows attackers to manipulate fuel readings, cause environmental damage, or disrupt operations.	Critical
OPC UA Service Exposed	This service is running OPC Unified Architecture (OPC UA), a critical industrial communication protocol used for data exchange between industrial equipment, SCADA systems, and manufacturing execution systems. Exposed OPC UA servers allow attackers to read sensitive operational data, modify control parameters, or disrupt industrial processes.	Critical
GE SRTP Service Exposed	This service is running GE SRTP (General Electric Service Request Transport Protocol), used for communication with GE industrial control systems, PLCs, and automation equipment. GE SRTP enables configuration, monitoring, and control of critical infrastructure equipment. Exposure allows attackers to access control systems, modify operational parameters, or cause equipment failures.	Critical
PCWORX Service Exposed	This service is running PCWORX protocol, used by Phoenix Contact PLCs and industrial automation systems. PCWORX enables programming, configuration, and real-time communication with industrial controllers in manufacturing, building automation, and process control applications. Exposure allows attackers to read/write PLC programs, modify control logic, or disrupt automated processes.	Critical
IEC 60870-5-104 Service Exposed	This service is running IEC 60870-5-104, a critical power system communication protocol used for telecontrol and SCADA in electrical power systems. This protocol controls power generation, transmission, and distribution infrastructure. Exposure allows attackers to manipulate power grid operations, cause blackouts, or damage electrical equipment.	Critical
MMS (Manufacturing Message Specification) Service Exposed	This service is running Manufacturing Message Specification (MMS), an ISO standard for real-time communication in industrial automation systems. MMS enables communication between SCADA systems, DCS controllers, and manufacturing equipment. Exposure allows attackers to read critical process data, modify control parameters, or disrupt manufacturing operations.	High
HART Service Exposed	This service is running HART (Highway Addressable Remote Transducer) protocol, used for communication with smart field devices in process automation. HART enables digital communication with sensors, transmitters, and actuators in chemical plants, refineries, and other industrial facilities. Exposure allows attackers to read process measurements, modify device configurations, or disrupt critical control loops.	High
UBIQUITI Service Exposed	This service is designed for Ubiquiti device management and configuration. Ubiquiti devices often have default credentials and known vulnerabilities, making them attractive targets for attackers seeking to gain network access or use devices in botnet attacks.	High
NETIS Service Exposed	This service is running the NETIS router configuration protocol. NETIS routers have a well-known backdoor vulnerability (CVE-2014-2321) that allows unauthenticated remote access via UDP port 53413. This backdoor has been widely exploited by malware and botnets for gaining network access and launching attacks.	Critical
SSDP Service Exposed	This service is running the Simple Service Discovery Protocol (SSDP), which is part of the UPnP protocol suite. SSDP is a major vector for DDoS amplification attacks with amplification factors up to 30x. It also exposes detailed device information that can be used for network reconnaissance and targeted attacks.	High
WS-Discovery Service Exposed	This service is running Microsoft's Web Services Dynamic Discovery (WS-Discovery) protocol used for device and service discovery on networks. When exposed to the Internet, it can be abused for DDoS amplification attacks and allows attackers to gather detailed information about internal network devices and services.	Medium
TP-Link Kasa Service Exposed	This service is running TP-Link Kasa smart home device management protocol. Exposed Kasa devices allow unauthorized users to control smart plugs, lights, cameras, and other IoT devices, potentially enabling privacy invasion, device manipulation, or using devices as entry points for further network attacks.	Medium
Chromecast Service Exposed	This service is designed for Google Chromecast streaming and control functionality. Exposed Chromecast devices can allow unauthorized users to hijack media streaming, play unwanted content, or use the device as an entry point for network reconnaissance and attacks.	Medium
Yahoo Smart TV Service Exposed	This service is designed for Yahoo Smart TV functionality and remote control capabilities. Exposed Smart TV services can be targets for unauthorized access, privacy invasion through camera/microphone access, or incorporation into IoT botnets for DDoS attacks.	Medium
IOTA Service Exposed	This service is part of the IOTA distributed ledger technology ecosystem. Exposed IOTA nodes can be targets for cryptocurrency-related attacks, DDoS amplification, or exploitation of node software vulnerabilities.	Medium
DCERPC Service Exposed	The Distributed Computing Environment / Remote Procedure Call (DCERPC) protocol is used by many Windows services for remote management, authentication, and service control. It operates by default over port 135/TCP. Exposure of DCERPC services to the internet can allow attackers to enumerate available services, exploit unpatched vulnerabilities, and potentially execute remote code. DCERPC should never be exposed directly to the internet without strict access controls.	High
WINRM Service Exposed	Windows Remote Management (WinRM) is a Microsoft protocol used for remotely managing Windows systems via PowerShell and other tools. While powerful for automation and administration, exposing WinRM to the internet is dangerous because it can allow attackers to execute remote commands, especially if using weak or default credentials. It supports basic and NTLM authentication, which can be intercepted or brute-forced, particularly over unencrypted HTTP (port 5985). Without proper safeguards like VPN access, strong auth, and firewalls, an exposed WinRM service is a high-risk entry point for attackers.	High

