SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
MySQL exposures & slow fixes plague firms, study finds

Fri, 15th May 2026
Joseph Gabriel Lagonsin, News Editor

Intruder has released its 2026 Attack Surface Management Index, based on anonymised data from 3,000 organisations.

The report found that 26% of organisations had MySQL databases exposed to the internet. More than one in seven had exposed API documentation, while 49% exposed risky ports and services, most commonly Remote Desktop Service.

Other internet-facing systems identified in the data included WordPress Admin, present in 15% of organisations, and phpMyAdmin, found in 8%. Legacy services also remained visible on the public internet, with SNMP exposed in 9% of organisations and UPnP in 8%.

The figures point to persistent weaknesses in how companies manage systems that should not be reachable from outside their networks. The findings come as security teams face concerns that AI tools could shorten the time between the discovery of a software flaw and its exploitation.

"The emergence of autonomous AI models like Mythos has fundamentally shifted the cybersecurity landscape," said Chris Wallis, Chief Executive Officer and Founder of Intruder.

"The security industry is seeing a major compression in the time between vulnerability discovery and exploitation. In this high-speed era, leaving a MySQL database or private API documentation exposed to the internet is an open invitation for automated, high-speed extortion."

Remediation times

The data also showed large differences in how quickly organisations removed exposed assets. Smaller organisations were the fastest to act, taking an average of 14 to 18 days to remediate issues. Firms with 5,000 to 10,000 employees took 56 days on average.

That group was the slowest in the dataset, with remediation times nearly four times longer than those of smaller businesses. Intruder described this as a midmarket bottleneck, where companies face growing technical complexity without the resources of the largest enterprises.

The study linked the slowdown to the rising number of external assets organisations must monitor. Businesses with more than 5,000 employees managed more than twice as many external assets as those with 1,000 to 5,000 employees, and almost 35 times more than companies with 51 to 250 employees.

Sector divide

The report found a sharp split between industries in remediation speed. Banks took an average of 11 days to close exposures, while retail firms averaged 10 days.

Insurance companies took far longer, requiring nearly 50 days on average to address similar issues. Pharmaceutical and automotive firms also lagged, with remediation times averaging 43 days, while financial services firms outside banking averaged 24 days.

Wallis said the gaps reflected uneven security maturity across sectors.

"The data highlights a significant maturity gap between sectors.

"Banks and retailers have streamlined their attack surface reduction processes to a matter of days, but sectors like insurance and pharmaceuticals are taking weeks longer. Many of the exposures we examined don't even need a CVE to be exploited. For example, an exposed database or admin panel can be compromised through brute force or credential stuffing alone. As a result, remediation efforts that take 40-50 days leave this window open far too long."

Exposure trends

The index grouped exposures into categories including HTTP panels, ports, services, databases, files and information visible from the internet. Exposed databases ranked as the leading issue in the data, with MySQL at the top and Postgres also featuring prominently in the wider findings.

According to the report, API documentation ranked ahead of Remote Desktop in the list of exposures. Such documentation can reveal details about internal systems and available functions, even when it is not intended for public access.

Admin interfaces also remained a recurring issue. Systems such as WordPress Admin and phpMyAdmin are commonly used for site and database management, but are generally intended for internal or tightly controlled access rather than open internet exposure.

The same applied to older network services such as SNMP and UPnP, which are often designed for private networks. Their continued presence on the public internet suggests some organisations still carry legacy configuration risks alongside newer web-facing services.

Intruder, founded in 2015, said the analysis was based on customer data collected over a 12-month period ending in March 2026. The company now works with more than 3,000 customers worldwide.