UnveilTech

UnveilScan Blog


The 10 most common CRITICAL findings across 5 200 scans

Posted 2026-04-29 · 8 min read · datastats

We exported every CRITICAL finding from our production database, grouped by slug, ranked by frequency. The top 10 below cover >95% of all critical-grade findings we've ever emitted. If you're doing a security audit and don't know where to start, start here.

#   Finding slug                 Hits   Category
1   dns.ip_on_reputation_list    1 500  DNS
2   tls.legacy_protocol_enabled  1 058  TLS
3   web.shodan_cve_exposure        127  WEB
4   tls.weak_cipher_suite           19  TLS
5   web.leak.wp_config_bak           6  WEB
6   web.leak.dbdump_sql              6  WEB
7   web.leak.env                     6  WEB
8   web.leak.backup_sql              6  WEB
9   web.api.actuator_heapdump        2  WEB
10  tls.ssllabs.grade                2  TLS

1. dns.ip_on_reputation_list (1 500 hits)

The apex IP appears on at least one reputation feed (AbuseIPDB high-confidence list, Spamhaus DROP, Barracuda, SpamCop). This means the address has been observed sending spam, scanning, or hosting malware in the recent past, sometimes by a previous tenant of the same IP.

Fix. Investigate via the AbuseIPDB / Spamhaus public lookup. If the listing is from a previous tenant, contact the feed for delisting. If it's your traffic, audit outbound (botnet on a compromised box, mail forwarding loop, etc.). For VPS users: your provider's IP pool quality matters — cheap ones recycle IPs from spam farms.

2. tls.legacy_protocol_enabled (1 058 hits)

TLS 1.0 or 1.1 still negotiable on port 443. We've written a long article on why this is everywhere. Short fix:

# nginx
ssl_protocols TLSv1.2 TLSv1.3;
# Apache
SSLProtocol -all +TLSv1.2 +TLSv1.3

3. web.shodan_cve_exposure (127 hits)

Shodan's InternetDB reports one or more known CVEs on the IP serving your domain. Common causes: an unpatched nginx / Apache version, exposed admin endpoints, SSH on port 22 with an outdated OpenSSH.

Fix. Read the CVE list in the finding's evidence, patch the affected software, and restrict admin surfaces to internal networks. Re-scan after patching to confirm the finding clears; Shodan usually refreshes its index within 24-48h, so it can linger until then.

4. tls.weak_cipher_suite (19 hits)

A 3DES, RC4, NULL, EXPORT or anonymous Diffie-Hellman cipher suite is offered in the server's suite list. Modern browsers reject these, but a non-browser client (cron job, IoT device) might fall back to one. PCI-DSS 4.0 forbids all of them.

# nginx (same fix as the legacy-protocol finding: an explicit modern cipher list)
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;

5-8. The leak family

Four findings, same theme: a sensitive file accidentally served at an HTTP path. We probe 27 candidates including .env, .env.local, wp-config.php.bak, backup.sql, dump.sql, .git/HEAD, .svn/entries. Each match is a CRITICAL because the content is by definition sensitive (DB dumps, credentials, source).

Fix. Don't store secrets in your document root. Add explicit deny rules:

# nginx (the first rule covers every dotfile and dot-directory: .env, .env.local, .git/, .svn/)
location ~ /\. { deny all; return 404; }
location ~ \.(bak|sql|env|swp|tar\.gz)$ { deny all; return 404; }
# Apache: FilesMatch only sees the file name, so .git/HEAD and .svn/entries need
# the DirectoryMatch rule below; ^\.env also covers .env.local
<FilesMatch "^\.env|\.(bak|sql|tar\.gz)$">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.(git|svn)">
    Require all denied
</DirectoryMatch>

Six hits each is small but every one of them is a "your DB is leaked" event. Don't read the count as "rare" — read it as "if it matches you, it's a P0".
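A post-fix regression check for the leak family, written for this article (it is not UnveilScan's scanner code): it requests each named candidate path on a host you operate and counts a 200 as a leak only when the body looks like the file the path names, so soft-404 error pages don't produce false positives. The content signatures, the constructed SAMPLE responses and the example.test host are assumptions.

```python
import re
import urllib.error, urllib.request

# Subset of the article's 27-entry probe list: the seven paths it names.
CANDIDATES = [".env", ".env.local", "wp-config.php.bak", "backup.sql",
              "dump.sql", ".git/HEAD", ".svn/entries"]
# A 200 alone proves nothing (soft-404 pages answer 200 with HTML), so the body
# must look like the file the path names. These signatures are my assumptions.
SIGNATURES = {
    r"\.env(\.local)?$": re.compile(r"^[A-Z_][A-Z0-9_]*=", re.M),
    r"wp-config\.php\.bak$": re.compile(r"define\(\s*['\"]DB_", re.I),
    r"\.sql$": re.compile(r"MySQL dump|CREATE TABLE|INSERT INTO", re.I),
    r"\.git/HEAD$": re.compile(r"^ref: refs/|^[0-9a-f]{40}\s*$", re.M),
    r"\.svn/entries$": re.compile(r"^\d+\s*$", re.M),
}

def looks_sensitive(path, body):
    """True when the body matches the content signature for this path."""
    for path_re, sig in SIGNATURES.items():
        if re.search(path_re, path):
            return bool(sig.search(body))
    return False

def http_fetch(url):
    """Live fetcher: returns (status, first 4 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "leak-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:   # 403/404 arrive as exceptions
        return e.code, ""

def check_leaks(base, fetch=http_fetch):
    """Verdict per path: LEAK (what the scanner flags), soft-404 or blocked."""
    verdicts = {}
    for path in CANDIDATES:
        status, body = fetch(f"{base.rstrip('/')}/{path}")
        if status != 200:
            verdicts[path] = "blocked"      # 403/404: the deny rule is doing its job
        else:
            verdicts[path] = "LEAK" if looks_sensitive(path, body) else "soft-404"
    return verdicts

# Constructed responses standing in for a live host (unlisted paths answer 404).
SAMPLE = {
    "/.env": (200, "APP_KEY=base64:xyz\nDB_PASSWORD=s3cret\n"),
    "/wp-config.php.bak": (200, "<html><title>Not Found</title></html>"),
    "/backup.sql": (403, ""),
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
}

def demo(base="https://example.test"):
    return check_leaks(base, lambda url: SAMPLE.get(url[len(base):], (404, "")))
```

Against a real host, call check_leaks("https://your-host") with the default fetcher after deploying the deny rules; any LEAK verdict is the same condition the scanner grades CRITICAL.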

9. web.api.actuator_heapdump (2 hits)

Spring Boot's /actuator/heapdump reachable by anyone. The endpoint dumps the JVM heap as a binary file, which contains every credential, session token, request body and environment variable in process memory at dump time. Two hits is two too many.

Fix. Set management.endpoints.web.exposure.include=info,health (or fewer) in your Spring config. Better: bind the actuator port to localhost only. See our deep-dive on Spring Boot leaks.

10. tls.ssllabs.grade (2 hits)

Opt-in finding (only emitted when the user requested include_ssllabs: true). Reflects an SSL Labs grade of D or F via their assessment API. Rare because it's opt-in; when it fires the underlying TLS issue is almost always also flagged by our own checkers and gets remediated through them.

What's missing from this list

Active checkers (CVE probes for Apache path traversal, Spring4Shell, etc.) only run under the Active profile, which itself only triggers under triple-gate (ownership + ack_active_probes). They contribute findings to the database but rarely fire as CRITICAL because the gating means the user is informed in advance.

The Pareto principle holds

Two findings — IP reputation listing and TLS 1.0/1.1 — account for >95% of all CRITICAL volume. If you address those two on every domain you operate, you've eliminated almost all of your audit-failing footprint. The other eight are tail items that matter when they hit you, but they're rare.

Find which CRITICALs hit your domain

Free Basic scan covers 1, 2, 4, 5-8 + bonus. Extended adds 3, 9.
