Breaches don’t always start with a zero-day. Sometimes it’s an admin panel that never should have been public, or a database with credentials reused from a 2019 leak. But when a vulnerability does drop — like MongoBleed, which let attackers pull credentials from server memory without authentication — anything internet-facing becomes a target immediately.
Security firm Intruder analyzed 3,000 attack surfaces to figure out what’s exposed that shouldn’t be. The results are a reality check for most organizations.
The top finding: exposed databases. MySQL databases are reachable from the internet in 26% of organizations. Postgres isn’t far behind at 16%. That’s more than a quarter of companies with a database directly reachable by anyone on the internet with enough patience to try common or previously leaked passwords.
Next on the list are HTTP panels (admin consoles, management UIs, login pages for internal tools), which by percentage are the most common exposure of all: 60% of organizations have at least one reachable. API documentation ranked third at 15%, ahead of remote desktop at 11%. Exposed API docs matter because an OpenAPI or Swagger spec enumerates every endpoint and parameter, turning vulnerabilities an attacker would otherwise have to find by guessing into a documented attack path.
Remote desktop at number five remains a concern: credential guessing against exposed RDP is still one of the most reliable entry points for ransomware operators. The rest of the list (SNMP, phpMyAdmin, UPnP, NTP, RPC portmapper) is made up of services built for internal networks, or in phpMyAdmin’s case a web front end to a database that should sit behind access controls, that somehow ended up facing the internet. Several of them (SNMP, NTP, UPnP/SSDP, portmapper) also answer unauthenticated UDP queries, so an exposed host can be abused as a reflector in amplification attacks even if it is never itself compromised.
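One way to run your own version of this check is to take an external scan of your address space and flag anything that falls into the categories above. The script below is an added example, not code from Intruder or from the article: it parses nmap’s greppable (-oG) output, adds a list of HTTP paths seen by a web probe, and sorts the results for triage. The scan lines and web paths are constructed samples; the port-to-category table uses standard port numbers (the report names services, not ports), the path patterns and the severity order are this example’s own assumptions, and a service on a non-standard port is only caught if nmap’s service detection labels it.

```python
"""Flag internet-reachable services from an external nmap scan against the
exposure categories discussed above.  Added example, not Intruder's or the
article's own code.  All input below is constructed."""

import re
from dataclasses import dataclass

# Standard ports for the report's service list (assumption: the report
# names services, not port numbers).
PORT_RULES = {
    ("tcp", 3306): "database",    # MySQL
    ("tcp", 5432): "database",    # PostgreSQL
    ("tcp", 3389): "rdp",
    ("udp", 161): "snmp",
    ("udp", 1900): "upnp",        # SSDP discovery
    ("udp", 123): "ntp",
    ("tcp", 111): "portmapper",
    ("udp", 111): "portmapper",
}

# Fallback on nmap's service name so a database on a non-standard port is
# still flagged when service detection (-sV) identified it.
SERVICE_RULES = {
    "mysql": "database",
    "postgresql": "database",
    "ms-wbt-server": "rdp",
    "snmp": "snmp",
    "upnp": "upnp",
    "ntp": "ntp",
    "rpcbind": "portmapper",
}

# Paths seen by a web probe.  Order matters: phpMyAdmin is matched before
# the generic panel rule.  Patterns are this example's assumption.
PATH_RULES = [
    (re.compile(r"/phpmyadmin", re.I), "phpmyadmin"),
    (re.compile(r"/(swagger|openapi|api-docs|redoc)", re.I), "api_docs"),
    (re.compile(r"/(admin|manager|console|login)", re.I), "http_panel"),
]

# Triage order used for sorting (an assumption here, not the report's ranking).
SEVERITY = ["database", "rdp", "phpmyadmin", "http_panel", "api_docs",
            "snmp", "portmapper", "upnp", "ntp"]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    category: str
    evidence: str


def parse_grepable(text):
    """Yield (host, port, proto, service, version) for open ports in nmap -oG output.

    Each port entry has the form port/state/proto/owner/service/rpcinfo/version/.
    Versions containing a comma would be split incorrectly; nmap rarely emits them."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":   # skip open|filtered etc.
                continue
            yield host, int(fields[0]), fields[2], fields[4], fields[6]


def classify_port(port, proto, service):
    """Map an open port to an exposure category, or None if not on the list."""
    return PORT_RULES.get((proto, port)) or SERVICE_RULES.get(service)


def find_exposures(grepable, web_paths):
    """Return findings sorted by triage severity, then host and port.

    web_paths is a list of (host, port, path) tuples that returned HTTP 200."""
    findings = set()
    for host, port, proto, service, version in parse_grepable(grepable):
        category = classify_port(port, proto, service)
        if category:
            findings.add(Finding(host, port, proto, category, f"{service} {version}".strip()))
    for host, port, path in web_paths:
        for pattern, category in PATH_RULES:
            if pattern.search(path):
                findings.add(Finding(host, port, "tcp", category, path))
                break
    return sorted(findings, key=lambda f: (SEVERITY.index(f.category), f.host, f.port))


# Constructed sample scan (nmap -oG format) and web-probe results.
SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.5 (db1.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1/, 3306/open/tcp//mysql//MySQL 8.0.36/\tIgnored State: closed (998)
Host: 203.0.113.9 (app.example.test)\tPorts: 443/open/tcp//https//nginx/, 15432/open/tcp//postgresql//PostgreSQL DB 15.5/\tIgnored State: filtered (998)
Host: 203.0.113.12 (win.example.test)\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/
Host: 203.0.113.20 (cam.example.test)\tPorts: 161/open/udp//snmp//SNMPv1 server/, 1900/open/udp//upnp//MiniUPnP/, 123/open/udp//ntp//NTP v4/
Host: 203.0.113.30 (clean.example.test)\tPorts: 443/open/tcp//https//nginx/
"""

WEB_PATHS = [
    ("203.0.113.9", 443, "/swagger/index.html"),
    ("203.0.113.9", 443, "/admin/login"),
    ("203.0.113.5", 8080, "/phpmyadmin/index.php"),
    ("203.0.113.30", 443, "/"),
]

if __name__ == "__main__":
    for f in find_exposures(SCAN, WEB_PATHS):
        print(f"{f.category:<11} {f.host}:{f.port}/{f.proto}  {f.evidence}")
```

The PostgreSQL instance on 15432 is caught only because nmap’s service detection labelled it, which is the reason to scan with -sV rather than trusting port numbers; the clean host with nothing but HTTPS on 443 produces no finding.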
The takeaway isn’t that patching doesn’t matter. It’s that for a lot of these exposures, the better question is why they’re reachable at all. Attack surface reduction doesn’t get the same attention as vulnerability management, but for many organizations, it would prevent more incidents than the next patch cycle ever will.
