# 40% of Sui Validators Exposed

*Why Sui’s Poor Hygiene Puts Consensus, and User Assets, at Risk*

By [PGDN Network News](https://paragraph.com/@pgdn) · 2025-09-04

sui, sui-network, validators, blockchain, security, cve, ssh, opsec, defi, depin, pgdn, bug-bounty

---

In August 2025, PGDN conducted an external scan of the Sui validator network.  
What we found was systemic: nearly **40% of the network’s voting power is exposed** to public security risks, threatening the network’s ability to stay live.

In a proof-of-stake network like Sui, consensus halts if roughly 33.3% of the voting power is disrupted.  
Our analysis showed that **3,955 voting power (~39.6%) was exposed** - leaving a dangerously thin margin of only 621 voting power before a network-wide halt could occur.
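To make the arithmetic behind these figures reproducible, here is an added example that is not part of the original article or PGDN's published dataset: a Python liveness-margin calculator. It assumes Sui normalizes total voting power to 10,000 with a greater-than-two-thirds quorum (an assumption consistent with the 39.6% and 621 figures above), and it mirrors the report's choice to count only HIGH-confidence findings in the exploitability math. The validator set and its findings are constructed sample data, not real Sui validators.

```python
# Added example (not from the PGDN report): a liveness-margin calculator that
# reproduces the article's 3,955 / 621 arithmetic on a constructed validator set.
from dataclasses import dataclass, field
from enum import IntEnum


class Confidence(IntEnum):
    """Confidence that a finding is real and exploitable."""
    LOW = 1      # e.g. a bare SYN/ACK on 2375/tcp, protocol unconfirmed
    MEDIUM = 2
    HIGH = 3     # e.g. a confirmed SSH banner or a service with a known CVE


@dataclass
class Finding:
    kind: str                 # "ssh-exposed", "known-cve", "port-2375", ...
    confidence: Confidence


@dataclass
class Validator:
    name: str
    voting_power: int
    findings: list = field(default_factory=list)

    def exposed(self, min_conf: Confidence) -> bool:
        """True if any finding meets the confidence bar."""
        return any(f.confidence >= min_conf for f in self.findings)


def quorum_threshold(total: int) -> int:
    """Smallest voting power that is strictly more than 2/3 of the total."""
    return total * 2 // 3 + 1


def halt_threshold(total: int) -> int:
    """Smallest disrupted voting power that leaves the remainder below quorum."""
    return total - quorum_threshold(total) + 1


def exposed_power(validators, min_conf: Confidence = Confidence.HIGH) -> int:
    """Voting power held by validators with at least one qualifying finding."""
    return sum(v.voting_power for v in validators if v.exposed(min_conf))


def liveness_report(validators, min_conf: Confidence = Confidence.HIGH) -> dict:
    """Summarize how far the exposed voting power sits from the halt line."""
    total = sum(v.voting_power for v in validators)
    exposed = exposed_power(validators, min_conf)
    halt = halt_threshold(total)
    exposed_validators = sorted(
        (v for v in validators if v.exposed(min_conf)),
        key=lambda v: v.voting_power,
        reverse=True,
    )
    return {
        "total": total,
        "halt_threshold": halt,
        "exposed": exposed,
        "exposed_pct": 100.0 * exposed / total,
        "halt_possible": exposed >= halt,
        # exposed power beyond the halt line (the article's "621")
        "excess_over_halt": exposed - halt,
        # least voting power to remediate before exposure falls below the line
        "remediation_needed": max(0, exposed - halt + 1),
        # largest exposed validators first: where remediation buys the most
        "remediation_priority": [v.name for v in exposed_validators],
    }


# Constructed sample set (not real Sui validators). Total voting power is
# normalized to 10,000, an assumption consistent with the article's figures.
SAMPLE_VALIDATORS = [
    Validator("val-a", 2000, [Finding("ssh-exposed", Confidence.HIGH)]),
    Validator("val-b", 1500, [Finding("known-cve", Confidence.HIGH),
                              Finding("port-2375", Confidence.LOW)]),
    Validator("val-c", 455, [Finding("ssh-exposed", Confidence.HIGH)]),
    Validator("val-d", 3000, [Finding("port-2375", Confidence.LOW)]),
    Validator("val-e", 2000, []),
    Validator("val-f", 1045, [Finding("port-2375", Confidence.LOW)]),
]

if __name__ == "__main__":
    for conf in (Confidence.HIGH, Confidence.LOW):
        print(f"min confidence {conf.name}:", liveness_report(SAMPLE_VALIDATORS, conf))
```

With the HIGH-confidence bar, 3,955 exposed against a halt line of 3,334 leaves 621 voting power of slack, so at least 622 must be remediated before a coordinated outage of every exposed validator stops being enough to halt consensus. Lowering the bar to LOW shows how much the unconfirmed 2375/tcp observations would add if they were ever confirmed, which is why the report keeps them out of the headline number.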

> A single, well-timed exploit could mean the loss of billions of dollars in assets. End game for Sui.

We have never seen this many production servers in a single network exposing SSH and default web pages. If we noticed, attackers almost certainly have too.

* * *

Key Findings
------------

*   **39.6% voting power** externally exposed via SSH and/or CVEs
*   **28%** of validators running services with known CVEs
    *   Some are patched Ubuntu builds with back-ported fixes
    *   This figure is a **conservative upper bound**
*   **~99%** responding on port 2375/tcp (Docker-TCP)
    *   SYN/ACK observed across most validators
    *   Protocol unconfirmed → classified **LOW confidence**, excluded from exploitability math
*   **Default Apache landing pages** observed on many validators, some with **critical CVEs**, mistakenly described as “RPC endpoints”. **Seriously, WTF Sui?!**
*   **Simulated attack scenario** showed that a coordinated exploitation could cause a total network blackout.

The full dataset, methods, simulated attack scenario, etc. are in the [GitHub repo](https://github.com/pgdn-network/sui-network-report-250819).

* * *

Why Hygiene and OPSEC Are Critical
----------------------------------

Mysten Labs responded to our disclosure by framing these issues as “security hygiene, not exploitable vulnerabilities.”

That framing misses the point entirely. Hygiene issues are the very foundation of successful cyberattacks.

*   **Version fingerprinting**: Public banners reveal the exact versions of software like OpenSSH and Ubuntu. Even if patched today, attackers can filter on these versions and launch an attack the moment a new CVE is released.
*   **Default web servers**: Many validators are serving stock Apache pages, not RPC endpoints. These pages leak headers, advertise CVEs, and are a clear sign of misconfiguration.
*   **SSH exposure**: SSH is one of the most abused management surfaces in history. Brute-force attacks, credential stuffing, or a future zero-day can all exploit this open port.
*   **Unexplained port 2375**: Despite being consistently observed as open on nearly every validator, Mysten Labs denied its existence. This widespread, undocumented exposure is a significant concern.

**Calling a CVE-affected Apache service an “intentional RPC” or denying open ports that are visible to anyone is not security. It is dismissal.**
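A validator operator can check their own host for the first three issues in the list above without waiting for an outside scan. The following Python classifier is an added example (not PGDN's scanning tooling and not Sui's code) that parses an SSH identification string and an HTTP response, reports what they disclose, and marks distro-patched builds so that a version-only CVE match is treated as an upper bound rather than a confirmed hit, which is the reason the Key Findings call the 28% figure conservative. The banners and page fragments are constructed samples; the `DebianBanner`, `ServerTokens`/`ServerSignature` and `server_tokens` directives named in the advice strings are standard options of the Debian/Ubuntu OpenSSH, Apache and nginx packages respectively.

```python
# Added example (not PGDN's scanner): classify what a validator's own service
# banners give away, so an operator can self-check before someone else does.
import re

_SSH_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]+)"
    r"(?:\s+(?P<comment>.*))?$"
)
_SERVER_RE = re.compile(r"^(?P<product>[\w-]+)(?:/(?P<version>[\d.]+))?")
_DISTRO_RE = re.compile(r"\b(Ubuntu|Debian)\b", re.IGNORECASE)

# Titles/bodies of stock landing pages; a validator RPC endpoint never serves these.
DEFAULT_PAGE_MARKERS = (
    "Apache2 Ubuntu Default Page",
    "Apache2 Debian Default Page",
    "Welcome to nginx!",
    "It works!",
)

# Directives that stop the server from advertising its exact version.
_VERSION_HIDING_ADVICE = {
    "apache": "set 'ServerTokens Prod' and 'ServerSignature Off'",
    "nginx": "set 'server_tokens off;'",
}


def assess_ssh_banner(banner: str) -> dict:
    """Parse an SSH identification string and rate its fingerprinting value."""
    m = _SSH_RE.match(banner.strip())
    if not m:
        return {"parsed": False, "banner": banner}
    comment = m.group("comment") or ""
    distro_patched = bool(_DISTRO_RE.search(comment))
    advice = "restrict 22/tcp to management addresses"
    if distro_patched:
        # the protocol always sends a version, but the OS suffix is optional
        advice = "set 'DebianBanner no' in sshd_config to drop the OS suffix; " + advice
    return {
        "parsed": True,
        "product": m.group("product"),
        "version": m.group("version"),
        "os_hint": comment or None,
        "version_fingerprintable": True,
        # a distro suffix means fixes may be back-ported, so matching CVEs on
        # the version string alone yields an upper bound, not a confirmed hit
        "distro_patched": distro_patched,
        "cve_match_is_upper_bound": distro_patched,
        "advice": advice,
    }


def assess_http_response(headers: dict, body: str) -> dict:
    """Check a web response for version disclosure and stock landing pages."""
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    m = _SERVER_RE.match(server)
    product = m.group("product") if m else None
    version = m.group("version") if m else None
    title_m = re.search(r"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    title = title_m.group(1).strip() if title_m else ""
    default_page = any(mk in title or mk in body for mk in DEFAULT_PAGE_MARKERS)
    advice = []
    if version is not None:
        advice.append(_VERSION_HIDING_ADVICE.get(product.lower(), "hide the server version"))
    if default_page:
        advice.append("remove or firewall the stock landing page; it is not an RPC endpoint")
    return {
        "server_product": product,
        "server_version": version,
        "version_disclosed": version is not None,
        "default_page": default_page,
        "looks_like_rpc": not default_page and '"jsonrpc"' in body,
        "advice": advice,
    }


if __name__ == "__main__":
    # Constructed samples, not captures from any Sui validator.
    print(assess_ssh_banner("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10"))
    print(assess_http_response(
        {"Server": "Apache/2.4.52 (Ubuntu)"},
        "<html><head><title>Apache2 Ubuntu Default Page: It works</title></head></html>",
    ))
```

The `cve_match_is_upper_bound` flag is the practical takeaway: an Ubuntu-suffixed OpenSSH banner may already carry a back-ported fix, so a version match should trigger a package-level check (`dpkg -l openssh-server` against the distro's security notices) rather than be counted as exploitable. The fingerprinting risk, however, is real either way, because the version string itself cannot be removed from the SSH handshake.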

Disclosure and Response
-----------------------

We provided Mysten Labs with a report and access to a private GitHub repository, outlining our findings and a simulated attack scenario.

*   **Aug 18, 2025:** Formal disclosure email sent to Mysten Labs
*   **Aug 21, 2025:** Mysten Labs requested GitHub access, dataset shared
*   **Aug 22, 2025:** Mysten Labs responded, calling the issues “hygiene, not vulnerabilities,” stating that ports 80/443 were “as intended,” and claiming port 2375 was not open
*   **Aug 26, 2025:** Mysten Labs stated they do not manage independent validators and could only “pass along general messages” to encourage better practices

Mysten Labs confirmed their two validators were patched but did not dispute our findings on version fingerprinting.

**They offered no remediation plan or guidance for independent validators.**

Why This Matters
----------------

This isn’t about a single zero-day. It’s about **systemic exposure** across a decentralized network where halting consensus requires only one-third of voting power.

Without a minimum security baseline for validators, Sui - and any network like it - is one unpatched CVE away from the loss of all user funds.

Of note, our initial scans of Aptos were clean as a whistle. Get your act together Sui.

**Hygiene is not cosmetic. It is the difference between resilience and outage. While all the networks focus on internal audits, the outside is exposed.**

About PGDN
----------

PGDN measures the **outside-in posture** of decentralized infrastructure — validators, RPCs, bridges, sequencers, oracles and more.

We publish anonymized scores, reproducible methods, and remediation guidance to help operators and foundations harden their networks before attackers force the issue.

*   Website: [pgdn.ai](https://pgdn.ai)
*   GitHub: [github.com/pgdn-ai](https://github.com/pgdn-network/sui-network-report-250819)
*   X: [https://x.com/pgdnai](https://x.com/pgdnai)
*   Contact: Simon Morley (sm@pgdn.ai)

* * *

_Licensing: CC BY-NC-ND 4.0 — journalists may quote with attribution to PGDN; commercial reuse and derivative datasets prohibited._

---

*Originally published on [PGDN Network News](https://paragraph.com/@pgdn/40percent-of-sui-validators-exposed)*
