Windmill, NetBox, Zeppelin: the platforms you run the business on, facing the internet

Most of what runs a small company isn't the product. It's the layer underneath: the workflow runner that moves data between services, the low-code apps wired to the production database, the network inventory, the load balancer that fronts everything, the ERP that holds the invoices. Each one is a system of record or a control point, and each one ships with a web admin that's trivial to stand up on a public host "so the team can get to it." That's how they end up answering anonymous requests from anywhere on the internet.

The reason this class is worth its own look is that these aren't single-app consoles. A leaked CMS owns one site's posts. Windmill owns the secrets for every integration it touches. NetBox is a literal diagram of your internal network. HAProxy stats names every backend behind your edge. And Apache Zeppelin, the worst of them, runs shell and Spark on the host for anyone who loads the page, no login at all by default.

Start with that last one, because it's a different animal. Zeppelin notebooks execute code through interpreters, shell, Spark, JDBC, against whatever the host can reach. The default install allows anonymous access. So an exposed Zeppelin isn't a window into how you operate; it's a remote shell handed to whoever finds the URL. The scanner rates it critical, and that's not hedged.

$ scan yoursite.com
probing yoursite.com from outside, no credentials...
/            Apache Zeppelin, anonymous notebook = code exec on the host
/login/      NetBox reachable, the full internal network map
/stats       HAProxy stats, every backend and server state listed
/user/login  Appsmith, low-code apps wired to your databases
4 exposures visible to anyone. None required a login.
One scan, four platforms a team runs itself on. Zeppelin is code execution; HAProxy stats is a topology dump on a plain GET; NetBox and Appsmith are a network map and stored credentials sitting behind a single login.

What each one actually gives away

The shape is the same, an ops platform whose front door answers anyone on the internet, but the prize differs by tool.

  • Apache Zeppelin (/) - data notebooks whose interpreters run Spark, shell, and JDBC. That's code execution on the host, and the stock config allows anonymous use, so there may be no login between a stranger and a shell. Critical, and the standout on this list.
  • Windmill (/) - a workflow and script runner. Its whole job is to hold the third-party API keys and database credentials its scripts need, so the secret store and the execution engine sit behind the same login. Get in and you read the secrets and run the workflows.
  • Appsmith (/user/login) - a low-code app builder wired to your databases and APIs with stored connection credentials. Past the login you're one query from the data it connects to, same risk profile as the internal-tool builders.
  • NetBox (/login/) - DCIM and IPAM, the source of truth for your network. It's the internal map: subnets, VLANs, device inventory, IP assignments, rack layouts. For an attacker that's a finished reconnaissance dossier, no guessing required.
  • Frappe / ERPNext (/login) - the full business-app admin: ERP, CRM, HR, all on one database. Customers, invoices, payroll, suppliers. The business runs on this, and the login is the only gate in front of it.
  • HAProxy stats (/haproxy?stats or /stats) - the load balancer's status page. It enumerates every frontend, backend, and server, with health and traffic. That hands over your edge topology, the names and state of the services behind it, for free.
  • Nextcloud (/login) - file sync and share. The admin and the file store are reachable from the same place, so an exposed instance puts the documents and the user accounts within reach of a guessed password. Rated medium: serious, but a step short of code execution or the whole network map.
[Screenshot: the Appsmith login page at ops.yoursite.com/user/login, Username and Password fields, labeled "Appsmith · wired to your DBs" and "Reachable from any IP"]
A low-code builder is a UI sitting on stored database and API credentials. The login is the only thing between a stranger and the connections behind it.

Why a map or a runner is worth as much as a database

Walk it through. HAProxy stats and NetBox don't need a password to leak their value: the stats page answers a plain GET, and a NetBox left with LOGIN_REQUIRED set to False, which older releases shipped as the default, shows its data to anonymous users too. That topology tells an attacker exactly which internal service to aim at next. Windmill and Appsmith raise the stakes because they're built to hold credentials: their reason to exist is connecting to your databases and APIs, so a cracked login is a credential dump plus the ability to run code against your backend. ERPNext is the business itself in one schema. And Zeppelin skips the chain entirely: the interpreter runs whatever you type, on the host, with no login in the default config. The exposure arrives the same tired way each time: stood up on a public host for convenience, guarded by a login nobody walled off, and forgotten.

request
    GET /stats HTTP/1.1
    Host: yoursite.com
response
    HTTP/1.1 200 OK
    Content-Type: text/html
    <title>Statistics Report for HAProxy</title>
    (every backend, frontend, and server state listed)
No login, no payload. The stats page answers a plain GET and enumerates the topology behind your edge.

Keep the platform layer off the public internet

The fix is the one that fits every operator-facing system: don't let the public reach it at all, then worry about the login behind that.

  • Put each platform behind a VPN or an IP allowlist at the reverse proxy, so only the team can reach the login.
  • For Zeppelin, turn off anonymous access (zeppelin.anonymous.allowed = false in zeppelin-site.xml) and enable Shiro authentication (shiro.ini) immediately; an anonymous interpreter on the public internet is the single worst item here. Better still, keep it off the public internet entirely.
  • Require SSO or two-factor on every login behind the wall, and never use shared accounts.
  • Scope the stored credentials in Windmill and Appsmith to least privilege, so a cracked login can't reach more than its workflows strictly need.
  • Disable the HAProxy stats page on public listeners, or bind it to localhost and reach it over an SSH tunnel. A "stats auth" line is HTTP basic auth on the same public listener, not a substitute for moving it.
  • Keep all of them patched; ops platforms accrue critical CVEs precisely because they're high value.
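The HAProxy item above is easy to get wrong in a way the config itself hides, so here is the check as a runnable example, written for this article rather than taken from HAProxy's own tooling. It audits haproxy.cfg text and flags every frontend or listen section that serves the stats page on a bind other than loopback. The three configs are constructed: the weak one puts stats on the public frontend, the hardened one moves them to a localhost listener, and the third shows the trap where a "stats enable" in defaults is inherited by every public frontend that follows it without ever appearing in those sections.

```python
"""Audit an haproxy.cfg for a stats page served on a non-loopback listener.

Added example written for this article, not a tool that ships with HAProxy.
It flags every frontend/listen with stats enabled on a bind other than loopback
or a unix socket, and carries a 'stats enable' from a defaults section into the
proxies that follow it (that inheritance is how stats reach a public frontend).
"""
import re

SECTION_RE = re.compile(r"^(defaults|frontend|backend|listen|global)(?:\s+(\S+))?\s*$")
DEFAULT_STATE = {"enabled": False, "uri": "/haproxy?stats", "auth": False}  # HAProxy's built-in uri

# Constructed weak config: stats on the public frontend, so GET /stats on :80 dumps the topology.
WEAK_CFG = """
defaults
    mode http
frontend public
    bind *:80
    stats enable
    stats uri /stats
    default_backend web
backend web
    server web1 10.0.0.11:8080 check
"""

# Constructed hardened config: same frontend, stats on their own loopback listener (SSH tunnel to reach).
HARDENED_CFG = """
defaults
    mode http
frontend public
    bind *:80
    default_backend web
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /stats
"""

# Constructed trap: 'stats enable' in defaults is inherited by both public frontends below.
DEFAULTS_LEAK_CFG = """
defaults
    mode http
    stats enable
frontend web
    bind :80
frontend api
    bind 0.0.0.0:8443 ssl crt /etc/haproxy/site.pem
"""


def bind_addresses(bind_arg):
    """'127.0.0.1:8404,[::1]:8404' -> ['127.0.0.1', '::1']; '*:80' -> ['*']; ':80' -> ['']."""
    addrs = []
    for part in bind_arg.split(","):
        part = re.sub(r"^ipv[46]@", "", part.strip())
        if part.startswith("unix@"):
            addrs.append(part)
        elif part.startswith("["):
            addrs.append(part[1:part.index("]")])
        else:
            addrs.append(part.rpartition(":")[0])
    return addrs


def is_local(addr):
    """Loopback or a unix socket: reachable only from the host itself."""
    return addr.startswith(("unix@", "127.")) or addr in ("::1", "localhost")


def audit(cfg):
    """One finding per non-local bind of every frontend/listen that serves the stats page."""
    findings, inherited, current = [], dict(DEFAULT_STATE), None

    def flush():  # emit findings for the section that just ended
        if current and current["kind"] in ("frontend", "listen") and current["state"]["enabled"]:
            for b in current["binds"]:
                for addr in bind_addresses(b):
                    if not is_local(addr):
                        findings.append({"section": current["name"], "bind": b,
                                         "uri": current["state"]["uri"], "auth": current["state"]["auth"]})

    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            flush()
            kind = m.group(1)
            if kind == "defaults":
                inherited = dict(DEFAULT_STATE)  # a new defaults section starts from scratch
            # a defaults section edits the inherited state in place; proxies work on a copy of it
            current = {"kind": kind, "name": m.group(2) or kind, "binds": [],
                       "state": inherited if kind == "defaults" else dict(inherited)}
            continue
        words = line.split()
        if current is None:
            continue
        if words[0] == "bind" and len(words) > 1:
            current["binds"].append(words[1])
        elif words[:2] == ["stats", "enable"]:
            current["state"]["enabled"] = True
        elif words[:2] == ["stats", "uri"] and len(words) > 2:
            current["state"]["uri"] = words[2]
        elif words[:2] == ["stats", "auth"]:
            current["state"]["auth"] = True
    flush()
    return findings
```

Run audit() over the text of a real haproxy.cfg and treat any finding as the stats page being reachable off-host; an "auth": True in a finding means only basic auth stands in front of it. Backends are skipped on purpose: they only serve stats through a frontend, and the frontend's bind is what decides exposure.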

Reading it from outside

Whether these platforms answer the public internet is something a stranger settles by loading the URL, which is exactly what SurfaceCheckr does: from outside, with no credentials. Each probe is gated on the product's own markup (Zeppelin's notebook shell, the HAProxy stats title, NetBox's login markers, Appsmith's and Windmill's distinctive pages), so a hit confirms the real platform and doesn't fire on a generic login. It reads only what the page serves anonymously and stops; it never logs in, never runs a notebook, never queries a connected source. These are the systems you run the business on, easy to forget because they live in the back office, which is the reason to check them from the outside, where an attacker looks first. The neighboring reads are the internal tools and dashboards in the same spot and the database admin consoles that sit one layer down.
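What "gated on the product's own markup" means in practice, as an added example written for this article rather than SurfaceCheckr's code: one anonymous GET per path, and a finding only when the product's marker shows up in a 200 body, so a generic username/password form at a probed path never counts. The HAProxy title is the one shown on this page; the Zeppelin, NetBox, Appsmith and Nextcloud markers, the "high" severities for everything the article doesn't rate, and the sample response bodies are assumptions constructed here.

```python
"""Fingerprint-gated anonymous probe for the ops platforms discussed above.

Added example written for this article; it is not SurfaceCheckr's code.
A hit needs the product's own markup in a 200 response at the expected path.
The HAProxy title is the one the page shows; the other markers are assumed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    product: str
    path: str
    marker: re.Pattern  # must match the anonymous response body
    severity: str


# The article fixes Zeppelin at critical and Nextcloud at medium; "high" for the rest is assumed.
FINGERPRINTS = (
    Fingerprint("Apache Zeppelin", "/", re.compile(r"<title>\s*Zeppelin\s*</title>", re.I), "critical"),
    Fingerprint("NetBox", "/login/", re.compile(r"<title>[^<]*NetBox[^<]*</title>", re.I), "high"),
    Fingerprint("HAProxy stats", "/stats", re.compile(r"<title>Statistics Report for HAProxy</title>"), "high"),
    Fingerprint("Appsmith", "/user/login", re.compile(r"<title>[^<]*Appsmith[^<]*</title>", re.I), "high"),
    Fingerprint("Nextcloud", "/login", re.compile(r"<title>[^<]*Nextcloud[^<]*</title>", re.I), "medium"),
)

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

# Constructed response bodies standing in for what the probed paths returned.
SAMPLE_RESPONSES = {
    "/": (200, '<html><head><title>Zeppelin</title></head><body><div ng-app="zeppelinWebApp"></div></body></html>'),
    "/login/": (200, '<html><head><title>Log In | NetBox</title></head><body><form method="post"></form></body></html>'),
    "/stats": (200, "<html><head><title>Statistics Report for HAProxy</title></head><body><table></table></body></html>"),
    "/user/login": (200, '<html><head><title>Appsmith</title></head><body><div id="root"></div></body></html>'),
    # a generic login page at a probed path: no product marker, so no finding
    "/login": (200, '<html><head><title>Sign in</title></head><body><form><input name="username"><input name="password"></form></body></html>'),
}


def classify(path, status, body):
    """Products whose path and markup both match a 200 response at this path."""
    return [
        (fp.product, fp.severity)
        for fp in FINGERPRINTS
        if fp.path == path and status == 200 and fp.marker.search(body)
    ]


def scan(responses):
    """Run every fingerprint over a {path: (status, body)} map of anonymous GETs."""
    findings = []
    for path, (status, body) in responses.items():
        for product, severity in classify(path, status, body):
            findings.append({"path": path, "product": product, "severity": severity})
    return findings


def worst_severity(findings):
    """Highest severity present, or None when nothing fired."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


def fetch(base_url, path, timeout=5):
    """One anonymous GET returning (status, body); the offline demo below does not call it."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"User-Agent": "ops-surface-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/404 bodies are returned too, but never match a 200 gate
        return err.code, err.read(65536).decode("utf-8", "replace")


if __name__ == "__main__":
    results = scan(SAMPLE_RESPONSES)
    for f in results:
        print(f"{f['path']:<12} {f['product']}  [{f['severity']}]")
    print(f"{len(results)} exposures visible to anyone; worst: {worst_severity(results)}")
```

Against a live host you would build the response map with fetch() for each fingerprint's path and hand it to scan(); the 200 gate is what keeps a stats page correctly denied by an allowlist (403) from being reported as exposed.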

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.