We Scanned 5,700 [Solana, Eth, Sui, Atom] Validators. Here's What We Found.
April 14, 2026 - NullRabbit Scan Report
Over the past six weeks, NullRabbit scanned 5,715 validator hosts across Solana and Sui - 99.7% and 99.3% of each network's tracked fleet respectively. The initial sweep covered the full fleet. After that, Slashr - our free validator incident tracker - triggered live rescans automatically whenever a validator had an incident: delinquency, slashing, missed votes. Between the two, we ran 10,139 completed scans, tracked 207,962 port change events, and identified 1,340 CVE findings across 155 hosts.
This is what the validator attack surface actually looks like.
The headline number: 127 validators vulnerable to regreSSHion
CVE-2024-6387 - regreSSHion, a signal-handler race condition in sshd that allows unauthenticated remote code execution as root on glibc-based Linux - affects 127 validator hosts across both networks. Its EPSS score is 0.47: roughly a 47% probability of exploitation activity in the wild within the next 30 days. This isn't theoretical. It's the most widely distributed high-severity vulnerability in the dataset.
The affected hosts split across two OpenSSH versions: the 9.6 majority (109 hosts, 5 CVEs, max CVSS 8.1) and a neglected 8.9 tail (37 hosts, 9 CVEs, max CVSS 9.8). That second group carries two critical-severity vulnerabilities - CVE-2023-38408 (ssh-agent loading PKCS#11 providers from an untrusted search path, exploitable when an agent is forwarded to a hostile server) and CVE-2023-28531 (ssh-add not applying destination constraints to smartcard keys) - both scoring 9.8 CVSS. Note that both are ssh-agent/ssh-add bugs rather than sshd bugs: they matter if operators forward agents from or to these hosts, but the remotely reachable exposure on a listening validator is regreSSHion itself. One further caveat for anyone acting on these counts: Ubuntu backports fixes without changing the upstream version in the banner, so a 9.6p1 or 8.9p1 host whose Ubuntu package revision is at or above the USN fix level is not actually exploitable. Confirm the package revision before escalating a version match.
41 validators are running OpenSSH 8.9 with all three of these CVEs simultaneously. They're concentrated in four subnets, likely operated by two or three entities.
Solana is messier than Sui
The two networks have very different security postures.
Sui validators present a tight, uniform profile. 96% expose only the expected blockchain ports (8080/8081). 39% have SSH open. Almost nothing else. The fleet looks like it was provisioned from a template, and that's a good thing.
Solana is the opposite. 57% expose SSH. 25% expose HTTP. And then it gets interesting:
- 27 validators have PostgreSQL (5432) publicly reachable
- 82 have SMTP (25) open - on a validator
- 6 expose RDP (3389) - unusual on what should be Linux infrastructure
- 4 have FTP (21) open
- 5 expose SMB (445)
One Solana validator has seven ports open including SSH, HTTP, HTTPS, Grafana, MySQL, PostgreSQL, and an unidentified service on port 8888. That's either a multi-purpose host doubling as a validator, or a machine that nobody's reviewed the firewall rules on in a long time.
Coordinated infrastructure tells a story
Port change data isn't just about what's open. The timing reveals who's operating together.
Batch deployment: single /24 subnet
On April 8-9, ten Solana validators appeared in a single /24 subnet. Each machine opened SSH and port 8000 simultaneously, spaced exactly three minutes apart - consistent with automated deployment rolling through a rack. Six on April 8, three on April 9, one straggler on April 13. All running OpenSSH 9.6 with 5 CVEs. This looks like a hosting provider adding Solana capacity. Not a threat, but worth tracking for patch compliance.
Coordinated SSH + SMTP opening: April 11
More concerning: on April 11, five validators across two adjacent subnets simultaneously opened both SSH and SMTP within a 35-minute window. All five run OpenSSH 8.9 with the same three CVEs (regreSSHion plus the two 9.8-rated ssh-agent issues). The subnets appear to be Eastern European hosting ranges operated by the same entity.
Opening SMTP on a validator is unusual. The common benign explanation is a local MTA such as Postfix bound to all interfaces instead of loopback, but even then it has no business being reachable from the internet. The 35-minute window across two subnets suggests manual or semi-automated maintenance, not hardened automation. Combined with the stale patch levels and the CVE exposure, this cluster is the highest-risk group in the dataset.
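The two clusters above fall out of a simple rule over the port-change log: same supernet, same set of newly opened ports, first-open times inside one window, and (optionally) a uniform gap between hosts that betrays a deployment loop. The following is an added example of that rule, not NullRabbit's pipeline. The event tuple layout, the function names and the sample events (documentation-range addresses mirroring the April 8-9 /24 batch and the April 11 two-subnet pair) are all constructed for illustration.

```python
"""Find coordinated port openings in a port-change event stream.

Added example; not NullRabbit/Slashr code. Event layout and sample data are
constructed. Rule: bucket hosts by (supernet, set of ports opened), sort by
first open time, and cut greedy windows; a bucket with >= min_hosts inside
one window is a cluster. A single repeated inter-host gap is reported as the
deployment cadence.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed events: (host, port, state, ISO timestamp). Not real scan data.
EVENTS = [
    ("203.0.113.10", 22, "open", "2026-04-08T10:00:00"),
    ("203.0.113.10", 8000, "open", "2026-04-08T10:00:00"),
    ("203.0.113.11", 22, "open", "2026-04-08T10:03:00"),
    ("203.0.113.11", 8000, "open", "2026-04-08T10:03:00"),
    ("203.0.113.12", 22, "open", "2026-04-08T10:06:00"),
    ("203.0.113.12", 8000, "open", "2026-04-08T10:06:00"),
    ("203.0.113.50", 80, "closed", "2026-04-08T10:07:00"),   # close only: ignored
    ("203.0.113.99", 22, "open", "2026-04-13T09:00:00"),     # straggler, own window
    ("203.0.113.99", 8000, "open", "2026-04-13T09:00:00"),
    ("198.51.100.5", 22, "open", "2026-04-11T14:00:00"),     # two adjacent /24s
    ("198.51.100.5", 25, "open", "2026-04-11T14:01:00"),
    ("198.51.101.7", 22, "open", "2026-04-11T14:20:00"),
    ("198.51.101.7", 25, "open", "2026-04-11T14:30:00"),
]


def host_first_open(events):
    """Collapse events to host -> (earliest open time, set of ports opened)."""
    per_host = {}
    for host, port, state, ts in events:
        if state != "open":
            continue
        t = datetime.fromisoformat(ts)
        first, ports = per_host.get(host, (t, set()))
        per_host[host] = (min(first, t), ports | {port})
    return per_host


def find_clusters(events, prefix_len=24, window=timedelta(minutes=45), min_hosts=2):
    """Return clusters of hosts that opened the same ports close together.

    prefix_len=24 matches the single-/24 batch; 23 merges two adjacent /24s.
    """
    buckets = defaultdict(list)
    for host, (first, ports) in host_first_open(events).items():
        net = ip_network(f"{host}/{prefix_len}", strict=False)
        buckets[(str(net), frozenset(ports))].append((first, host))

    clusters = []
    for (net, ports), members in buckets.items():
        members.sort()
        i = 0
        while i < len(members):
            start = members[i][0]
            j = i
            while j + 1 < len(members) and members[j + 1][0] - start <= window:
                j += 1
            group = members[i:j + 1]
            if len(group) >= min_hosts:
                gaps = {(group[k + 1][0] - group[k][0]).total_seconds()
                        for k in range(len(group) - 1)}
                clusters.append({
                    "subnet": net,
                    "ports": tuple(sorted(ports)),
                    "hosts": [h for _, h in group],
                    "span_minutes": (group[-1][0] - start).total_seconds() / 60,
                    # a uniform gap across 3+ hosts is the automation fingerprint
                    "cadence_seconds": gaps.pop() if len(group) >= 3 and len(gaps) == 1 else None,
                })
            i = j + 1
    clusters.sort(key=lambda c: (c["subnet"], c["hosts"][0]))
    return clusters


if __name__ == "__main__":
    for c in find_clusters(EVENTS) + find_clusters(EVENTS, prefix_len=23):
        print(c)
```

Run at /24 it reports only the three-host batch with a 180-second cadence; run at /23 it also surfaces the two-host SSH+SMTP pair spread over 20 minutes with no regular cadence, which is the "manual or semi-automated" signature the text describes. Port sets are compared exactly, so a host that also opened an unrelated port lands in its own bucket; loosen that to a subset test if your data is noisier.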
The Redis finding
One Sui validator has the widest attack surface in the Sui network: 10 open ports including the expected blockchain services, plus Redis (6379), Grafana, Prometheus, and Node Exporter.
We probed Redis on April 14. It responds but requires authentication (a Redis with requirepass or an ACL password set answers an unauthenticated PING with -NOAUTH instead of +PONG), so it's not the worst case of unauthenticated command access. But it is publicly reachable when it should be firewalled, Redis AUTH is a shared secret sent in the clear unless TLS is configured (it isn't by default), and Redis does not rate-limit failed AUTH attempts, so a weak password is feasibly brute-forced. This is the kind of exposure that's fine until it isn't.
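What a probe like the one described above actually looks at is the first RESP line Redis returns to a bare PING. The block below is an added example of that classification, not NullRabbit's probe; the reply strings are Redis's standard responses, the sample INFO payload is constructed, and probe_redis() is the only part that touches the network (the classifier runs offline).

```python
"""Classify a Redis listener from its reply to an unauthenticated PING.

Added example, not the NullRabbit scanner. Only probe_redis() needs network
access; the two parsing helpers run on captured bytes.
"""
import socket
from typing import Optional


def classify_redis_reply(reply: bytes) -> str:
    """Map the first RESP line of a PING reply to an exposure class."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "unauthenticated"      # full command access: worst case
    if line.startswith(b"-NOAUTH"):
        return "auth_required"        # requirepass/ACL set; reachable, brute-forceable
    if line.startswith(b"-DENIED"):
        return "protected_mode"       # no password and non-loopback bind; Redis refuses
    if line.startswith(b"-ERR"):
        return "redis_error"          # still Redis (e.g. PING renamed via rename-command)
    return "not_redis"                # HTTP banner, empty read, something else on 6379


def redis_version_from_info(reply: bytes) -> Optional[str]:
    """Pull redis_version out of an 'INFO server' bulk-string reply."""
    for raw in reply.split(b"\r\n"):
        if raw.startswith(b"redis_version:"):
            return raw.split(b":", 1)[1].decode()
    return None


def probe_redis(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """Live probe: PING, then INFO only if the server lets us in unauthenticated.

    No AUTH guesses are attempted; the point is to classify, not to break in.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"PING\r\n")                 # inline (non-RESP-array) form is accepted
        status = classify_redis_reply(s.recv(512))
        version = None
        if status == "unauthenticated":
            s.sendall(b"INFO server\r\n")
            version = redis_version_from_info(s.recv(4096))  # redis_version is near the top
    return {"host": host, "port": port, "status": status, "version": version}


# Constructed replies for offline use; these are the shapes Redis actually emits.
SAMPLE_REPLIES = {
    "open": b"+PONG\r\n",
    "locked": b"-NOAUTH Authentication required.\r\n",
    "protected": b"-DENIED Redis is running in protected mode because protected mode is enabled\r\n",
    "web": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}
SAMPLE_INFO = b"$52\r\n# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n\r\n"

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(name, "->", classify_redis_reply(reply))
    print("version ->", redis_version_from_info(SAMPLE_INFO))
```

"auth_required" is the state the Sui host above is in: better than "unauthenticated", but since AUTH is neither throttled nor encrypted by default, it should still be treated as a finding until the port is firewalled or moved behind TLS with a strong password.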
Patching velocity: two tiers
SSH banner tracking reveals a clear split in operational maturity.
The well-maintained majority (~70% of the fleet) runs Ubuntu 24.04 with OpenSSH 9.6 and is keeping pace with security updates. We're seeing 8-18 hosts per day rolling from package revision .14 to .15 - the Ubuntu-3ubuntu13.x suffix in the banner, which is where Ubuntu's backported fixes show up while the upstream 9.6p1 string stays the same.
The neglected tail (~40 hosts) runs Ubuntu 22.04 with OpenSSH 8.9 and is stuck. On April 11, 16 hosts were still showing banners four package revisions behind current. These are the same hosts carrying the triple-critical CVE combination. The operators maintaining these machines are significantly behind, and the CVE exposure reflects it.
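Because the upstream version alone over-counts on Ubuntu (the regreSSHion section above counts 9.6p1 hosts that a 24.04 box at revision .14 has long since patched), a banner check has to read both halves of the string. The block below is an added example of that, not NullRabbit's scanner. The upstream affected range (8.5p1 up to but not including 9.8p1, plus anything before 4.4p1) is from the OpenSSH 9.8 release notes; the Ubuntu fix revisions are taken from USN-6859-1 and should be verified against the advisory before use; the sample banners are constructed.

```python
"""Decide what an sshd banner says about CVE-2024-6387 (regreSSHion) exposure.

Added example, not NullRabbit's scanner. Ubuntu fix revisions per USN-6859-1
(verify before relying on them); other distributions are reported as unknown
so the table can be extended rather than guessed.
"""
import re
from collections import Counter
from typing import NamedTuple, Optional

# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.14" -> upstream 9.6p1, distro Ubuntu, pkg 3ubuntu13.14
BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<p>\d+))?"
    r"(?:\s+(?P<distro>[A-Za-z]+)-(?P<pkg>\S+))?"
)
UBUNTU_REV_RE = re.compile(r"^(?P<deb>\d+)ubuntu(?P<ubu>[\d.]+)$")

# First Ubuntu package revision carrying the fix, keyed by upstream version.
# 1:9.6p1-3ubuntu13.3 shows in the banner as "Ubuntu-3ubuntu13.3".
UBUNTU_FIXED = {
    (9, 6, 1): (3, 13, 3),   # Ubuntu 24.04 LTS
    (8, 9, 1): (3, 0, 10),   # Ubuntu 22.04 LTS
}


class Banner(NamedTuple):
    upstream: tuple
    distro: Optional[str]
    pkg: Optional[str]


def parse_banner(line: str) -> Banner:
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an OpenSSH banner: {line!r}")
    upstream = (int(m["major"]), int(m["minor"]), int(m["p"] or 0))
    return Banner(upstream, m["distro"], m["pkg"])


def parse_ubuntu_revision(pkg: str) -> tuple:
    """'3ubuntu13.14' -> (3, 13, 14), comparable as a tuple."""
    m = UBUNTU_REV_RE.match(pkg)
    if not m:
        raise ValueError(f"not an Ubuntu revision: {pkg!r}")
    return (int(m["deb"]), *(int(x) for x in m["ubu"].split(".")))


def regresshion_status(line: str) -> str:
    b = parse_banner(line)
    v = b.upstream
    if (4, 4, 1) <= v < (8, 5, 1) or v >= (9, 8, 1):
        return "not_affected"                     # outside the upstream affected range
    if b.distro is None:
        return "vulnerable_by_upstream_version"   # no vendor tag, nothing suggests a backport
    if b.distro == "Ubuntu" and b.pkg:
        fixed = UBUNTU_FIXED.get(v)
        if fixed is None:
            return "unknown_backport_state"
        return "fixed_by_backport" if parse_ubuntu_revision(b.pkg) >= fixed else "vulnerable"
    return "unknown_backport_state"               # Debian, FreeBSD, ...: extend the table


def summarize(banners) -> Counter:
    """Fleet-level tally, the shape a scan report would roll up."""
    return Counter(regresshion_status(b) for b in banners)


# Constructed banners, not observed data.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.14",   # 24.04, current: fixed
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.15",   # 24.04, just rolled: fixed
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",     # 22.04, four revisions behind: vulnerable
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",    # 22.04 at the USN fix level: fixed
    "SSH-2.0-OpenSSH_9.6p1",                       # bare upstream banner: assume vulnerable
    "SSH-2.0-OpenSSH_7.4",                         # pre-8.5p1: never affected
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45} {regresshion_status(b)}")
    print(summarize(SAMPLE_BANNERS))
```

The distinction this draws is exactly the one between the two tiers above: a 24.04 host at .14 is in the patched majority even though its upstream string is 9.6p1, while a 22.04 host still at an old 3ubuntu0.x revision is genuinely exposed. A bare banner with no vendor suffix gives you nothing to go on, so it stays flagged until you can read the package version on the host.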
Port flapping: instability signals
Some hosts show repeated open/close cycles on the same port - a signal of service instability or intermittent connectivity:
- One Sui validator (operated by Chorus One): Sui JSON-RPC port 8081 flapped three times between March 3-24
- One Solana validator: RPC ports 8899/8900 (JSON-RPC and its WebSocket endpoint; Solana's gossip port is 8001 by default) flapping between April 2-13 - combined with OpenSSH 8.9 and the three CVEs discussed above, this is one of the most concerning hosts in the dataset
What this means
Validator infrastructure security isn't evenly distributed. The majority of the fleet is reasonably maintained - patching happens, profiles are clean, attack surfaces are small. But there's a long tail of validators with exposed databases, stale SSH versions, critical unpatched vulnerabilities, and services that have no business being publicly reachable.
Delegators staking with these validators have no visibility into this. The validator might have 99.9% uptime and competitive commission - but if PostgreSQL is exposed on port 5432 with a weak password, uptime is the wrong metric.
We publish scan results on every validator's detail page at slashr.dev. Check your validators at slashr.dev/check.
Slashr tracks validator incidents across Solana, Ethereum, Sui, and Cosmos. When a validator goes down, we trigger a live infrastructure scan via NullRabbit and publish the diagnosis. All data is free and public.
Built by @NullRabbitLabs and @SlashrDev