What the EU's Internet Looks Like From the Outside: A Shodan Exposure Research Paper Across 14 Protocols
Research Period: March 1, 2026 to March 7, 2026
Abstract
This paper presents a visibility analysis of publicly reachable network services across all 27 European Union member states, conducted between March 1 and March 7, 2026. Using Shodan indexed data, we examined 14 protocols spanning legacy remote access, relational and NoSQL databases, analytics infrastructure, remote desktop protocols, and industrial control systems.
Total observable exposure across all 14 protocols exceeds 2.85 million publicly reachable services within the EU alone. This research does not constitute a vulnerability assessment. No systems were exploited or accessed beyond what they present publicly. The purpose is to quantify and contextualise the EU's externally visible attack surface.
Important Limitations and Scope Boundaries
Shodan Does Not See Everything
Shodan is comprehensive but has meaningful blind spots. Not every internet-connected device is indexed. The figures in this paper are conservative floor estimates. The actual number of publicly reachable services is likely higher than what Shodan indexes.
Port Does Not Guarantee Protocol
Not every service responding on a given port is the expected protocol. Where fingerprinting confidence is high we note confirmed instance counts. Where it is low we caveat accordingly.
Exposed Does Not Mean Vulnerable
A service being publicly reachable does not automatically mean it is exploitable or misconfigured. Many organisations legitimately expose services with appropriate controls in place. Exposure is a precondition for attack, not an attack itself. What exposure does is increase the number of entities that can attempt to interact with your service. Best practices matter precisely because the gap between exposed and properly hardened versus exposed and misconfigured is the entire difference between a non-event and a critical incident.
Methodology
Research period: March 1, 2026 to March 7, 2026
Scope: All 27 European Union member states
AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE
Data source: Shodan indexed visibility data. All results reflect observable exposure only.
The Full Picture at a Glance
| Protocol | Port | Total EU Exposed | Primary Risk |
|---|---|---|---|
| FTP | 21 | 1,302,357 | Data leakage, anonymous access |
| RDP | 3389 | 416,856 | Brute force, ransomware delivery |
| MySQL | 3306 | 233,262 | Direct database access, legacy exploits |
| SMB | 445 | 210,306 | Wormable exploits, NTLM relay |
| PostgreSQL | 5432 | 185,649 | Credential attacks, CVE targeting |
| Telnet | 23 | 121,174 | Cleartext credentials, botnet targeting |
| MSSQL | 1433 | 71,655 | OS command execution, brute force |
| VNC | 5900 | 69,622 | Full desktop takeover |
| Redis | 6379 | 61,718 | RCE via misconfiguration |
| MongoDB | 27017 | 60,534 | Full database access, ransomware wipe |
| Modbus | 502 | 45,129 | Physical process manipulation |
| Elasticsearch | 9200 | 42,314 | Data exposure, unauthenticated API access |
| Kibana | 5601 | 24,902 | Log browsing, Elastic stack pivot |
| Docker API | 2375 | 17,661 | Full host compromise, no exploit needed |
Country Exposure Overview
The table below shows each EU member state's exposure across all 14 protocols. Figures represent Shodan-indexed services on the associated port at the time of collection.
| Country | FTP (21) | Telnet (23) | SMB (445) | RDP (3389) | Postgr. (5432) | MySQL (3306) | Redis (6379) | Mongo (27017) | Elastic (9200) | Kibana (5601) | VNC (5900) | MSSQL (1433) | Modbus (502) | Docker (2375) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DE | 436,652 | 17,941 | 67,370 | 162,302 | 87,529 | 196,327 | 25,875 | 20,307 | 13,487 | 7,415 | 17,287 | 18,468 | 9,757 | 4,639 |
