Massive increase in sources attempting Ivanti EPMM CVE-2026-1281 exploitation, with over 28.3K source IPs seen on 2026-02-09. IP data on attackers shared in our www.shadowserver.org/what-we-do/n... (with vulnerability_id set to CVE-2026-1281). 20.4K IPs seen from US networks.

We have started to report webshells (or other artifacts) found on Ivanti EPMM devices, likely compromised via CVE-2026-1281. 56 IPs found on 2026-02-06 Data in shadowserver.org/what-we-do/n... Tree Map view: dashboard.shadowserver.org/statistics/c... Thank you to the KSA NCA for the heads up!

These reports help people defend the country against cyber attacks and also helps people fight scammer networks #CyberCivilDefense #take9

Spike in Ivanti EPMM CVE-2026-1281 RCE exploitation attempts seen by our sensors last 24 hours from at least 13 source IPs. In our scans, we see ~1600 exposed instances worldwide (no vulnerability assessment). Top exposed: Germany (516) Ivanti hotfix guidance: forums.ivanti.com/s/article/Se...

CVE-2026-24858, a Fortinet authentication bypass vulnerability affecting multiple Fortinet products with FortiCloud SSO enabled, has been added by CISA to the KEV catalog. We share exposed Fortinet instances with FortiCloud SSO enabled daily in our feeds (~10 000 seen)

We added SmarterTools SmarterMail CVE-2026-23760 RCE to our daily Vulnerable HTTP scans. Around 6000 IPs globally found likely vulnerable based on our version check. We also see exploitation attempts in the wild. CVE-2026-23760 Geo Treemap View: dashboard.shadowserver.org/statistics/c...

Regarding CVE-2026-24061 in GNU InetUtils telnetd: while we are not scanning for it explicitly (due to current lack of ability to check in a safe way, we do share - and have for years - data on exposed instances in our Accessible Telnet Report: www.shadowserver.org/what-we-do/n... ~800K exposed

We are scanning & reporting out SmarterMail hosts vulnerable to CVE-2025-52691 RCE (CVSS 10). 8001 unique IPs likely vulnerable on 2026-01-12 (18783 exposed). Note Exploit PoCs are public. Tree Map: dashboard.shadowserver.org/statistics/c... Raw IP data: www.shadowserver.org/what-we-do/n...

We have identified 120 Cisco Secure Email Gateway/ Cisco Secure Email and Web Manager likely vulnerable to CVE-2025-20393 (over 650 fingerprinted exposed). CVE-2025-20393 is exploited in the wild, with no patch available. Follow Cisco recommendations at sec.cloudapps.cisco.com/security/cen...

Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API? We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash. Check it out at github.com/The-Shadowse...

We added fingerprinting of Fortinet devices with FortiCloud SSO enabled to our Device Identification reporting (at least 25K IPs seen globally). While not necessarily vulnerable to CVE-2025-59718/CVE-2025-59719 if you get a report from us regarding exposure, please verify/patch!

React Server Components (CVE-2025-55182) RCE findings so far on 2025-12-05. 77664 IPs found vulnerable (based on Assetnote methodology). IP data is being shared in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n... Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...

Excited that our collaboration with VulnCheck (vulncheck.com) continues to grow as we welcome them as a new Shadowserver Alliance Partner -Silver tier! We look forward to enhancing our joint efforts to help network defenders globally with vulnerability management.

Operation Endgame Season 3 Episode 2: Interlude released in time for Thanksgiving, recapping some of the #cybercrime disruption successes achieved so far, by partners working together internationally. Happy holidays - looking forward to future episodes!

We shared out 10,449 entries (e-mails) affected by the JSONFormatter and CodeBeautifier leak discovered by @watchTowr (see labs.watchtowr.com/stop-putting...). Data shared in a our Compromised Account Report www.shadowserver.org/what-we-do/n... (search for 2025-11-26 & compromised_account prefix)

We have been sharing Monsta FTP CVE-2025-34299 (pre-auth RCE) vulnerable instances for the last few weeks. We still see over 780 IPs vulnerable (version based check) instances daily. Most affected: US & Slovakia: dashboard.shadowserver.org/statistics/c... dashboard.shadowserver.org/statistics/c...

Proud to once again support our LE partners in Operation Endgame Season 3 86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12 More details: shadowserver.org/news/rhadama...

