Piotr Kijewski
@piotrkijewski.bsky.social
📤 71
📥 3
📝 1
@shadowserver.bsky.social
reposted by
Piotr Kijewski
The Shadowserver Foundation
16 days ago
You can track CVE-2025-20333 & CVE-2025-20362 vulnerable (unpatched) Cisco ASA/FTD instances here -
dashboard.shadowserver.org/statistics/c...
Around ~45K vulnerable seen on 2025-10-04
reposted by
Piotr Kijewski
The Shadowserver Foundation
about 1 month ago
Last week we released a new daily report type, "Badsecrets Report":
www.shadowserver.org/what-we-do/n...
(default severity: HIGH) It identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. 12168 IPs seen (2025-09-14) using "bad" secrets!
reposted by
Piotr Kijewski
The Shadowserver Foundation
about 2 months ago
FreePBX CVE-2025-57819 (CVSS 10.0) incidents: 6620 unpatched instances seen 2025-08-29, at least 386 compromised. Dashboard links: Vulnerable (unpatched):
dashboard.shadowserver.org/statistics/c...
Compromised:
dashboard.shadowserver.org/statistics/c...
Running unpatched Citrix NetScalers or seeing them in your constituency? Now is the time to get those checked for compromise and patched ...
about 2 months ago
reposted by
Piotr Kijewski
The Shadowserver Foundation
2 months ago
We added a new daily scan report type, Accessible GPRS Tunneling Protocol (GTP) services listing IPs with publicly exposed GTP-C (Core) on port 2123/UDP & GTP-U (User) 2152/UDP. Report format:
www.shadowserver.org/what-we-do/n...
Dashboard World map:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
2 months ago
Since July 30th we are seeing an increase in scans coming from ~2200 compromised Cisco Small Business RV series routers, Linksys LRT series & Araknis Networks (AN-300-RT-4L2W). Top affected: US but also many others. IP data on these scans shared in
www.shadowserver.org/what-we-do/n...
reposted by
Piotr Kijewski
The Shadowserver Foundation
2 months ago
We added version based N-able N-central RMM CVE-2025-8875 & CVE-2025-8876 detection to our daily scans. 1077 unpatched IPs seen on 2025-08-15. Both CVEs recently added to US CISA KEV. Top affected: US, Canada, Netherlands, UK Dashboard map view:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
2 months ago
We added VMware ESXi CVE-2025-41236 (CVSS 9.3) version based detection to our daily scans. First added 2025-07-19 with 17,238 IPs found. Latest scan (2025-08-10) detects 16,330 unpatched IPs, which is a slow patch rate. Top affected: France, China, US, Germany
reposted by
Piotr Kijewski
The Shadowserver Foundation
2 months ago
We added Microsoft Exchange CVE-2025-53786 detection to our daily scans (version based). See US CISA Emergency Directive 25-02:
www.cisa.gov/news-events/...
Over 28K IPs unpatched (2025-08-07). Top affected: US, Germany, Russia Dashboard world map:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
2 months ago
We added version based SonicWall SMA100 CVE-2025-40596 detection to our daily scans - at least 3200 IPs seen still unpatched! Top affected: US, Japan, Germany Dashboard map:
dashboard.shadowserver.org/statistics/c...
NVD entry:
nvd.nist.gov/vuln/detail/...
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
PaperCut CVE-2023-2533 was recently added to the CISA KEV catalog. We added version based detection of unpatched IPs with 129 seen (2025-08-03).
dashboard.shadowserver.org/statistics/c...
We also scan for CVE-2023-39143 & CVE-2023-27350. Data in Vulnerable HTTP:
shadowserver.org/what-we-do/n...
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
We’re excited to welcome SURFcert to the Shadowserver Alliance as a Bronze Tier Partner! Together with SURFcert and fellow Alliance Partners, we’re making the Internet more secure for all. Read more about SURFcert:
www.surf.nl/en
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
SharePoint situational update: In collaboration with Validin & CERT-BUND we improved vhost & version based detection of SharePoint instances, resulting in ~17K IPs observed exposed. 840 with CVE-2025-53770 - version based detection only. At least 20 with webshells.