| FR | 197,349 | 15,484 | 33,942 | 52,134 | 23,511 | 99,376 | 8,633 | 6,405 | 7,835 | 4,293 | 8,387 | 10,402 | 5,039 | 2,871 |
| NL | 126,486 | 7,928 | 18,823 | 58,621 | 24,812 | 67,387 | 10,542 | 15,453 | 7,942 | 4,357 | 6,868 | 11,545 | 4,591 | 3,209 |
| PL | 94,712 | 8,102 | 7,503 | 11,585 | 44,933 | 58,346 | 1,510 | 1,434 | 1,561 | 1,098 | 2,966 | 2,520 | 1,751 | 916 |
| IT | 89,119 | 24,561 | 14,859 | 19,852 | 4,745 | 17,785 | 1,121 | 1,111 | 1,672 | 941 | 6,623 | 4,932 | 4,016 | 725 |
| ES | 70,520 | 10,403 | 10,157 | 22,482 | 4,447 | 27,834 | 1,648 | 1,413 | 1,970 | 1,421 | 5,036 | 5,302 | 3,828 | 1,227 |
| CZ | 34,596 | 4,047 | 4,833 | 10,157 | 2,472 | 8,136 | 1,255 | 1,264 | 1,146 | 805 | 2,390 | 1,864 | 1,241 | 724 |
| RO | 28,650 | 4,530 | 3,522 | 4,956 | 2,302 | 13,419 | 705 | 387 | 519 | 365 | 2,347 | 1,859 | 1,200 | 281 |
| FI | 28,486 | 3,160 | 12,177 | 17,454 | 11,729 | 15,848 | 4,218 | 2,278 | 1,553 | 843 | 3,211 | 1,926 | 524 | 327 |
| HU | 20,854 | 4,040 | 5,211 | 4,801 | 1,016 | 6,278 | 320 | 226 | 303 | 217 | 1,304 | 601 | 412 | 175 |
| SE | 20,229 | 3,746 | 5,638 | 8,525 | 4,558 | 8,833 | 1,748 | 1,648 | 1,467 | 1,250 | 2,505 | 1,931 | 4,118 | 1,110 |
| BE | 16,012 | 691 | 1,287 | 3,816 | 4,956 | 5,009 | 547 | 4,604 | 363 | 225 | 1,098 | 685 | 1,354 | 168 |
| AT | 15,579 | 1,524 | 1,849 | 3,631 | 1,052 | 3,297 | 495 | 261 | 354 | 206 | 1,105 | 522 | 443 | 161 |
| BG | 14,530 | 2,734 | 2,002 | 4,212 | 1,263 | 4,816 | 350 | 122 | 193 | 156 | 1,550 | 2,282 | 302 | 113 |
| DK | 12,935 | 1,007 | 1,315 | 2,322 | 768 | 3,479 | 307 | 171 | 159 | 118 | 693 | 369 | 2,470 | 96 |
| PT | 11,808 | 2,098 | 6,204 | 3,429 | 718 | 4,509 | 241 | 173 | 473 | 185 | 806 | 1,305 | 322 | 163 |
| IE | 8,787 | 1,252 | 1,650 | 7,272 | 3,442 | 3,001 | 1,328 | 2,563 | 579 | 466 | 1,710 | 1,907 | 386 | 316 |
| EE | 8,649 | 346 | 805 | 1,253 | 430 | 2,486 | 121 | 46 | 67 | 47 | 367 | 126 | 307 | 39 |
| LT | 6,906 | 692 | 2,726 | 4,014 | 516 | 3,248 | 209 | 81 | 102 | 60 | 347 | 361 | 1,577 | 36 |
| GR | 6,705 | 1,859 | 1,378 | 2,897 | 545 | 1,827 | 201 | 169 | 176 | 127 | 1,337 | 951 | 351 | 108 |
| CY | 6,456 | 284 | 447 | 508 | 138 | 293 | 115 | 63 | 94 | 74 | 168 | 245 | 113 | 78 |
| SK | 5,826 | 940 | 1,119 | 1,909 | 652 | 1,758 | 78 | 59 | 71 | 55 | 414 | 249 | 241 | 32 |
| LV | 4,170 | 616 | 1,346 | 1,525 | 501 | 2,274 | 136 | 70 | 116 | 67 | 365 | 195 | 353 | 43 |
| HR | 3,212 | 630 | 680 | 1,862 | 392 | 726 | 73 | 55 | 75 | 46 | 280 | 731 | 147 | 35 |
| SI | 3,123 | 520 | 297 | 1,022 | 570 | 746 | 50 | 38 | 75 | 28 | 299 | 283 | 141 | 33 |
| LU | 1,278 | 86 | 202 | 569 | 140 | 925 | 49 | 10 | 32 | 18 | 76 | 51 | 24 | 18 |
| MT | 406 | 146 | 149 | 183 | 33 | 90 | 21 | 19 | 20 | 19 | 83 | 43 | 121 | 18 |
| Total | 1,274,035 | 119,367 | 207,491 | 413,293 | 228,170 | 558,053 | 61,896 | 60,430 | 42,404 | 24,902 | 69,622 | 71,655 | 45,129 | 17,661 |
*Data collected via Shodan across all 27 EU member states. Research period: March 1, 2026 to March 7, 2026. All queries represent visibility snapshots only and do not constitute exploitation attempts or vulnerability assessments. Not every service on a given port is confirmed to be the associated protocol. Fingerprinting is based on banner data and Shodan indexing methodology. Figures represent conservative floor estimates. Actual exposure may be higher than indexed values.*
Protocol Analysis
1. FTP: The Protocol That Refuses to Retire
Port 21 | Total EU Exposure: 1,302,357
FTP is one of the oldest protocols still running on the internet. Designed before encryption was a consideration, it transmits credentials and data in cleartext. It remains the most widely exposed service in this entire dataset.
