Intruder's report on 3,000 organizations reveals the midmarket paradox: growing companies with enterprise-scale attack surfaces and SMB-grade resources. Remediation times for mid-sized firms exceed 50 days while automated discovery compresses time-to-exploit to a single day.

On June 17, 2026, Intruder published its Attack Surface Management Index, an analysis of roughly 3,000 organizations conducted between March 2025 and March 2026. The data draws a sharp fault line: 42% of companies have databases directly reachable from the internet, 60% expose at least one HTTP administrative panel, and remediation times for growing organizations exceed 50 days. At stake is the viability of traditional vulnerability management itself, now that automated discovery techniques have compressed time-to-exploit to a single day.

Key Takeaways
  • 42% of analyzed organizations have databases directly exposed to the internet; over a quarter (26%) specifically expose MySQL, according to Intruder's release.
  • API documentation has risen to the third most common exposure, overtaking RDP, an inversion the report calls unexpected given the Microsoft protocol's established risk profile.
  • Companies with 5,000 to 10,000 employees take 56 days to remediate, three to four times the 14–18 days of organizations with 51 to 250 employees.
  • The CISA KEV catalog lists CVE-2026-20182 (Cisco SD-WAN, CVSS 10.0) and CVE-2026-31431 (Linux kernel, CVSS 7.8) as actively exploited in 2026, underscoring the concrete danger of exposed control planes.

Databases and HTTP Panels: Topping the Top 10

The Intruder ranking opens with exposures that don't require zero-day vulnerabilities to be dangerous: they are misconfigurations, services placed where they never should have reached. 60% of organizations have at least one exposed HTTP panel — admin consoles, management UIs, or login pages for internal tools. 49% present ports or services deemed risky. 42% have databases directly reachable from the internet.

The company release breaks the database figure down further: over a quarter (26%) of organizations expose MySQL, and one in six has Postgres directly visible; the brief does not say whether the two groups overlap. Third in the top 10 is API documentation, with 30% of organizations making such files or information publicly accessible, a jump that leapfrogged RDP, now fifth despite its documented history as an initial access vector for ransomware campaigns.

The tail of the ranking consists of legacy services never designed to be internet-facing: SNMP, UPnP, NTP, RPC. These protocols date back decades, and most of them run over UDP, which is one reason they so often survive TCP-only scans and inventories. Today they form the weak links in a perimeter that automated reconnaissance makes increasingly transparent to attackers.

The "Midmarket Paradox": Enterprise Complexity, SMB Resources

The most disturbing finding in the report isn't a single percentage but a relationship: mean remediation time climbs steeply with organization size. Small outfits (51–250 employees) close exposures in 14–18 days; those with 5,000–10,000 take 56. That is not a gap but an abyss, and it opens precisely in the segment acquiring infrastructure complexity without yet having matured the security structures to match.

The sector variable amplifies the problem. According to Intruder's release, retail remediates in 10 days, banking in 11. Insurance takes nearly 50 days, automotive and pharma 43. This dispersion indicates security maturity isn't uniform even in regulated sectors, where a compliance-driven approach doesn't automatically translate to operational speed.

"With time-to-exploit now down to a single day, the question isn't just how fast you can patch. It's why the service was exposed in the first place."

The quote, reported by The Hacker News in its coverage of the Intruder report, frames the problem: when exploitation follows discovery within 24 hours, a strategy built on "fast patching" is a race most organizations cannot win. Automated attack surface discovery, via reconnaissance botnets and offensive AI models such as Mythos, cited by Intruder, has compressed the reaction window below what organizations with long remediation processes can meet.

CISA KEV and the Map of Actively Exploited Vulnerabilities

The threat context isn't theoretical. The CISA KEV catalog, a primary source for this dossier, documents vulnerabilities with confirmed exploitation in 2026 that embody exactly the exposure categories Intruder identified. CVE-2026-20182, an authentication bypass in Cisco SD-WAN with CVSS 10.0 per the NVD record, was added to the catalog with Emergency Directive 26-03. It represents the materialization of the "exposed HTTP panels" risk: a network control plane reachable and compromisable remotely.

CVE-2026-31431, a Linux kernel flaw with CVSS 7.8 per NVD, has been in the CISA catalog since January 5, 2026. It's not the highest-scoring vulnerability on the list, and a kernel flaw is typically reachable only once an attacker already has a foothold, often through one of the exposed services above. But it places the problem in the infrastructure substrate itself, the kernel, whose patch state rarely shows up in perimeter-level checks.

Technical analysis from Penligent, cited in the dossier as a primary source, corroborates the theme of active exploitation of control planes and browsers. However, the brief notes that several CVEs mentioned by Penligent — CVE-2026-20127, CVE-2026-2441, CVE-2026-21385, CVE-2026-22719 — are absent from the provided NVD sources and are therefore not verifiable in this dossier.

What to Do Now

The Intruder report doesn't provide a technical checklist, but the data yields concrete operational priorities for CISOs and security teams.

1. Map before you patch. The 42% of exposed databases and 60% of HTTP panels indicate the attack surface is often unknown to defenders themselves. Automated discovery must precede remediation: you can't protect what you can't see.

2. Reduce exposure, not just CVSS. The report's quote is explicit: for databases, admin panels, and legacy services, the right question is why they're reachable, not how fast you can patch. Attack surface reduction takes logical priority over vulnerability management.

3. Segment remediation timelines by risk class. The gap between 14 and 56 days shows patching processes don't scale with organizational size. Growing companies must build escalation triggers that cut timelines for exposures with active exploitation documented in the KEV.

4. Verify API documentation posture. API documentation overtaking RDP in the top 10 signals an emerging pattern: a published API spec (OpenAPI or Swagger, typically) hands automated reconnaissance a complete map of endpoints, parameters and authentication schemes. Publishing it is not a vulnerability in itself, but it should be a deliberate decision, and every endpoint the spec documents as authenticated deserves a check that authentication is actually enforced.
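
The four priorities above amount to one workflow: inventory what is reachable, classify it by exposure type rather than by CVSS, and let a KEV match collapse the remediation deadline. The following is an added example of that triage logic and is not Intruder's tooling or anything from the report. The port-to-category table, the SLA targets, the hostnames and the CVE identifiers in the sample data are all constructed for illustration; the only thing taken from a real source is the field layout of CISA's KEV JSON feed (`vulnerabilities`, `cveID`, `dueDate`).

```python
"""Exposure triage for an external attack surface inventory.

Added example, not Intruder's tooling: classifies internet-facing services
into the report's exposure categories (databases, HTTP panels, API docs, RDP,
legacy UDP/RPC), cross-references scanner CVEs against a CISA KEV-shaped
feed, and assigns a remediation due date per class. Port tables, SLA values
and all sample data are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed default ports; a real inventory should also key on the observed banner.
DATABASE_PORTS = {3306: "mysql", 5432: "postgres", 27017: "mongodb",
                  6379: "redis", 1433: "mssql"}
LEGACY_PORTS = {161: "snmp", 1900: "upnp", 123: "ntp", 111: "rpcbind"}
ADMIN_PATH_HINTS = ("/admin", "/login", "/manager", "/phpmyadmin", "/console")
API_DOC_HINTS = ("/swagger", "/openapi", "/api-docs", "/redoc")

# Assumed policy targets in days. The report gives observed averages
# (14 to 56 days), not targets; these are deliberately far tighter.
BASE_SLA_DAYS = {"database": 1, "rdp": 1, "http_panel": 3,
                 "api_docs": 7, "legacy": 7, "other": 14}
KEV_SLA_DAYS = 1  # escalation trigger: a KEV hit gets the observed one-day time-to-exploit
REMOVE_FROM_INTERNET = {"database", "rdp", "legacy"}  # "why is it exposed?" classes


@dataclass
class Service:
    host: str
    port: int
    banner: str = ""                                      # scanner-identified service
    http_paths: list[str] = field(default_factory=list)   # paths that answered 200
    cves: list[str] = field(default_factory=list)         # vuln-scanner findings


def classify(svc: Service) -> str:
    """Return the highest-priority exposure class for one service."""
    if svc.port in DATABASE_PORTS or svc.banner in DATABASE_PORTS.values():
        return "database"
    if svc.port == 3389 or svc.banner == "rdp":
        return "rdp"
    paths = [p.lower() for p in svc.http_paths]
    if any(p.startswith(h) for p in paths for h in ADMIN_PATH_HINTS):
        return "http_panel"
    if any(p.startswith(h) for p in paths for h in API_DOC_HINTS):
        return "api_docs"
    if svc.port in LEGACY_PORTS:
        return "legacy"
    return "other"


def load_kev(kev_json: dict) -> dict[str, date]:
    """Map cveID -> dueDate. Field names follow CISA's
    known_exploited_vulnerabilities.json; the content is whatever the caller passes."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in kev_json["vulnerabilities"]}


def triage(svc: Service, kev: dict[str, date], today: date) -> dict:
    """One remediation row: class, KEV matches, SLA, and whether to patch or unexpose."""
    category = classify(svc)
    kev_hits = sorted(c for c in svc.cves if c in kev)
    sla = BASE_SLA_DAYS[category]
    if kev_hits:
        sla = min(sla, KEV_SLA_DAYS)  # active exploitation overrides the class SLA
    action = ("remove from internet; patch afterwards"
              if category in REMOVE_FROM_INTERNET
              else "restrict access (allowlist/auth); then patch")
    return {"host": svc.host, "port": svc.port, "category": category,
            "kev_hits": kev_hits, "sla_days": sla,
            "due": (today + timedelta(days=sla)).isoformat(), "action": action}


def plan(services: list[Service], kev: dict[str, date], today: date) -> list[dict]:
    """Sorted remediation plan: soonest due first, KEV hits first on ties."""
    rows = [triage(s, kev, today) for s in services]
    rows.sort(key=lambda r: (r["due"], not r["kev_hits"], r["category"]))
    return rows


# Constructed sample data: synthetic hosts and a synthetic CVE ID, not real findings.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2000-0001", "vendorProject": "ExampleNet", "product": "EdgeRouter",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-22"},
]}
SAMPLE_SERVICES = [
    Service("db1.example.test", 3306, "mysql"),
    Service("api.example.test", 443, "https", ["/openapi.json", "/v1/users"]),
    Service("ops.example.test", 8443, "https", ["/admin/login"], ["CVE-2000-0001"]),
    Service("jump.example.test", 3389, "rdp"),
    Service("printer.example.test", 161, "snmp"),
    Service("www.example.test", 443, "https", ["/"]),
]


def demo_plan() -> list[dict]:
    """Run the triage over the constructed sample as of a fixed date."""
    return plan(SAMPLE_SERVICES, load_kev(SAMPLE_KEV), date(2026, 6, 18))


if __name__ == "__main__":
    for row in demo_plan():
        kev_note = "KEV " + ",".join(row["kev_hits"]) if row["kev_hits"] else ""
        print(f'{row["due"]}  {row["category"]:<10} {row["host"]}:{row["port"]:<5} '
              f'{kev_note:<16} {row["action"]}')
```

In production the `SAMPLE_KEV` dictionary would be replaced by the parsed contents of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, and `SAMPLE_SERVICES` by your scanner's output. The design choice worth noting is that the action for databases, RDP and legacy services is removal, not patching: the row tells the owner to answer the report's question (why is this reachable?) before anyone opens a patch ticket.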

The Abyss Between "Being Vulnerable" and "Being Exposed"

The Intruder report sketches a conceptual shift security newsrooms are observing with increasing clarity. For decades, vulnerability management measured security in patches applied, CVEs closed, CVSS scores mitigated. The 2026 data indicates this metric is losing predictive power: offensive automation no longer selects victims for poor patching, but for surface visibility.

The midmarket paradox — organizational growth outpacing defensive capability growth — isn't strictly a budget problem. It's a temporal misalignment: infrastructure expands in days, security processes in months or years. When exploitation times are measured in hours, that misalignment becomes a critical risk window no traditional patch management can close.

The dossier does not specify the exact nature of data hosted in the exposed databases, nor does it document specific corrective measures adopted by the sampled organizations. These limits leave open questions about the correlation between exposure and actual impact — but they don't diminish the force of the aggregate finding: nearly half the analyzed companies have reachable attack surfaces that shouldn't be.

Sources

  1. thehackernews.com
  2. cisa.gov
  3. nvd.nist.gov
  4. penligent.ai
  5. businesswire.com
  6. wiz.io
  7. armis.com