CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 17, 2026

The Top 10 Attack Surface Exposures in 2026

The Hacker News Archived Jun 17, 2026 ✓ Full text saved

Breaches don't always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk. With time-to-exploit now down to a

Full text archived locally
✦ AI Summary · Claude Sonnet


    The Top 10 Attack Surface Exposures in 2026 The Hacker NewsJun 17, 2026Attack Surface Management Breaches don't always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk. With time-to-exploit now down to a single day, the question isn't just how fast you can patch. It's why the service was exposed in the first place. The team at Intruder analyzed 3,000 attack surfaces to find out how much of a typical organization's attack surface consists of services that have no reason to be there. We grouped what we found into four categories — HTTP panels, risky ports and services, databases, and publicly accessible files and information. The full findings, including breakdowns by company size and industry, are in our 2026 Attack Surface Management Index. How widespread is the problem? 60% of organizations had at least one HTTP panel exposed — admin consoles, management UIs, login pages for internal tools that have no business being publicly reachable. Nearly half (49%) had a risky port or service exposed. 42% had a database reachable directly from the internet.  30% had files or information publicly accessible that shouldn't be — API documentation, config files, data that was never intended to be discoverable. The ten most common exposures These are the most common attack surface exposures affecting organizations in the past 12 months. MySQL Database Exposed — 26% Postgres Database Exposed — 16% API Documentation Exposed — 15% WordPress Admin Panel Exposed — 15% Remote Desktop Service Exposed — 11% SNMP Service Exposed — 9% phpMyAdmin Admin Panel Exposed — 8% UPnP Service Exposed — 8% NTP Service Exposed — 7% RPC Portmapper Service Exposed — 7% Databases dominate the top two spots Exposed databases take the top two spots, with more than a quarter of organizations exposing MySQL and Postgres, affecting 1 in 6. Internet-facing databases have long been a target for opportunistic attackers. The PLEASE_READ_ME ransomware campaign in 2020 compromised more than 250,000 MySQL databases by brute-forcing weak credentials. MongoDB and Elasticsearch have faced the same. API documentation is more exposed than RDP API documentation ranked third — ahead of RDP, which surprised us. Some API docs are intentionally public, but organizations frequently overlook documentation tied to private or admin-side APIs that were never meant to be discoverable. Public API docs can turn otherwise hard-to-find vulnerabilities into documented attack paths. RDP remains a ransomware entry point RDP at number five is a concern given its history as an initial access vector in ransomware attacks. BlueKeep in 2019 left nearly a million systems immediately exploitable. Credential guessing against exposed RDP remains one of the most reliable ways ransomware operators get in. The rest of the list was never meant to be internet-facing The remainder of the list — SNMP, UPnP, NTP, RPC — are legacy services designed for internal networks that were never meant to be internet-facing.  Get the full findings Most teams treat patching as the priority. But for a lot of what's on this list — databases, admin panels, legacy services — the better question is why they're reachable at all. That's where attack surface reduction comes in — and for most organizations, it's not getting the same attention as vulnerability management. The full findings, including breakdowns by company size and industry, are in the 2026 Attack Surface Management Index. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  API Security, Attack Surface Management, cybersecurity, database security, Vulnerability Management ⚡ Top Stories This Week Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories Load More ▼ ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown [Watch Demo] See Which Security Gaps Attackers Could Exploit First Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 17, 2026
    Archived
    Jun 17, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