Germany alone accounts for roughly one-third of all EU FTP exposure. Out of 1.3 million exposed services, 10,505 allow anonymous login, meaning no credentials are required to connect and browse.
| Country | Anonymous FTP | Ratio |
|---|---|---|
| Germany | 2,183 | ~0.49% |
| France | 1,797 | ~0.89% |
| Poland | 1,578 | ~1.64% |
| Italy | 1,559 | ~1.73% |
| Netherlands | 814 | ~0.62% |
2. Telnet: A Prehistoric Protocol Still Answering Calls
Port 23 | Total EU Exposure: 121,174
Telnet transmits everything including credentials in cleartext. It has very few legitimate public-facing use cases in 2026. Italy leads EU Telnet exposure at 24,738, ahead of Germany at 18,241 — a notable reversal from every other protocol in this dataset.
| Product | Instances |
|---|---|
| BusyBox telnetd | 8,229 |
| Cisco router telnetd | 5,469 |
| Orinoco WAP telnetd | 1,194 |
| Windows XP telnetd | 425 |
3. SMB: The WannaCry Protocol, Still Exposed
Port 445 | Total EU Exposure: 210,306
SMB was designed for file and printer sharing inside trusted networks. Germany accounts for roughly one-third of all EU SMB exposure at 68,279 instances.
| Operating System | Instances |
|---|---|
| Windows 6.1 (Windows 7 / Server 2008 R2) | 13,219 |
| Windows Server 2016 Standard | 9,747 |
| Unix | 7,644 |
| Windows Server 2012 R2 Standard | 7,341 |
| Windows Server 2016 Datacenter | 4,475 |
| Windows Server 2008 R2 SP1 | 1,087 |
4. RDP: Remote Desktop, Remotely Dangerous
Port 3389 | Total EU Exposure: 416,856
RDP has legitimate modern use cases. The problem is how much of it faces the internet directly without layered protection. Germany accounts for nearly 40% of all EU RDP exposure at 163,826 instances.
| Service | Instances |
|---|---|
| Remote Desktop Protocol | 387,565 |
| nginx | 761 |
| OpenSSH | 365 |
| Hikvision IP Camera | 94 |
| OpenVPN | 39 |
| VNC | 31 |
| MariaDB | 28 |
| MySQL | 13 |
| Operating System | Instances |
|---|---|
| Windows Server 2022 | 116,126 |
| Windows 10 build 17763 | 72,698 |
| Windows 11 build 26100 | 51,526 |
| Windows 10 build 19041 | 38,785 |
| Windows 10 build 14393 | 37,113 |
| Windows Server 2012 R2 | 12,511 |
| Windows 8.1 build 9600 | 11,339 |
| Windows 7 / Server 2008 R2 | 1,943+ |
5. PostgreSQL: Database Servers, Publicly Reachable
Port 5432 | Total EU Exposure: 185,649
PostgreSQL powers fintech platforms, SaaS products, government systems, and cloud-native architectures. It is not designed to be internet-facing. Germany leads at 74,128 instances. **Poland ranks second at 31,822**, a significant anomaly compared to its position in most other protocol datasets.
6. MySQL: A Quarter of a Million Database Servers
Port 3306 | Total EU Exposure: 233,262
MySQL is one of the most widely deployed databases in the world. Germany appears in the global top 4 at 84,761 instances.
| Version | Instances |
|---|---|
| 5.7.44-log | 132,946 |
| 5.7.23-23 | 67,049 |
| 8.0.36 | 55,776 |
| 5.6.50-log | 24,947 |
| 5.1.73 | 12,030 |
7. Redis: Misconfiguration as a Path to Full Compromise
Port 6379 | Total EU Exposure: 61,718
Redis is a high-performance in-memory key-value store designed to run inside trusted networks. Of 61,718 total services, 41,258 are confirmed Redis instances.
8. MongoDB: Databases That Wiped Themselves and Left Notes
Port 27017 | Total EU Exposure: 60,534
MongoDB powers SaaS platforms, mobile backends, and analytics systems. Of 60,534 services, 47,945 are confirmed MongoDB instances.
9. Elasticsearch: The Data That Was Always Open
Port 9200 | Total EU Exposure: 42,314
Elasticsearch is used in logging platforms, SIEM systems, and observability stacks. Only 3,683 are confirmed Elastic instances.
| Product | Instances |
|---|---|
| nginx | 8,613 |
| Elastic | 3,683 |
| Prometheus Node Exporter | 557 |
| Elastichoney (honeypot) | 534 |
10. Kibana: The Window Into the Elastic Stack
Port 5601 | Total EU Exposure: 24,902
Kibana provides visualisation and management for Elasticsearch data. Only 9 fingerprint as confirmed Kibana.
