SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Intruder finds exposed MySQL databases in 26% of firms

Thu, 14th May 2026
Sean Mitchell, Publisher

Intruder has released its 2026 Attack Surface Management Index, which found that 26% of organisations have exposed MySQL databases.

Drawing on anonymised data from more than 3,000 customers, the study examines the most common internet-facing exposures, how long they remain in place, and how patterns differ by sector and company size.

MySQL databases were the most common single exposure identified. More than one in seven organisations also had exposed API documentation, placing it ahead of Remote Desktop Protocol, which is often linked to ransomware attacks.

The findings point to broader weaknesses across internet-facing systems. Nearly half of organisations, 49%, exposed risky ports and services, with RDP the most common in that group.

Administrative interfaces also featured prominently. WordPress Admin was exposed in 15% of organisations in the dataset, while phpMyAdmin appeared in 8%.

Older network services remained visible as well. SNMP was exposed in 9% of organisations and UPnP in 8%, even though both are intended for internal networks rather than public internet access.

Chris Wallis, chief executive officer and founder of Intruder, linked the findings to changes in the wider threat landscape.

"The emergence of autonomous AI models like Mythos has fundamentally shifted the cybersecurity landscape. The security industry is seeing a major compression in the time between vulnerability discovery and exploitation. In this high-speed era, leaving a MySQL database or private API documentation exposed to the internet is an open invitation for automated, high-speed extortion," Wallis said.

Size gap

Exposure management becomes harder as organisations grow. Businesses with more than 5,000 employees managed more than twice as many external assets as those with 1,000 to 5,000 employees, and almost 35 times more than companies with 51 to 250 staff.

That growth also appears to slow remediation. Small organisations fixed issues fastest, taking an average of 14 to 18 days, while firms with 5,000 to 10,000 employees took an average of 56 days to remove exposures.

Intruder described this as a particular challenge for the midmarket, defined as businesses with 251 to 5,000 employees, and for companies scaling towards enterprise size. These organisations often face the complexity of larger estates without equivalent staffing or budgets.

Sector divide

The data also showed a sharp divide between sectors. Banks and retailers recorded the shortest remediation periods, taking 11 days and 10 days respectively to address exposures.

By contrast, insurance firms took nearly 50 days on average. Pharmaceutical and automotive companies each averaged 43 days, while financial services businesses outside banking took 24 days.

Wallis said the contrast pointed to uneven levels of operational maturity across industries.

"The data highlights a significant maturity gap between sectors. Banks and retailers have streamlined their attack surface reduction processes to a matter of days, but sectors like insurance and pharmaceuticals are taking weeks longer. Many of the exposures we examined don't even need a CVE to be exploited. For example, an exposed database or admin panel can be compromised through brute force or credential stuffing alone. As a result, remediation efforts that take 40-50 days leave this window open far too long," he said.

Exposure trends

The index grouped exposures into HTTP panels, ports, services, databases, files and information made accessible on the public internet. Databases ranked first among the categories highlighted in the findings.

The report comes amid growing attention on the time between vulnerability discovery and exploitation. Intruder argued that when an unnecessary service remains reachable from the internet, organisations face avoidable risk even before a software flaw is formally catalogued.

That argument is reflected in the report's focus on exposures that can be abused without a published vulnerability identifier. Publicly accessible admin panels, database interfaces and documentation can give attackers direct routes for brute-force attempts, credential stuffing and follow-on reconnaissance.

For larger organisations, the findings suggest attack surface growth is not linear. As digital estates expand across cloud services, web applications and administrative tooling, the number of external assets can rise faster than teams' ability to track and close gaps.

Smaller businesses showed a different pattern. Although they managed fewer assets overall, they closed exposures more quickly, with remediation times measured in weeks rather than months.

The report is based on customer data collected over a year-long period ending in March 2026 and covers organisations across multiple industries and size bands. It found that exposed databases, internet-facing admin interfaces and public API documentation remain among the most persistent weaknesses across the external attack surface.