Cybersecurity breaches often exploit exposed services rather than relying solely on zero-day vulnerabilities. For instance, an unprotected administrative panel can be brute-forced, or attackers might reuse credentials from previous breaches. The recent MongoBleed vulnerability allowed unauthorized access to server memory, exposing credentials and session tokens, highlighting the risks associated with internet-facing services.
With the time between vulnerability disclosure and exploitation now reduced to a single day, organizations must not only patch swiftly but also question why certain services are exposed to the internet in the first place.
Prevalence of Exposed Services
An analysis of 3,000 organizations’ attack surfaces revealed significant exposure:
- 60% had at least one exposed HTTP panel, such as admin consoles or internal tool login pages that should not be publicly accessible.
- 49% had risky ports or services exposed.
- 42% had databases directly reachable from the internet.
- 30% had publicly accessible files or information, including API documentation and configuration files not intended for public view.
Top 10 Common Exposures
The most prevalent attack surface exposures identified over the past year include:
- MySQL Database Exposed — 26%
- Postgres Database Exposed — 16%
- API Documentation Exposed — 15%
- WordPress Admin Panel Exposed — 15%
- Remote Desktop Service (RDP) Exposed — 11%
- SNMP Service Exposed — 9%
- phpMyAdmin Admin Panel Exposed — 8%
- UPnP Service Exposed — 8%
- NTP Service Exposed — 7%
- RPC Portmapper Service Exposed — 7%
Analysis of Key Exposures
Exposed databases top the list, with over a quarter of organizations exposing MySQL and 16% exposing Postgres. Internet-facing databases have long been targets for attackers. For example, the PLEASE_READ_ME ransomware campaign in 2020 compromised more than 250,000 MySQL databases by exploiting weak credentials.
API documentation exposure ranks third, surpassing Remote Desktop Protocol (RDP). While some API documentation is intended to be public, organizations often overlook documentation tied to private or administrative APIs, inadvertently making them discoverable. Public API documentation can transform obscure vulnerabilities into well-documented attack vectors.
RDP exposure remains a significant concern, given its history as an entry point for ransomware attacks. The BlueKeep vulnerability in 2019 left nearly a million systems vulnerable to exploitation. Credential guessing against exposed RDP services continues to be a reliable method for ransomware operators to gain access.
The remaining exposures—SNMP, UPnP, NTP, and RPC—are legacy services designed for internal networks and were never intended to be internet-facing.
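To make the "share of organizations with at least one exposed X" figures above concrete, here is an added example (not code from the article or its source report) that classifies an inventory of internet-facing listeners into the categories listed in the top-10 table and computes per-category prevalence the same way; the port-to-service map and the HTTP path prefixes are assumptions for illustration, and the inventory is constructed sample data.

```python
# Added example (not from the article): classify an internet-facing listener
# inventory into the article's exposure categories and compute prevalence.
from collections import defaultdict

# Port-based categories; names match the article's top-10 list (ports assumed).
PORT_CATEGORIES = {
    3306: "MySQL Database Exposed",
    5432: "Postgres Database Exposed",
    3389: "Remote Desktop Service (RDP) Exposed",
    161: "SNMP Service Exposed",
    1900: "UPnP Service Exposed",
    123: "NTP Service Exposed",
    111: "RPC Portmapper Service Exposed",
}
# Path-based categories for HTTP listeners (prefixes are an assumption).
PATH_CATEGORIES = {
    "/wp-admin": "WordPress Admin Panel Exposed",
    "/phpmyadmin": "phpMyAdmin Admin Panel Exposed",
    "/swagger": "API Documentation Exposed",
}

def classify(port, path=""):
    """Return the exposure category for one listener, or None if out of scope."""
    if port in PORT_CATEGORIES:
        return PORT_CATEGORIES[port]
    for prefix, category in PATH_CATEGORIES.items():
        if path.lower().startswith(prefix):
            return category
    return None

def prevalence(inventory):
    """inventory: iterable of (org, host, port, path) -> {category: % of orgs}."""
    orgs = {org for org, *_ in inventory}          # denominator: every org seen
    hits = defaultdict(set)
    for org, _host, port, path in inventory:
        category = classify(port, path)
        if category:
            hits[category].add(org)                # an org counts once per category
    return {c: round(100 * len(o) / len(orgs)) for c, o in hits.items()}

# Constructed sample inventory (not real data): four orgs, a few listeners each.
SAMPLE = [
    ("acme", "203.0.113.10", 3306, ""),
    ("acme", "203.0.113.11", 443, "/wp-admin/"),
    ("beta", "198.51.100.5", 3389, ""),
    ("beta", "198.51.100.6", 443, "/swagger/index.html"),
    ("gamma", "192.0.2.7", 3306, ""),
    ("delta", "192.0.2.9", 443, "/"),              # nothing flagged, still counted
]

if __name__ == "__main__":
    for category, pct in sorted(prevalence(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{category}: {pct}%")
```

Run against a real export from an external attack surface scanner, the same per-organization counting reproduces the report's prevalence figures and gives a ranked list of what to take off the internet first.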
While patching vulnerabilities is crucial, organizations must also focus on reducing their attack surface by limiting unnecessary exposure. This proactive approach can significantly enhance security posture and mitigate potential breaches.