Censys Scan Finds 98.82% of 8500 Exposed REDCap Instances on Legacy Versions
Censys telemetry reveals systemic exposure of REDCap research platforms, with the majority running outdated versions of the kind UNC6508 has been observed probing during long-dwell credential-theft operations. GTIG reporting and the version-distribution data together show how a design that tolerates legacy code creates persistent risk to health and scientific datasets. Remediation requires both patching and network separation of the database tier.
Censys mapped 8,500 internet-facing REDCap deployments across 100 countries, 40% of them in the US. GTIG reporting documents UNC6508 probing legacy versions that REDCap's Vanderbilt-maintained architecture explicitly permits to remain installed alongside current releases. After initial access the attackers harvested credentials, then waited one year before using them for internal network traversal and data exfiltration from medical and military research organizations.
The evidence trail rests on version telemetry rather than on disclosed CVEs: 16.0.17 dominates at 30%, followed by 16.1.4 and 16.0.15. GTIG could not confirm the initial access vector but observed repeated scanning of outdated instances. That pattern fits the documented design choice of keeping prior versions installed side by side, which leaves outdated code in production long after newer releases are available; the year-long dwell itself came from the attackers holding stolen credentials, not from the version layout.
The widespread exposure repeats a pattern seen with other medical research platforms, where public accessibility is chosen over network segmentation. The vendor's recommendation to place the database behind a firewall is routinely ignored, leaving a single exposed tier between the internet and sensitive health datasets. State actors have demonstrated both the reconnaissance and the patience to exploit that.
Organizations should inventory every instance immediately, enforce upgrades to 17.x, and remove direct internet exposure. Continued tolerance of legacy versions will sustain the access pipeline now feeding espionage campaigns against academic and healthcare networks.
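The inventory step above is the one a defender can start on today. The following is an added example, not code from Censys, GTIG or the REDCap project: it fingerprints REDCap versions from page HTML and classifies each host against a minimum acceptable release. It assumes that REDCap pages reference static assets under a version-stamped path (`/redcap_vX.Y.Z/Resources/...`), uses 17.1.3 as the floor only because that is the release the page names, and runs on constructed sample responses rather than live hosts.

```python
import re
from collections import Counter

# Constructed sample responses (hostnames and versions invented for the example),
# standing in for what an internet-facing REDCap login page would return.
# Assumption: REDCap pages link assets under a path like /redcap_v16.0.17/Resources/.
SAMPLE_RESPONSES = {
    "redcap-a.example.org": '<link rel="stylesheet" href="/redcap_v16.0.17/Resources/css/style.css">',
    "redcap-b.example.org": '<script src="/redcap_v17.1.3/Resources/js/base.js"></script>',
    "redcap-c.example.org": '<link href="/redcap_v16.1.4/Resources/css/style.css">',
    "redcap-d.example.org": "<title>Some other application</title>",
}

VERSION_RE = re.compile(r"redcap_v(\d+)\.(\d+)\.(\d+)")

# Assumed floor: the page names 17.1.3; adjust to the release your policy requires.
MIN_SUPPORTED = (17, 1, 3)


def extract_version(html: str):
    """Return (major, minor, patch) from the first REDCap asset path, or None."""
    m = VERSION_RE.search(html)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version, floor=MIN_SUPPORTED):
    """Compare as integer tuples: a string compare would rank 16.0.9 above 16.0.17."""
    if version is None:
        return "unknown"
    return "current" if version >= floor else "legacy"


def inventory(responses, floor=MIN_SUPPORTED):
    """Map host -> {'version': 'X.Y.Z' or None, 'status': current|legacy|unknown}."""
    report = {}
    for host, html in responses.items():
        v = extract_version(html)
        report[host] = {
            "version": ".".join(map(str, v)) if v else None,
            "status": classify(v, floor),
        }
    return report


def version_distribution(report):
    """Count hosts per version string, the same shape as Censys-style telemetry."""
    return Counter(r["version"] for r in report.values() if r["version"])


if __name__ == "__main__":
    rep = inventory(SAMPLE_RESPONSES)
    for host, r in rep.items():
        print(f"{host}: {r['version']} ({r['status']})")
    print(version_distribution(rep).most_common())
```

Hosts that return no fingerprint are reported as `unknown` rather than silently dropped, since an instance behind a custom front page is still an instance to track; the integer-tuple comparison matters because the page's own top versions (16.0.17 versus 16.1.4) sort incorrectly as strings.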
Censys: Fewer than 15% of current legacy REDCap instances will reach version 17.1.3 by December 2025.
Sources (2)
- [1] Primary Source (https://www.securityweek.com/majority-of-internet-accessible-redcap-servers-outdated/)
- [2] Supporting Source (https://cloud.google.com/blog/topics/threat-intelligence/unc6508-redcap-targeting)