"Don’t take BADCANDY from strangers ..." The Australian Signals Directorate (ASD) recently published an advisory on the BadCandy implant still present in many Cisco IOS XE devices: www.cyber.gov.au/about-us/vie... We still see around 15 000 Cisco IOS XE devices with the implant

We added CVE-2025-40778 BIND9 tagging (potential susceptibility to cache poisoning) to our DNS scans: www.shadowserver.org/what-we-do/n... We found nearly 8898 unpatched DNS open resolvers on 2025-10-30, down to 6653 on 2025-11-01: dashboard.shadowserver.org/statistics/c...

Attention - Microsoft WSUS CVE-2025-59287 incidents! We are observing exploitation attempts based on a published POC. We have also began fingerprinting exposed WSUS instances (ports 8530/8531) with at least 2800 seen on 2025-10-25 (not necessarily vulnerable).

We are now sharing daily IP data on WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242 vulnerable instances, with over 71 000 seen on 2025-10-18. Data shared in our Vulnerable ISAKMP reportings - www.shadowserver.org/what-we-do/n... Top affected: US with 23.2K instances

Proud to support our Law Enforcement partners in another successful cybercrime disruption: Operation SIMCARTEL Great work everyone involved 👏 europol.europa.eu/media-press/...

Regarding F5 network compromise (see my.f5.com/manage/s/art...): We are sharing daily IP data on F5 exposures in our Device ID www.shadowserver.org/what-we-do/n... (device_vendor set to F5). ~269K IPs seen daily, nearly half in US. Geo breakdown: dashboard.shadowserver.org/statistics/i...

Oracle E-Business Suite incidents: We have added CVE-2025-61882 scanning & reporting with 576 potential vulnerable IPs found on 2025-10-06. Top affected: USA IP data in www.shadowserver.org/what-we-do/n... World map view of likely vulnerable instances: dashboard.shadowserver.org/statistics/c...

You can track CVE-2025-20333 & CVE-2025-20362 vulnerable (unpatched) Cisco ASA/FTD instances here - dashboard.shadowserver.org/statistics/c... Around ~45K vulnerable seen on 2025-10-04

Last week we released a new daily report type, "Badsecrets Report": www.shadowserver.org/what-we-do/n... (default severity: HIGH) It identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. 12168 IPs seen (2025-09-14) using "bad" secrets!

FreePBX CVE-2025-57819 (CVSS 10.0) incidents: 6620 unpatched instances seen 2025-08-29, at least 386 compromised. Dashboard links: Vulnerable (unpatched): dashboard.shadowserver.org/statistics/c... Compromised: dashboard.shadowserver.org/statistics/c...

Running unpatched Citrix NetScalers or seeing them in your constituency? Now is the time to get those checked for compromise and patched ...

We added a new daily scan report type, Accessible GPRS Tunneling Protocol (GTP) services listing IPs with publicly exposed GTP-C (Core) on port 2123/UDP & GTP-U (User) 2152/UDP. Report format: www.shadowserver.org/what-we-do/n... Dashboard World map: dashboard.shadowserver.org/statistics/c...

Since July 30th we are seeing an increase in scans coming from ~2200 compromised Cisco Small Business RV series routers, Linksys LRT series & Araknis Networks (AN-300-RT-4L2W). Top affected: US but also many others. IP data on these scans shared in www.shadowserver.org/what-we-do/n...

We added version based N-able N-central RMM CVE-2025-8875 & CVE-2025-8876 detection to our daily scans. 1077 IPs unpatched IPs seen on 2025-08-15. Both CVEs recently added to US CISA KEV. Top affected: US, Canada, Netherlands, UK Dashboard map view: dashboard.shadowserver.org/statistics/c...

We added VMware ESXi CVE-2025-41236 (CVSS 9.3) version based detection to our daily scans. First added 2025-07-19 with 17,238 IPs found. Latest scan (2025-08-10) detects 16,330 unpatched IPs, which is a slow patch rate. Top affected: France, China, US, Germany

We added Microsoft Exchange CVE-2025-53786 detection to our daily scans (version based). See US CISA Emergency Directive 25-02: www.cisa.gov/news-events/... Over 28K IPs unpatched (2025-08-07). Top affected: US, Germany, Russia Dashboard world map: dashboard.shadowserver.org/statistics/c...

