Top 10 Attack Surface Exposures in 2026

Breaches don't always start with a zero-day. An exposed admin panel can be brute-forced, or logged into with credentials reused from a previous breach. But when a new vulnerability does land – like MongoBleed earlier this year, which lets attackers pull credentials and session tokens from server memory without authentication – anything facing the Internet is immediately at risk.
With time-to-exploitation now down to a day, the question is not just how fast you can patch. It is why the service was exposed in the first place.
The Intruder team analyzed 3,000 attack surfaces to determine how much of the average organization's attack surface consists of resources that have no reason to be there. We grouped our findings into four categories – HTTP panels, vulnerabilities and services, databases, and publicly accessible files and information.
The full findings, including a breakdown by company size and industry, are in our 2026 Attack Surface Management Index.
How widespread is the problem?
- 60% of organizations have at least one HTTP panel exposed – admin consoles, management UIs, login pages for internal tools that have no business being publicly accessible.
- Almost half (49%) had a vulnerability or a risky service exposed.
- 42% had a database directly accessible from the Internet.
- 30% had publicly accessible files or information that shouldn't be – API specifications, configuration files, data that was never meant to be public.

Ten common exposures
These are the most common attack surface exposures affecting organizations in the past 12 months.
- MySQL Database Exposed – 26%
- Postgres Database Exposed – 16%
- API Documentation Exposed – 15%
- WordPress Admin Panel Exposed – 15%
- Remote Desktop Service Exposed – 11%
- SNMP Service Exposed – 9%
- phpMyAdmin Admin Panel Exposed – 8%
- UPnP Service Exposed – 8%
- NTP Service Exposed – 7%
- RPC Portmapper Service Exposed – 7%
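The network-level entries in this list (the two databases, RDP, SNMP, UPnP, NTP and the RPC portmapper) can be pulled straight out of an external port scan. The script below, an added example that is not part of the article or of Intruder's own tooling, parses nmap's grepable output (`nmap -sV -oG scan.gnmap`), maps each open port or service name to the report's exposure label, and produces the same per-organization percentages the report uses, including the "database directly accessible" aggregate. The scan text embedded in it is constructed sample data, not a real scan; the port numbers are the IANA defaults and the service names (`ms-wbt-server`, `rpcbind`, ...) are the ones nmap assigns.

```python
"""Classify an external nmap scan into the exposure categories used in the
report above. Added example, not the article's or Intruder's code.

nmap -oG lines look like:
Host: 1.2.3.4 ()<TAB>Ports: 22/open/tcp//ssh//OpenSSH 9.2/, ...<TAB>Ignored State: ...
Each port entry has seven slash-separated fields:
port/state/protocol/owner/service/rpc-info/version/
"""
import re
from collections import Counter

# Default ports for the report's network-level exposures. Services running on
# non-standard ports are caught by the nmap service-name fallback below.
PORT_EXPOSURES = {
    ("tcp", 3306): "MySQL Database Exposed",
    ("tcp", 5432): "Postgres Database Exposed",
    ("tcp", 3389): "Remote Desktop Service Exposed",
    ("udp", 161): "SNMP Service Exposed",
    ("udp", 1900): "UPnP Service Exposed",
    ("udp", 123): "NTP Service Exposed",
    ("tcp", 111): "RPC Portmapper Service Exposed",
    ("udp", 111): "RPC Portmapper Service Exposed",
}
SERVICE_EXPOSURES = {  # nmap service names, for non-default ports
    "mysql": "MySQL Database Exposed",
    "postgresql": "Postgres Database Exposed",
    "ms-wbt-server": "Remote Desktop Service Exposed",
    "snmp": "SNMP Service Exposed",
    "upnp": "UPnP Service Exposed",
    "ntp": "NTP Service Exposed",
    "rpcbind": "RPC Portmapper Service Exposed",
}
DATABASE_LABELS = {"MySQL Database Exposed", "Postgres Database Exposed"}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORTS_RE = re.compile(r"Ports:\s+(.*?)(?:\t|$)")

# Constructed sample scan (TEST-NET addresses), not real results.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 3306/open/tcp//mysql//MySQL 8.0.36/, 111/open/tcp//rpcbind/100000/2-4 (RPC #100000)/\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx/, 5432/open/tcp//postgresql//PostgreSQL DB 15.3/\tIgnored State: filtered (998)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 161/open/udp//snmp//SNMPv1 server/, 123/open|filtered/udp//ntp///\tIgnored State: closed (997)
Host: 203.0.113.13 ()\tPorts: 80/open/tcp//http//Apache httpd/\tIgnored State: closed (999)
# Nmap done
"""


def parse_grepable(text):
    """Yield (host, port, proto, state, service) for every port entry."""
    for line in text.splitlines():
        host_match = HOST_RE.match(line)
        ports_match = PORTS_RE.search(line)
        if not host_match or not ports_match:
            continue
        for entry in ports_match.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry, skip rather than guess
            port, state, proto, _owner, service, _rpc, _version = fields[:7]
            yield host_match.group(1), int(port), proto, state, service


def analyse(text):
    """Return per-host exposure labels and the percentage of hosts affected."""
    hosts = {m.group(1) for m in map(HOST_RE.match, text.splitlines()) if m}
    per_host = {}
    for host, port, proto, state, service in parse_grepable(text):
        # UDP probes often come back open|filtered; treat that as reachable.
        if state not in ("open", "open|filtered"):
            continue
        label = PORT_EXPOSURES.get((proto, port)) or SERVICE_EXPOSURES.get(service)
        if label:
            per_host.setdefault(host, set()).add(label)
    per_host = {h: sorted(labels) for h, labels in per_host.items()}

    counts = Counter()
    for labels in per_host.values():
        counts.update(labels)
        if DATABASE_LABELS & set(labels):
            counts["Any database exposed"] += 1  # the report's 42% figure
    percent = {label: round(100 * n / len(hosts)) for label, n in counts.items()}
    return {"hosts": len(hosts), "per_host": per_host, "percent": percent}


if __name__ == "__main__":
    result = analyse(SAMPLE_SCAN)
    for host, labels in result["per_host"].items():
        print(host, "->", ", ".join(labels))
    for label, pct in sorted(result["percent"].items()):
        print(f"{pct:3d}%  {label}")
```

Run it against a real scan with `analyse(open("scan.gnmap").read())`. It deliberately covers only the port-level items: the panel and documentation exposures (WordPress admin, phpMyAdmin, API docs) live on ordinary HTTP ports and need path probing (`/wp-admin/`, `/phpmyadmin/`, `/swagger-ui/`, `/openapi.json`) that a port scan does not give you.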
Databases take the top two spots
Exposed databases take the top two spots: more than a quarter of organizations expose MySQL, and Postgres affects roughly one in six. Internet-facing databases have long been the target of opportunistic attackers. The PLEASE_READ_ME ransomware campaign of 2020 compromised over 250,000 MySQL databases by brute-forcing weak credentials, and MongoDB and Elasticsearch have been hit by the same kind of campaigns.
API documentation is more exposed than RDP
API documentation ranks third – ahead of RDP, which surprised us. Some API documentation is intentionally public, but organizations often overlook documentation for private or admin-side APIs that was never intended to be reachable. Exposed API documentation turns hard-to-find endpoints into documented attack paths.
RDP remains an entry point for ransomware
RDP at number five is troubling given its history as a primary access point for ransomware. BlueKeep in 2019 left almost a million Internet-facing systems immediately exploitable. Guessing or stuffing credentials against an exposed RDP service remains one of the most reliable ways ransomware operators get in.
Some of these services were never meant to be online
The rest of the list – SNMP, UPnP, NTP, RPC portmapper – are legacy services designed for internal networks that were never intended to face the Internet.
Get the complete findings
Most teams treat patching as the priority. But for most of the items on this list – databases, management panels, legacy services – the better question is why they are accessible at all. That is where attack surface management comes in, and in many organizations it doesn't get the same attention as vulnerability management.
The full findings, including a breakdown by company size and industry, are in the 2026 Attack Surface Management Index.
