Internet-Exposed Industrial Controllers — Shodan/Censys Scan Data

As of April 2026. The CyberAv3ngers used public scanning tools to find these devices.

Modbus TCP Devices

Port 502 · All vendors

78,700+

Includes Schneider, Wago, and other vendors. Not all are M580. Source: Shodan global scan.

Rockwell Automation

EtherNet/IP · Port 44818

6,000

~6,000

Primary target of CyberAv3ngers campaign. Confirmed in CISA AA26-097A advisory.

Siemens

S7comm · Port 102

4,800

~4,800

Widely reported Shodan figure for S7 protocol exposure.

ABB

Various protocols

N/A — Not separately enumerable via protocol scan

ABB controllers use standard protocols (Modbus, OPC UA) shared with other vendors. No unique protocol fingerprint for scanning.

Phoenix Contact

Various protocols

N/A — Not separately enumerable via protocol scan

Phoenix Contact PLCs lack a vendor-specific protocol signature. Counts are subsumed in Modbus TCP totals above.

78,700+ Modbus TCP devices exposed globally — includes Schneider, Wago, and other vendors. Not all are Schneider M580. The Modbus protocol carries no vendor identifier, so precise per-vendor breakdowns require banner analysis or secondary fingerprinting.

Exposure does not equal compromise. But every exposed device is a candidate for the attack chain shown above.