7 months ago

July 31, 2025

Open directory data enhancements and suspicious directory threat, graphical investigation explorer, CensEye enhancements, and more improvements in the Platform; Chrome browser extension, and registrant email domain pivoting in ASM.

Platform

Threat Hunting

Build node-based pivot trees to discover, visualize, and understand connections between web assets in the Censys datasets using the Investigation Manager in the Platform web UI.
Use the Suspicious Directory threat to find and track web assets with open directories that contain security tools, penetration testing utilities, webshells, or other potentially malicious files. Use this threat information to find hosts and web services with suspicious files before they are leveraged in attacks.
Leverage the open directory visual explorer and open directory parsed fields to quickly understand directory information at a glance, including file names, sizes, last modified dates, and directory structure.
Made several changes to the default CensEye pivot fields for hosts, web properties, and certificates, including:
- Added TLS fingerprinting fields (JA4S, JA3S, JA4X, JARM) for better network analysis
- Added SSH, Cobalt Strike, and protocol-specific pivots for threat detection
- Added HTTP metadata fields (headers, favicons, body hashes) for web analysis
- Switched favicon hashes from MD5 to SHA256 for improved security
- Added support for specialized protocols including SCADA, Kubernetes, and SNMP

Chrome browser extension

Perform IP lookups and full-text searches from within a browser window using the Censys Chrome browser extension.

API

Added the count_by_level parameter to the aggregate endpoint to allow you to specify which document level's count is returned per term bucket, primarily for nested fields. This is the same functionality available in the Count By dropdown in the Report Builder UI.

ASM

Added registrant email domain pivoting to the ASM attribution process during seed discovery.
- If ASM finds the email address [email protected] associated with a domain that belongs to you, it will pivot to find other assets registered to any censys.com email address. If you accept an email domain as a seed, you will see many new registrant emails appear in the seed discovery list.
- If you have continuous seed discovery enabled, this update may result in more frequent seed discovery emails for newly found email addresses.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Critical CrushFTP Vulnerability Added to CISA KEV [CVE-2025-54309]
- Use the following queries to find CrushFTP servers. Not all of these are necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable CrushFTP [CVE-2025-54309]	CrushFTP 11 before 11.3.4_23 (update < 756), when the DMZ proxy feature is not used, is vulnerable to CVE-2025-54309 due to mishandled AS2 validation, allowing remote attackers to obtain admin access via HTTPS.	ASM risk query: risks.name: `Vulnerable CrushFTP [CVE-2025-54309]`
software	Cisco ISE	Cisco Identity Services Engine (ISE) is a network access control and policy enforcement system that provides secure access via identity-based policies.	Platform query

Type

Name

Description

Query

risk

Vulnerable CrushFTP [CVE-2025-54309]

CrushFTP 11 before 11.3.4_23 (update < 756), when the DMZ proxy feature is not used, is vulnerable to CVE-2025-54309 due to mishandled AS2 validation, allowing remote attackers to obtain admin access via HTTPS.

ASM risk query:

risks.name: `Vulnerable CrushFTP [CVE-2025-54309]`

software

Cisco ISE

Cisco Identity Services Engine (ISE) is a network access control and policy enforcement system that provides secure access via identity-based policies.

Platform query

8 months ago

July 21, 2025

Platform MCP Server for AI agents, Platform web service screenshots, and more enhancements.

