Early-warning radar

KEV-Exposure Radar

We continuously scan the public internet (via Shodan’s banner data) for servers running a software version with a known, actively exploited vulnerability: one on CISA’s Known Exploited Vulnerabilities (KEV) list. We then cross-reference those findings against our live CVE + KEV + EPSS feed. The result is a list of systems that aren’t “maybe vulnerable”; they’re running the exact version attackers are exploiting right now.

Internet-facing hosts running an actively-exploited CVE: 0
Distinct actively-exploited (KEV) CVEs seen exposed: 0
Host × CVE matches: 0

Why this is a risk

A KEV is a vulnerability CISA has confirmed is being exploited in the wild today — working, public exploit code exists and attackers are using it. So when a server on the internet is running an affected version, it is effectively pre-breach:

  • No research needed by the attacker — the exploit is off-the-shelf.
  • These are the exact flaws behind real ransomware and nation-state breaches (e.g. Citrix Bleed, MOVEit, Tomcat RCE).
  • CISA legally mandates U.S. federal agencies to patch KEVs within a deadline — that’s how urgent they are.

Each CVE below links to its full detail — description, the exploited weakness, and remediation.

The radar is warming up — its first internet-wide correlation pass is in progress. Check back shortly.

Are you exposed?

Want to know if your infrastructure is in this dataset? Run a free, passive scan of your own internet-facing surface — no agent, no signup required.


How it works

How do you know it's actually exploitable?

We only count CVEs that are CISA-KEV listed (confirmed exploited in the wild) or carry a high EPSS score (high modeled probability of exploitation). The match is version-precise: we read the product + version from the public banner and check it against the affected ranges in our CVE feed — so we never claim “vulnerable” for a patched version.
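The version-precise check described above, applied to your own asset inventory, as an added example (not the radar's own code). Product names, versions, CVE ids and the 0.5 EPSS cutoff are constructed placeholders, and versions are assumed to be dotted integers with at most four parts.

```python
from typing import NamedTuple

EPSS_THRESHOLD = 0.5  # assumption: the page says "high EPSS" without giving a cutoff

class Advisory(NamedTuple):
    cve: str          # placeholder id, not a real CVE
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first patched version (exclusive)
    kev: bool         # listed in CISA KEV
    epss: float       # modeled exploitation probability, 0..1

def parse_version(text):
    """'2.4.9' -> (2, 4, 9, 0); None when the string is not dotted integers."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def in_affected_range(product, version, adv):
    """True only when product matches and introduced <= version < fixed."""
    v, lo, hi = (parse_version(s) for s in (version, adv.introduced, adv.fixed))
    if None in (v, lo, hi):
        return False  # unparseable banner: never claim "vulnerable"
    return product.lower() == adv.product.lower() and lo <= v < hi

def exposure(inventory, feed):
    """Sorted (host, cve) pairs counted under the KEV-or-high-EPSS rule."""
    return sorted(
        (host, adv.cve)
        for host, product, version in inventory
        for adv in feed
        if (adv.kev or adv.epss >= EPSS_THRESHOLD)
        and in_affected_range(product, version, adv)
    )

# Constructed sample feed and inventory.
FEED = [
    Advisory("CVE-0000-0001", "examplehttpd", "2.4.0", "2.4.10", True, 0.12),
    Advisory("CVE-0000-0002", "examplehttpd", "2.0.0", "2.4.5", False, 0.91),
    Advisory("CVE-0000-0003", "examplevpn", "1.0", "1.3", False, 0.02),
]
INVENTORY = [
    ("web-1", "ExampleHTTPd", "2.4.9"),         # affected by 0001 only
    ("web-2", "ExampleHTTPd", "2.4.10"),        # patched: no match
    ("web-3", "ExampleHTTPd", "2.4.3"),         # affected by 0001 and 0002
    ("vpn-1", "ExampleVPN", "1.2"),             # in range, but not KEV or high EPSS
    ("web-4", "ExampleHTTPd", "2.4.x-custom"),  # unparseable: not counted
]

if __name__ == "__main__":
    for host, cve in exposure(INVENTORY, FEED):
        print(host, cve)
```
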

Is this passive and legal?

Yes. We read Shodan’s already-public banner catalogue and correlate it with our own CVE/KEV/EPSS data. We never connect to, probe, log into, or access the hosts. It’s standard, read-only threat intelligence — the same data class as Shodan, Censys, and Shadowserver.

Why don't you show the individual IPs?

A public list of vulnerable IPs is a ready-made attacker target list — that would be irresponsible. We keep host details private for responsible disclosure to the affected organisations, and we publish only aggregate counts here. (Use the scanner above to see your own exposure.)

Aggregates only. Passive, read-only detection (public Shodan banners × our CVE/KEV/EPSS feed); host IPs withheld; affected organisations notified via responsible disclosure.