60% of organizations had at least one HTTP panel exposed, the team at Intruder found — an exposure that, in an era when "time-to-exploit" is measured in a single day, turns routine internet-facing services into immediate risk.
Scope and method: 3,000 attack surfaces, four exposure categories
Intruder analyzed 3,000 attack surfaces for its 2026 Attack Surface Management Index and grouped findings into four categories: HTTP panels, risky ports and services, databases, and publicly accessible files and information. Their headline statistics are stark: 60% of organizations had at least one HTTP panel exposed (admin consoles, management UIs, login pages for internal tools), interfaces that "have no business being publicly reachable"; 49% exposed a risky port or service; 42% had a database reachable directly from the internet; and 30% left files or information publicly accessible that shouldn't be, including API documentation and configuration files.
Top 10 exposures — databases and admin panels lead the list
Intruder's ranking of the ten most common exposures over the past 12 months shows databases occupying the top two slots and a mix of web admin panels, remote access, and legacy services filling out the rest:
- MySQL Database Exposed — 26%
- Postgres Database Exposed — 16%
- API Documentation Exposed — 15%
- WordPress Admin Panel Exposed — 15%
- Remote Desktop Service Exposed — 11%
- SNMP Service Exposed — 9%
- phpMyAdmin Admin Panel Exposed — 8%
- UPnP Service Exposed — 8%
- NTP Service Exposed — 7%
- RPC Portmapper Service Exposed — 7%
Intruder points out that exposed databases—MySQL and Postgres—are particularly common, with more than a quarter of organizations exposing MySQL and one in six exposing Postgres.
Why exposed databases and API docs are especially dangerous
Internet-facing databases have long been targeted by opportunistic attackers. Intruder's note recalls the PLEASE_READ_ME ransomware campaign in 2020, which compromised more than 250,000 MySQL databases by brute-forcing weak credentials, and observes that MongoDB and Elasticsearch have faced the same pattern. API documentation, ranked third, is "more exposed than RDP" in Intruder's dataset: while some API docs are intentionally public, teams frequently overlook documentation tied to private or admin-side APIs that were never meant to be discoverable. Public API docs can convert obscure or hard-to-find vulnerabilities into clearly documented attack paths.
RDP and legacy services: old vectors still at play
Remote Desktop Service (RDP) remains a notable entry point at number five. Intruder highlights RDP's history as an initial access vector in ransomware attacks, citing BlueKeep in 2019 as an example that left nearly a million systems immediately exploitable and noting that credential guessing against exposed RDP "remains one of the most reliable ways ransomware operators get in." The remaining entries—SNMP, UPnP, NTP, RPC—are legacy services designed for internal networks "that were never meant to be internet-facing."
What this means for security teams, procurement leaders, and end users
Security teams: The data suggest shifting some attention from pure patching to attack surface reduction. Intruder argues that for many items on the list—databases, admin panels, legacy services—the "better question is why they're reachable at all," not just how fast they can be patched.
Procurement leaders: Vendors and managed services that require administrative UIs or management ports should be assessed for whether those interfaces must be internet-accessible. Intruder's breakdowns by company size and industry, available in the full 2026 Attack Surface Management Index, are meant to inform such purchase and configuration decisions.
End users and operators: Publicly accessible files and information—API documentation, config files, or data that "was never intended to be discoverable"—can expose systems even when software is otherwise up to date. Visibility and configuration controls matter as much as patch cadence.
Intruder highlights a practical, if uncomfortable, point: breaches don't always start with a zero-day. Vulnerabilities like MongoBleed earlier this year, which allowed attackers to pull credentials and session tokens from server memory without authentication, illustrate how swiftly internet-facing services can be exploited once a flaw is public. With time-to-exploit down to a single day, the concrete next step for organizations is straightforward in principle and hard in practice: ask why an administrative panel, a database, or a legacy service is reachable from the internet at all, and remove that reachability where possible.
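The recommendation above, "ask why it is reachable at all," is easier to act on when a team's own external scan results are mapped onto the index's categories. The following script is an added example, not Intruder's tooling or code from the article. It assumes the team has saved an external scan of its own address space in nmap's grepable (-oG) output format and, for the two HTTP-level categories that a port scan cannot see, a list of URL paths discovered by a crawl of its own web properties. The sample scan lines, hostnames in the 203.0.113.0/24 documentation range, and URL list are all constructed; the `intended_public` allowlist is a hypothetical way to record exceptions the owner has consciously approved.

```python
"""Triage an external port scan and crawled paths against the four exposure categories.

Added example; not Intruder's tooling. Assumes nmap -oG input (one "Host:" line per
host, port entries separated by ", ", fields separated by "/"; nmap writes "|" in
place of "/" inside version strings, so splitting on "/" is safe).
"""
import re
from collections import defaultdict

# Constructed sample of nmap -oG output for three hypothetical hosts (documentation range).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx/, 5432/open/tcp//postgresql//PostgreSQL 15/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 203.0.113.12 ()\tPorts: 161/open/udp//snmp//SNMPv1 public/, 123/open/udp//ntp//NTP v4/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/
# Nmap done (constructed sample)
"""

# Constructed list of paths a crawl of the organisation's own sites might have found.
SAMPLE_URLS = [
    "https://203.0.113.11/wp-admin/",
    "https://203.0.113.11/api/openapi.json",
    "https://203.0.113.11/.env",
    "https://203.0.113.11/blog/",
]

# Port-level entries from the top-10 list, keyed by (protocol, port).
PORT_EXPOSURES = {
    ("tcp", 3306): ("MySQL Database Exposed", "Databases"),
    ("tcp", 5432): ("Postgres Database Exposed", "Databases"),
    ("tcp", 3389): ("Remote Desktop Service Exposed", "Risky ports and services"),
    ("udp", 161): ("SNMP Service Exposed", "Risky ports and services"),
    ("udp", 1900): ("UPnP Service Exposed", "Risky ports and services"),
    ("udp", 123): ("NTP Service Exposed", "Risky ports and services"),
    ("tcp", 111): ("RPC Portmapper Service Exposed", "Risky ports and services"),
    ("udp", 111): ("RPC Portmapper Service Exposed", "Risky ports and services"),
}

# URL-path signatures for the two categories a port scan cannot see (HTTP panels, public files).
PATH_EXPOSURES = [
    (re.compile(r"^/wp-admin(/|$)"), "WordPress Admin Panel Exposed", "HTTP panels"),
    (re.compile(r"^/(phpmyadmin|pma)(/|$)", re.I), "phpMyAdmin Admin Panel Exposed", "HTTP panels"),
    (re.compile(r"/(swagger|openapi)[^/]*\.(json|ya?ml)$|^/api-docs(/|$)", re.I),
     "API Documentation Exposed", "Public files and information"),
    (re.compile(r"/\.env$|\.(ini|conf|config)$", re.I),
     "Configuration File Exposed", "Public files and information"),
]

# "Host: <addr> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Yield (host, proto, port, service, version) for every open port in nmap -oG text."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, "Status:" lines, hosts with no ports
        host, ports_field = m.groups()
        for entry in ports_field.split(", "):
            f = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if len(f) < 7 or f[1] != "open":
                continue
            yield host, f[2], int(f[0]), f[4], f[6]


def triage_ports(text, intended_public=frozenset()):
    """Map open ports onto the index's exposure names; (host, port) pairs in
    intended_public are documented exceptions, everything else is flagged for removal."""
    findings = []
    for host, proto, port, service, version in parse_grepable(text):
        if (proto, port) not in PORT_EXPOSURES:
            continue
        name, category = PORT_EXPOSURES[(proto, port)]
        action = "documented exception" if (host, port) in intended_public else "remove reachability"
        findings.append({"host": host, "port": port, "proto": proto, "exposure": name,
                         "category": category, "detail": version or service, "action": action})
    return findings


def triage_paths(urls):
    """Classify crawled URLs into the HTTP panel / public file categories."""
    findings = []
    for url in urls:
        path = re.sub(r"^https?://[^/]+", "", url) or "/"
        for pattern, name, category in PATH_EXPOSURES:
            if pattern.search(path):
                findings.append({"url": url, "exposure": name, "category": category,
                                 "action": "verify intended, otherwise restrict"})
                break
    return findings


def summarize(findings):
    """Count findings per category, most common first, as the index ranks them."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["category"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for f in triage_ports(SAMPLE_SCAN) + triage_paths(SAMPLE_URLS):
        print(f)
    print(summarize(triage_ports(SAMPLE_SCAN) + triage_paths(SAMPLE_URLS)))
```

Run against the constructed sample, the port triage flags both databases, RDP, SNMP, NTP and the portmapper, and the path triage flags the WordPress admin page, the OpenAPI document and the `.env` file while leaving `/blog/` alone. Whatever lands in "remove reachability" without a matching `intended_public` entry is the list to take to the firewall or load balancer owners; the allowlist forces each remaining exposure to be an explicit decision rather than a default.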
Read the full findings: https://thehackernews.com/2026/06/the-top-10-attack-surface-exposures-in.html