Platform

Use the Platform Model Context Protocol (MCP) Server to give your AI agents and workflows secure, governed, and direct access to the entire Censys Internet Map and Platform APIs, empowering you to hunt, triage, and respond at machine speed.
Visually investigate exposed assets on the Censys Platform with recurring and on-demand web service screenshots.
Added HTML titles (host.services.endpoints.http.html_title and web.endpoints.http.html_title) to the default pivot fields for CensEye to quickly discover related infrastructure.
Use the filter_by_query parameter on Platform API aggregate endpoints to limit aggregation results to those that match your query. This functionality is equivalent to the filter checkbox in the Report Builder UI.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues.

ToolShell Exploit Enables Unauthenticated SharePoint RCE [CVE-2025-53770]
- Use the following queries to find SharePoint servers. Not all of these are necessarily vulnerable.
Pre-Auth SQL Injection Leads to RCE in Fortinet FortiWeb [CVE-2025-25257]
- Use the following queries to find FortiWeb devices. Not all of these are necessarily vulnerable.

8 months ago

July 14, 2025

New CensEye API endpoint, Live Rescan for all Enterprise customers, enhancements to Platform AI tool configuration, recent searches in the Platform web UI, and more.

Platform

Use the CensEye value counts API to obtain counts of web assets for specific field-value pairs and combinations of field-value pairs for rapid research and analysis.
Added combined HTTP header key and value information to the default pivot fields for CensEye to quickly discover related infrastructure.
All Enterprise customers now have access to the Live Rescan feature.
Added the ability to configure AI tool usage and privacy settings at the individual user and organization level.
Added recent searches to the search bar in the Platform web UI.
Platform Starter users may now configure their Censys Credits to automatically replenish when they reach a specific amount.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Unauthenticated RCE in Wing FTP Server [CVE-2025-47812]
- Use the following queries to identify exposed Wing FTP servers. Not all of these are necessarily vulnerable.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable Wing FTP Server CVE-2025-47812	This Wing FTP Server is running a vulnerable version of the software that is susceptible to CVE-2025-47812, an unauthenticated remote code execution vulnerability.	ASM risk query: `risks.name = "Vulnerable Wing FTP Server CVE-2025-47812"`
software	Wing FTP Server	This service is running a Wing FTP server.	Platform query

Type

Name

Description

Query

risk

Vulnerable Wing FTP Server CVE-2025-47812

This Wing FTP Server is running a vulnerable version of the software that is susceptible to CVE-2025-47812, an unauthenticated remote code execution vulnerability.

ASM risk query:

risks.name = "Vulnerable Wing FTP Server CVE-2025-47812"

software

Wing FTP Server

This service is running a Wing FTP server.

Platform query

8 months ago

July 7, 2025

CVE risk rescan and scan data links in ASM, three new software fingerprints, and one new Rapid Response bulletin.

ASM

Use the ability to rescan CVE risks on host risk cards in the ASM web console to verify that a CVE risk has been closed after completing your or remediation workflows. Use the View Scan Data button to see the scan data for the service.
Added the ability to copy data field names from table header rows in the ASM web console to quickly search your inventory for relevant assets.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	MCP Inspector	MCP Inspector is a developer tool that enables inspection and debugging of Model Context Protocol workflows.	Platform query
software	BentoML	BentoML is an open-source platform designed to help developers package and deploy machine learning models.	Platform query
software	AMI MegaRAC SP-X Firmware	This is a device running AMI MegaRAC SP-X firmware, a proprietary Linux-based platform for Baseboard Management Controllers (BMCs). MegaRAC SP-X provides out-of-band management functionality via interfaces like Redfish, IPMI, and a web GUI, and is commonly deployed in enterprise servers and datacenter hardware.	Platform query

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Multiple Vulnerabilities in NetScaler Gateway & ADC [CVE-2025-5777 & CVE-2025-6543 & CVE-2025-5439]
- Use the following queries to identify exposed MegaRAC SPx firmware. Not all of these are necessarily vulnerable, as specific version information may not be available.

8 months ago

June 30, 2025

Five new hardware and software fingerprints and three new risks for ASM.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issue.

