Censys Finds 8,500 Exposed REDCap Servers, With Only 1.18% on Latest Version
Updated · SecurityWeek · Jun 18
Summary
Only 1.18% of roughly 8,500 internet-exposed REDCap instances were running the latest 17.1.3 release as of June 16, while most observed systems used older 16.x versions, Censys said.
Google’s threat intelligence unit reported in June that China-linked UNC6508 has routinely targeted legacy REDCap servers since September 2023, hitting major US medical, academic and military research organizations for cyberespionage.
In one intrusion, the attackers planted custom credential-harvesting malware, later deployed the InfiniteRed backdoor, stayed undetected for a year and then used stolen logins to move inside the victim network and exfiltrate data.
Censys said REDCap’s ability to run legacy software alongside current versions may widen exposure; about 40% of exposed servers are in the US, with the rest spread across 100 countries.
Organizations using the clinical research platform were urged to inventory REDCap instances, patch them and keep database servers behind a firewall rather than directly exposed to the web.