KEV-Exposure Radar
We continuously scan the public internet (via Shodan’s banner data) for servers running a software version with a known, actively-exploited vulnerability — one on CISA’s Known-Exploited-Vulnerabilities (KEV) list. Then we cross-reference our live CVE + KEV + EPSS feed. The result is a list of systems that aren’t “maybe vulnerable” — they’re running the exact version attackers are exploiting right now.
Why this is a risk
A KEV is a vulnerability CISA has confirmed is being exploited in the wild today — working, public exploit code exists and attackers are using it. So when a server on the internet is running an affected version, it is effectively pre-breach:
- • No research needed by the attacker — the exploit is off-the-shelf.
- • These are the exact flaws behind real ransomware and nation-state breaches (e.g. Citrix Bleed, MOVEit, Tomcat RCE).
- • CISA legally mandates U.S. federal agencies to patch KEVs within a deadline — that’s how urgent they are.
Each CVE below links to its full detail — description, the exploited weakness, and remediation.
Most-exposed actively-exploited CVEs
| CVE | Severity | CVSS | EPSS | Exposed hosts |
|---|---|---|---|---|
| CVE-2023-44487 | HIGH | 7.5 | 94% | 102 |
| CVE-2023-29552 | HIGH | 7.5 | 92% | 97 |
| CVE-2025-24813 | CRITICAL | 9.8 | 94% | 89 |
| CVE-2016-8735 | CRITICAL | 9.8 | 94% | 79 |
| CVE-2023-6549 | HIGH | 8.2 | 80% | 52 |
| CVE-2023-6548 | MEDIUM | 5.5 | 6% | 52 |
| CVE-2025-14847 | HIGH | 7.5 | 57% | 51 |
| CVE-2023-4966 | CRITICAL | 9.4 | 94% | 51 |
| CVE-2023-3519 | CRITICAL | 9.8 | 93% | 50 |
| CVE-2025-5777 | HIGH | 7.5 | 65% | 50 |
| CVE-2025-6543 | CRITICAL | 9.8 | 1% | 50 |
| CVE-2025-7775 | CRITICAL | 9.8 | 8% | 50 |
By software
- Esxi97
- Tomcat89
- Http Server60
- Netscaler Gateway52
- Mongodb51
- Jenkins25
- Drupal24
- Wordpress23
- Nginx6
- Internet Information Services3
- Exchange Server2
- Fortios1
By country
- United States77
- China52
- Australia47
- Germany27
- France23
- Brazil16
- Korea, Republic of14
- India11
- Netherlands11
- Viet Nam10
Are you exposed?
Want to know if your infrastructure is in this dataset? Run a free, passive scan of your own internet-facing surface — no agent, no signup required.
Check your exposure →How it works
How do you know it's actually exploitable?
We only count CVEs that are CISA-KEV listed (confirmed exploited in the wild) or carry a high EPSS score (high modeled probability of exploitation). The match is version-precise: we read the product + version from the public banner and check it against the affected ranges in our CVE feed — so we never claim “vulnerable” for a patched version.
Is this passive and legal?
Yes. We read Shodan’s already-public banner catalogue and correlate it with our own CVE/KEV/EPSS data. We never connect to, probe, log into, or access the hosts. It’s standard, read-only threat intelligence — the same data class as Shodan, Censys, and Shadowserver.
Why don't you show the individual IPs?
A public list of vulnerable IPs is a ready-made attacker target list — that would be irresponsible. We keep host details private for responsible disclosure to the affected organisations, and we publish only aggregate counts here. (Use the scanner above to see your own exposure.)