Multiple Vulnerabilities in NetScaler Gateway & ADC [CVE-2025-5777 & CVE-2025-6543 & CVE-2025-5439]
- Use the following queries to identify exposed NetScaler Gateway and ADC instances. Not all of these are necessarily vulnerable, as specific version information may not be available.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
hardware	Planet Router	This is a Planet Technology Corporation router or network device.	Platform query
software	Wordpress Plugin - Rank Math SEO	A very popular search engine optimization plugin for Wordpress.	Platform query
software	wordpress-plugin-wp-rocket	A wordpress performance-based plugin to speed up websites with caching.	Platform query
software	wordpress-plugin-wpforms	A wordpress plugin associated with POST forms.	Platform query
software	Wordpress Plugin - Yoast SEO	A search-engine optimization plugin for wordpress.	Platform query
risk	Vulnerable Citrix Netscaler Application [CVE-2025-6543]	This device is vulnerable to CVE-2025-6543 - A memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server, potentially leading to remote code execution.	ASM risk query: risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-6543]`
risk	Vulnerable Citrix Netscaler Application [CVE-2025-5349, CVE-2025-5777]	This device is vulnerable to CVE-2025-5349, which involves improper access control on the NetScaler Management Interface, and CVE-2025-5777, which results from insufficient input validation leading to memory overread. Successful exploitation of CVE-2025-5349 may allow unauthorized changes or lateral movement within the network, while CVE-2025-5777 could enable attackers to read sensitive memory contents such as session tokens or credentials by hijacking sessions.	ASM risk query: risks.name: `Vulnerable Citrix Netscaler Application [CVE-2025-5349, CVE-2025-5777]`
risk	Vulnerable Sitecore Experience Platform [CVE-2025-34509]	Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP. [CVE-2025-34509]. We cannot detect the revision number of the software, so this risk is medium confidence and assumes 10.4.1/10.3.3/10.1.4 are vulnerable.	ASM risk query: risks.name: `Vulnerable Sitecore Experience Platform [CVE-2025-34509]`

9 months ago

June 23, 2025

CVE risk exploit context in ASM, two new software fingerprints, and one risk fingerprint.

ASM

Use new CVE risk exploit context data to help you understand, triage, and remediate risks in your attack surface.
- New context data includes risk exploit maturity status, threat actor, botnet, and ransomware enrichment, EPSS scores, and CVSSv4 scores.
  Details, description, and threat context information on the CVE details page.
  
  Exploit information and links on the CVE details page.
- CVE risk exploit context is available to all ASM Enterprise customers. ASM Advanced customers may purchase access to it.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
risk	Vulnerable Erlang OTP Instance [CVE-2025-32433]	This service is running a vulnerable version of Erlang OTP that is affected by unauthenticated remote code execution vulnerability CVE-2025-32433. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution by exploiting a flaw in SSH protocol message handling.	ASM query: risks.name: `Vulnerable Erlang OTP Instance [CVE-2025-32433]`
software	Mottech ICC Pro Control System	ICC PRO is a control platform for centralized and remote irrigation management. It communicates with system components to monitor and control sites, providing real-time status and performance data for devices such as valves, water meters, sensors, and pumps. The software supports continuous monitoring and execution of irrigation programs.	Platform query
software	RainMachine Web Application	RainMachine is a web-based application that allows users to monitor and control their irrigation system from remote devices.	Platform query

Type

Name

Description

Query

risk

Vulnerable Erlang OTP Instance [CVE-2025-32433]

This service is running a vulnerable version of Erlang OTP that is affected by unauthenticated remote code execution vulnerability CVE-2025-32433. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution by exploiting a flaw in SSH protocol message handling.

ASM query:

risks.name: `Vulnerable Erlang OTP Instance [CVE-2025-32433]`

software

Mottech ICC Pro Control System

ICC PRO is a control platform for centralized and remote irrigation management. It communicates with system components to monitor and control sites, providing real-time status and performance data for devices such as valves, water meters, sensors, and pumps. The software supports continuous monitoring and execution of irrigation programs.

Platform query

software

RainMachine Web Application

RainMachine is a web-based application that allows users to monitor and control their irrigation system from remote devices.

Platform query

9 months ago

June 16, 2025

Four new fingerprints and two Rapid Response bulletins.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