11. VNC: Full Desktop Control, Internet-Facing
Port 5900 | Total EU Exposure: 69,622
VNC provides full graphical remote desktop access across platforms. Italy ranks 4th at 6,623 instances.
| Product | Instances |
|---|---|
| VNC (generic) | 20,302 |
| Apple Remote Desktop VNC | 8,582 |
| RealVNC Enterprise | 6,573 |
| SPICE | 218 |
12. Microsoft SQL Server: Enterprise Databases, Publicly Visible
Port 1433 | Total EU Exposure: 71,655
MSSQL powers ERP systems, healthcare platforms, and financial applications. Germany leads at 24,128.
| Product | Instances |
|---|---|
| nginx | 6,125 |
| MS-SQL Server 2019 RTM | 5,294 |
| MS-SQL Server 2022 RTM | 4,824 |
| MS-SQL Server 2014 | 4,532 |
| MS-SQL Server 2008 R2 | 2,199 |
13. Modbus: Industrial Controllers on the Public Internet
Port 502 | Total EU Exposure: 45,129
Modbus controls physical processes. It has no authentication, encryption, or integrity protection.
| Product | Instances |
|---|---|
| BMX P34 2020 | 386 |
| TM221CE40R | 165 |
| TM221CE40T | 153 |
| Modicon M340 | 4 |
14. Docker API: One Port, Full Host
Port 2375 | Total EU Exposure: 17,661
Port 2375 is the default port for the Docker Remote API over plain HTTP. Only 80 are confirmed Docker instances.
Cross-Protocol Patterns
Germany leads raw exposure across nearly every protocol in this report. The Netherlands and France consistently rank second and third. This reflects infrastructure concentration more than security posture.
Several services in this report can be fully compromised without any exploit. They require only network access and a default or absent configuration. Redis allows RCE via CONFIG and SAVE on unauthenticated instances. Docker API allows full host compromise via privileged container creation. MongoDB pre-3.x allowed full database access without credentials. Elasticsearch pre-6.8 allowed unauthenticated index access. Modbus has no authentication by design.
Recommendations for Defenders
Know What You Expose
Run your own Shodan queries against your registered IP ranges and ASNs before an attacker does. If Shodan can see a service, every automated scanner targeting the internet can see it too. What you find may be surprising. Shadow IT, forgotten test environments, infrastructure inherited through acquisitions, and cloud misconfiguration are common sources of unexpected exposure.
Prioritise by Consequence, Not by Volume
FTP has the highest raw numbers in this dataset but is not necessarily the most urgent remediation target for every organisation. An unauthenticated Redis instance or an exposed Docker API is a more immediate and higher-severity issue despite lower volume across the dataset as a whole. Prioritise based on what an attacker can do with access, not simply on how many services are exposed globally.
Segment Networks Aggressively
Databases, industrial controllers, analytics infrastructure, and internal services should never be reachable from the public internet. Private subnets, VLANs, and firewall allowlisting are not optional security controls. They are baseline architecture decisions that should be made before any service is deployed.
Treat Legacy Systems as Multiplied Risk
Windows XP on Telnet. MySQL 4.x. SQL Server 2008. Modbus PLCs with no authentication path forward. These systems cannot be patched into an acceptable security state. The only viable controls are isolation from internet access, active network monitoring, and planned replacement. Exposure combined with an unsupported software version creates compounded risk that cannot be addressed through configuration hardening alone.
Stop Relying on Obscurity
Non-standard ports do not provide meaningful protection in 2026. Shodan and similar tools scan all 65,535 TCP ports. Moving a service to a non-standard port reduces its appearance in protocol-specific searches but does not prevent discovery by tools that scan broadly. Reduced visibility in one tool does not mean reduced exposure. It means reduced awareness on your own part.
Monitor Continuously
Internet exposure is not a static state. New services are deployed. Firewall rules change. Container environments spin up and expose ports. Cloud configurations drift away from intended baselines. Continuous scanning of your own perimeter from the outside, using the same tools and techniques that attackers use, is the only reliable way to maintain an accurate picture of what you actually expose to the internet.
Conclusions
Across 14 protocols and all 27 EU member states, we identified approximately 2.85 million publicly reachable services carrying meaningful security context.
The exposure documented in this paper is not hidden. It is visible to anyone with a Shodan account and a list of IP ranges to query. That visibility is symmetric. It is available to security teams and attackers alike.
Exposed does not mean compromised. Best practices matter. A publicly reachable PostgreSQL instance with properly configured authentication, TLS enforcement, and tight access rules is a fundamentally different risk profile than one with trust authentication and no network controls. The exposure figures quantify the surface area. What lives behind each port determines the actual risk.
The question is not whether your infrastructure appears in data like this. The question is whether you know it does, and whether you have done enough to ensure that reachability alone is not sufficient for compromise.