The Top 10 Attack Surface Exposures in 2026

By Team-CWD, June 25, 2026


Breaches don’t always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk.

With time-to-exploit now down to a single day, the question isn’t just how fast you can patch. It’s why the service was exposed in the first place.

The team at Intruder analyzed 3,000 attack surfaces to find out how much of a typical organization’s attack surface consists of services that have no reason to be there. We grouped what we found into four categories — HTTP panels, risky ports and services, databases, and publicly accessible files and information.

The full findings, including breakdowns by company size and industry, are in our 2026 Attack Surface Management Index.

How widespread is the problem?

  • 60% of organizations had at least one HTTP panel exposed — admin consoles, management UIs, login pages for internal tools that have no business being publicly reachable.
  • Nearly half (49%) had a risky port or service exposed.
  • 42% had a database reachable directly from the internet. 
  • 30% had files or information publicly accessible that shouldn’t be — API documentation, config files, data that was never intended to be discoverable.

The ten most common exposures

These are the most common attack surface exposures affecting organizations in the past 12 months.

  1. MySQL Database Exposed — 26%
  2. Postgres Database Exposed — 16%
  3. API Documentation Exposed — 15%
  4. WordPress Admin Panel Exposed — 15%
  5. Remote Desktop Service Exposed — 11%
  6. SNMP Service Exposed — 9%
  7. phpMyAdmin Admin Panel Exposed — 8%
  8. UPnP Service Exposed — 8%
  9. NTP Service Exposed — 7%
  10. RPC Portmapper Service Exposed — 7%

Databases dominate the top two spots

Exposed databases take the top two spots, with more than a quarter of organizations exposing MySQL, and Postgres affecting 1 in 6. Internet-facing databases have long been a target for opportunistic attackers. The PLEASE_READ_ME ransomware campaign in 2020 compromised more than 250,000 MySQL databases by brute-forcing weak credentials. MongoDB and Elasticsearch have faced the same.

API documentation is more exposed than RDP

API documentation ranked third — ahead of RDP, which surprised us. Some API docs are intentionally public, but organizations frequently overlook documentation tied to private or admin-side APIs that were never meant to be discoverable. Public API docs can turn otherwise hard-to-find vulnerabilities into documented attack paths.

RDP remains a ransomware entry point

RDP at number five is a concern given its history as an initial access vector in ransomware attacks. BlueKeep in 2019 left nearly a million systems immediately exploitable. Credential guessing against exposed RDP remains one of the most reliable ways ransomware operators get in.

The rest of the list was never meant to be internet-facing

The remainder of the list — SNMP, UPnP, NTP, RPC — are legacy services designed for internal networks that were never meant to be internet-facing. 
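
A host-side check for the database, RDP and legacy services in the list above, added here as an example and not part of the original article or Intruder's tooling: it parses `ss -tuln` output and flags listeners for those services that are bound beyond loopback. The port mapping assumes each service's default port, and the sample output is constructed.

```python
import ipaddress

# Default ports for services named in the top-ten list. Assumption: default
# ports only; a service moved to a non-default port is not matched.
RISKY = {
    ("tcp", 3306): "MySQL", ("tcp", 5432): "Postgres",
    ("tcp", 3389): "Remote Desktop", ("udp", 161): "SNMP",
    ("udp", 1900): "UPnP", ("udp", 123): "NTP",
    ("tcp", 111): "RPC Portmapper", ("udp", 111): "RPC Portmapper",
}

# Constructed sample of `ss -tuln` output (not taken from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:161        0.0.0.0:*
tcp   LISTEN 0      151          0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128             [::]:111           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    10.0.0.5%eth0:3389       0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (proto, address, port) for each tcp/udp socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            # Drop the %iface scope first, then any IPv6 brackets.
            yield fields[0], addr.split("%")[0].strip("[]"), int(port)

def bind_scope(addr):
    """Classify a bind address as loopback, all-interfaces or specific."""
    if addr == "*":  # ss prints * for a dual-stack wildcard bind
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"

def find_exposed(ss_output):
    """Return (service, proto, port, scope) for listed services off loopback."""
    return [(RISKY[(proto, port)], proto, port, bind_scope(addr))
            for proto, addr, port in parse_listeners(ss_output)
            if (proto, port) in RISKY and bind_scope(addr) != "loopback"]
```

A non-loopback bind is only the first condition for internet exposure; firewall and security-group rules decide whether the port is actually reachable from outside.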

Get the full findings

Most teams treat patching as the priority. But for a lot of what’s on this list — databases, admin panels, legacy services — the better question is why they’re reachable at all. That’s where attack surface reduction comes in — and for most organizations, it’s not getting the same attention as vulnerability management.

The full findings, including breakdowns by company size and industry, are in the 2026 Attack Surface Management Index.

This article is a contributed piece from one of our valued partners.