Wazuh RCE Vulnerability Exploited to Deploy Mirai Botnets
- Use the following queries to identify exposed Wazuh servers, but they are not necessarily vulnerable to the exploit.
  - Platform query
  - Legacy Search query
  - ASM query
  - ASM risk query
    - This query can be used to find instances of Wazuh server that are vulnerable to the exploit.
Roundcube Webmail Vulnerable to Authenticated RCE [CVE-2025-49113]
- Use the following queries to find Roundcube Webmail instances. Not all of these are necessarily vulnerable to the exploit described in the bulletin.
  - Platform query
  - Legacy Search query
  - ASM query
  - ASM risk query
    - This query can be used to find instances of Roundcube Webmail that are vulnerable to the exploit.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	Synology VPN Plus Server	This is a Synology VPN Plus Server.	Platform query
software	3CX Web Client	The 3CX Web Client is a browser-based application that provides users with tools for communication and collaboration, including call management, video conferencing, live chat, and integration with messaging platforms such as WhatsApp, Facebook, and SMS/MMS.	Platform query
risk	Vulnerable Wazuh [CVE-2025-24016]	An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent.	ASM query: risks.name: `Vulnerable Wazuh [CVE-2025-24016]`
risk	Vulnerable Roundcube [CVE-2025-49113]	This is a Roundcube server running a version of Roundcube that is vulnerable to CVE-2025-49113. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.	ASM query: risks.name: `Vulnerable Roundcube [CVE-2025-49113]`

9 months ago

June 10, 2025

Platform Query Assistant beta for all users, Platform Threat Hunting module release, general availability for the Platform, two Rapid Response bulletins, several new risk fingerprints, and one new software fingerprint.

Platform

Quickly generate valid search Censys Query Language (CenQL) queries using natural language input with the new Query Assistant tool in the Platform web UI.
- Query Assistant is a beta feature available to all Platform users.
Use the Platform Threat Hunting module to detect, analyze, and track threat infrastructure with speed and precision. The module enables you to explore the threat dataset with structured tools, historical context, and workflows. These capabilities help users validate threats in real time and uncover hidden clusters of malicious assets. The Threat Hunting module includes the following:
- The Platform threat dataset that maps malware, threat actors, and tactics to services or endpoints running on exposed hosts and web properties.
- Interactive Explore Threats page that provides a centralized view into internet-facing infrastructure linked to malware and threat actors. Use interactive visualizations, curated threat profiles, and simplified filtering to quickly identify relevant threats.
- CensEye automated pivoting tool to help you identify web assets on the internet that share a specific key-value pair with an asset of interest to quickly pivot into related infrastructure.
- Live Rescan and Discovery to run fresh scans on specific ports to instantly validate infrastructure behavior, detect configuration changes, and confirm asset persistence without waiting for scheduled Censys scans.
- Certificate Timeline that provides a visual history of when a certificate presented itself on hosts and web properties. This visualization gives threat hunters historical context that simplifies the detection of patterns, trends, and anomalies that could signal malicious behavior.
The Censys Platform is now generally available to all customers.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.

ConnectWise ScreenConnect Vulnerability Added to CISA KEV [CVE-2025-3935]
- Use the following queries to find instances of ConnectWise ScreenConnect. Not all of these are necessarily vulnerable, as specific version information may not be available.
vBulletin Allows Unauthenticated Users to Invoke Protected API Controllers’ Methods to Achieve RCE [CVE-2025-48827-48828]
- Use the following Platform query to find vulnerable vBulletin instances. It requires a Starter or Enterprise plan, as it uses regex.
  - Platform query
- Use the following queries to find vBulletin instances. Not all of these are necessarily vulnerable, as version-related information is not targeted using these queries.

New fingerprints

Added the following fingerprints.

Type	Name	Description	Query
software	vBulletin	vBulletin is a PHP-based bulletin board software that is used to create and manage online forums.	Platform query
risk	Insecure SNMP Service Exposed	This service is running SNMPv1 or SNMPv2, which transmit community strings in plaintext and lack proper authentication and encryption. Attackers can easily sniff network traffic to determine community strings, enabling man-in-the-middle attacks, replay attacks, and unauthorized access to network device management functions.	ASM query: risks.name: `Insecure SNMP Service Exposed`
risk	Vulnerable ConnectWise ScreenConnect [CVE-2025-3935]	This is a ConnectWise server is running a version vulnerable to CVE-2025-3935, a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. It is important to note that to obtain these machine keys, privileged system level access must be obtained. If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server. The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior.	ASM query: risks.name: `Vulnerable ConnectWise ScreenConnect [CVE-2025-3935]`
risk	Vulnerable vBulletin [CVE-2025-48827]	vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later	ASM query: risks.name: `Vulnerable vBulletin [CVE-2025-48827]`
risk	ASUS Backdoor IOC	This ASUS device has SSH running on the high, ephemeral port TCP/53282, a port that has been linked with a malicious backdoor installed by the AyySSHush botnet. It's recommended to examine this device for the specific attacker-controlled SSH key associated with this botnet.	ASM query: risks.name: `ASUS Backdoor IOC`