We added version based SonicWall SMA100 CVE-2025-40596 detection to our daily scans - at least 3200 IPs seen still unpatched! Top affected: US, Japan, Germany Dashboard map: dashboard.shadowserver.org/statistics/c... NVD entry: nvd.nist.gov/vuln/detail/...

PaperCut CVE-2023-2533 was recently added to the CISA KEV catalog. We added version based detection of unpatched IPs with 129 seen (2025-08-03). dashboard.shadowserver.org/statistics/c... We also scan for CVE-2023-39143 & CVE-2023-27350. Data in Vulnerable HTTP: shadowserver.org/what-we-do/n...

We’re excited to welcome SURFcert to the Shadowserver Alliance as a Bronze Tier Partner! Together with SURFcert and fellow Alliance Partners, we’re making the Internet more secure for all. Read more about SURFcert: www.surf.nl/en

SharePoint situational update: In collaboration with Validin & CERT-BUND we improved vhost & version based detection of SharePoint instances, resulting in ~17K IPs observed exposed. 840 with CVE-2025-53770 - version based detection only. At least 20 with webshells.

Emerging threats are countered most effectively when IR teams can share technical indicators to improve detection - helping identify, notify & remediate more victims. Great example: CVE-2025-25257 & FortiWeb shells. Saudi Arabian NCA and Canadian CCCS both helped protect victims globally!

Alert! We are scanning for unpatched CrushFTP instances vulnerable to CVE-2025-54309. This vulnerability is exploited in the wild: www.crushftp.com/crush11wiki/... We see 1040 instances unpatched on 20th July. Top countries affected: US, Germany, Canada dashboard.shadowserver.org/statistics/c...

Alert: SharePoint CVE-2025-53770 incidents! In collaboration with Eye Security & watchTowr we are notifying compromised parties. See: research.eye.security/sharepoint-u... ~9300 Sharepoint IPs seen exposed daily (population, no vulnerability assessment): dashboard.shadowserver.org/statistics/i...

We are sharing Fortinet FortiWeb instances compromised with webshells likely via CVE-2025-25257. We see 77 cases on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation activity observed since Jul 11th. Tree map overview (compromised): dashboard.shadowserver.org/statistics/c...

Since start of July we are seeing Wing FTP Server CVE-2025-47812 RCE exploitation attempts. We are fingerprinting exposed Wing FTP Server instances to establish the potentially vulnerable population. We see ~2000 exposed (no vulnerability checks): dashboard.shadowserver.org/statistics/i...

Live Flax Typhoon Raptor Train botnet sinkholing data now available through our free daily Sinkhole Event and Sinkhole HTTP Event network reports: shadowserver.org/what-we-do/n... shadowserver.org/what-we-do/n... events tagged as "raptor-train" Remediate current infections!

New Special Report run in collaboration with LE partners on historical Flax Typhoon Raptor Train botnet infections: shadowserver.org/what-we-do/n... Filename prefix: 2025-07-07-special 732545 events, 179539 IPs, 2750 ASNs, 143 countries Check your reports for historical compromises

We are scanning for Citrix NetScaler CVE-2025-5777 (since 19/06) & CVE-2025-6543 (since 27/06) vulnerabilities. 1289 & 2100 IPs still seen unpatched as of 2025-06-29. Top: US & DE Tracker: dashboard.shadowserver.org/statistics/c...

Shadowserver, a member of the Common Good Cyber secretariat, is proud to help launch the Common Good Cyber Fund announced today. Special thanks to the UK and Canada for investing in the Fund and continuing to provide their steadfast support. commongoodcyber.org/news/common-...

We are happy to support our LE partners! www.justice.gov/usao-edva/pr...

We have shared a Special Report on IPs infected with Latrodectus malware during 2025-04-26 to 2025-05-20. This is one of the results of the continued international Law Enforcement action called Operation Endgame Season 2.0 Over 44K infected IPs seen: dashboard.shadowserver.org/statistics/c...

You can also track CVE-2025-4427 exploitation attempts as seen by our honeypot sensors on our Dashboard: dashboard.shadowserver.org/statistics/h...

We are also scanning for Ivanti EPMM instances likely vulnerable (unpatched) to CVE-2025-4427 which can be chained with CVE-2025-4428 for RCE. First scans found 940 instances (2025-05-15), down to 798 (2025-05-18). Geo breakdown: dashboard.shadowserver.org/statistics/c...