SMB Exposure Across the EU: A Service That Should Never Be Public
February 28, 2026
SMB (Server Message Block) is designed for file and printer sharing inside trusted networks. It was never meant to be exposed directly to the public internet.
Yet when we look at Shodan data across the 27 EU member states, we still see significant SMB exposure on port 445. From a security perspective, this is far more serious than FTP or Telnet.
Methodology
EU-27 country filter used:
AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE
Query used:
- SMB exposure (port 445 responding)
Note: Not every service running on port 445 is necessarily Microsoft SMB, but the vast majority are. This snapshot reflects external visibility, not full protocol validation of each host.
Total SMB Exposure in the EU
Total exposed SMB services: 210,306
| Country | SMB Services |
|---|---|
| Germany (DE) | 68,279 |
| France (FR) | 34,243 |
| Netherlands (NL) | 19,013 |
| Italy (IT) | 14,954 |
| Finland (FI) | 12,447 |
| Spain (ES) | 10,365 |
| Poland (PL) | 7,639 |
| Portugal (PT) | 6,164 |
| Sweden (SE) | 5,744 |
| Hungary (HU) | 5,372 |
| Czechia (CZ) | 4,962 |
| Romania (RO) | 3,582 |
| Lithuania (LT) | 2,762 |
| Bulgaria (BG) | 2,043 |
| Austria (AT) | 1,921 |
| Ireland (IE) | 1,653 |
| Greece (GR) | 1,389 |
| Latvia (LV) | 1,368 |
| Denmark (DK) | 1,326 |
| Belgium (BE) | 1,321 |
| Slovakia (SK) | 1,134 |
| Estonia (EE) | 813 |
| Croatia (HR) | 690 |
| Cyprus (CY) | 453 |
| Slovenia (SI) | 304 |
| Luxembourg (LU) | 210 |
| Malta (MT) | 155 |
Germany accounts for roughly one-third of all EU SMB exposure, mirroring infrastructure size patterns seen in previous protocol analyses.
What Systems Are Exposed?
The OS fingerprint data reveals a mix of modern and dangerously legacy systems.
| Operating System | Instances |
|---|---|
| Windows 6.1 (Windows 7 / Server 2008 R2 family) | 13,219 |
| Windows Server 2016 Standard (14393) | 9,747 |
| Unix | 7,644 |
| Windows Server 2012 R2 Standard | 7,341 |
| Windows Server 2016 Datacenter | 4,475 |
| Windows Server 2012 R2 Datacenter | 2,324 |
| Darwin (macOS) | 1,333 |
| Windows Server 2008 R2 SP1 | 1,087 |
| Windows Server 2019 Standard | 801 |
| Windows Server 2022 Standard | 548 |
The prominence of Windows 7 and Server 2008 R2 is a major red flag. If SMBv1 is enabled on these legacy systems, they are trivial targets for wormable exploits like EternalBlue.
Why SMB Exposure Is a Serious Issue
- Designed for Trust: SMB assumes an internal, trusted network. Exposing it to the WAN is a fundamental violation of security architecture.
- Authentication Abuse: Publicly reachable SMB ports enable NTLM relay attacks, credential harvesting, and high-speed brute-force attempts.
- Wormable Exploits: Historically, SMB has been the primary target for some of the most destructive malware in history (WannaCry, NotPetya).
- Direct Data Access: Successful exploitation or credential theft grants direct access to the file system and potentially the internal network.
Important Context and Limitations
This analysis is based entirely on Shodan data.
Shodan continuously scans internet facing services, but it does not have full visibility. Some hosts may block Shodan scanners. Others may not yet be indexed at the time of analysis.
These numbers represent observed exposure, not a complete census of all internet exposed SMB services. Remember that a service can be on another port and on this research we focused on the specific ports so thats why visibility is not 100% accurate.
It is reasonable to assume the real number is higher.
Additionally:
- Not every service on port 445 is guaranteed to be SMB
- OS fingerprinting may not always be exact
- Some systems may be honeypots or research deployments
Exposure does not automatically mean compromise.
But exposure combined with weak configuration significantly increases the likelihood of compromise.
Series Roadmap
Continue reading our protocol exposure research:
Previous in the series:
Final Thoughts
210,306 internet-exposed SMB services across the EU represents a significant and preventable attack surface. SMB is not a public-facing protocol and should remain strictly restricted to internal networks or accessed exclusively via VPN.
Seeing legacy Windows operating systems exposed directly on port 445 indicates a critical failure in perimeter security and patch hygiene that attackers will eventually exploit.