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
Emerging threats are countered most effectively when IR teams can share technical indicators to improve detection - helping identify, notify & remediate more victims. Great example: CVE-2025-25257 & FortiWeb shells. Saudi Arabian NCA and Canadian CCCS both helped protect victims globally!
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
Alert! We are scanning for unpatched CrushFTP instances vulnerable to CVE-2025-54309. This vulnerability is exploited in the wild:
www.crushftp.com/crush11wiki/...
We see 1040 instances unpatched on 20th July. Top countries affected: US, Germany, Canada
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
Alert: SharePoint CVE-2025-53770 incidents! In collaboration with Eye Security & watchTowr we are notifying compromised parties. See:
research.eye.security/sharepoint-u...
~9300 SharePoint IPs seen exposed daily (population, no vulnerability assessment):
dashboard.shadowserver.org/statistics/i...
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
We are sharing Fortinet FortiWeb instances compromised with webshells likely via CVE-2025-25257. We see 77 cases on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation activity observed since Jul 11th. Tree map overview (compromised):
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
Since start of July we are seeing Wing FTP Server CVE-2025-47812 RCE exploitation attempts. We are fingerprinting exposed Wing FTP Server instances to establish the potentially vulnerable population. We see ~2000 exposed (no vulnerability checks):
dashboard.shadowserver.org/statistics/i...
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
Live Flax Typhoon Raptor Train botnet sinkholing data now available through our free daily Sinkhole Event and Sinkhole HTTP Event network reports:
shadowserver.org/what-we-do/n...
shadowserver.org/what-we-do/n...
events tagged as "raptor-train" Remediate current infections!
reposted by
Piotr Kijewski
The Shadowserver Foundation
3 months ago
New Special Report run in collaboration with LE partners on historical Flax Typhoon Raptor Train botnet infections:
shadowserver.org/what-we-do/n...
Filename prefix: 2025-07-07-special
732545 events, 179539 IPs, 2750 ASNs, 143 countries
Check your reports for historical compromises
reposted by
Piotr Kijewski
The Shadowserver Foundation
4 months ago
We are scanning for Citrix NetScaler CVE-2025-5777 (since 19/06) & CVE-2025-6543 (since 27/06) vulnerabilities. 1289 & 2100 IPs still seen unpatched as of 2025-06-29. Top: US & DE Tracker:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
4 months ago
Shadowserver, a member of the Common Good Cyber secretariat, is proud to help launch the Common Good Cyber Fund announced today. Special thanks to the UK and Canada for investing in the Fund and continuing to provide their steadfast support.
commongoodcyber.org/news/common-...
reposted by
Piotr Kijewski
The Shadowserver Foundation
5 months ago
We are happy to support our LE partners!
www.justice.gov/usao-edva/pr...
U.S. Government seizes approximately 145 criminal marketplace domains
The U.S. Attorney’s Office for the Eastern District of Virginia announced today the seizure of approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the ...
https://www.justice.gov/usao-edva/pr/us-government-seizes-approximately-145-criminal-marketplace-domains
reposted by
Piotr Kijewski
The Shadowserver Foundation
5 months ago
We have shared a Special Report on IPs infected with Latrodectus malware during 2025-04-26 to 2025-05-20. This is one of the results of the continued international Law Enforcement action called Operation Endgame Season 2.0 Over 44K infected IPs seen:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
5 months ago
You can also track CVE-2025-4427 exploitation attempts as seen by our honeypot sensors on our Dashboard:
dashboard.shadowserver.org/statistics/h...
reposted by
Piotr Kijewski
The Shadowserver Foundation
5 months ago
We are also scanning for Ivanti EPMM instances likely vulnerable (unpatched) to CVE-2025-4427 which can be chained with CVE-2025-4428 for RCE. First scans found 940 instances (2025-05-15), down to 798 (2025-05-18). Geo breakdown:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
5 months ago
We’re excited to announce that CERT.LV (National CSIRT of Latvia) has joined the Shadowserver Alliance as a Bronze Tier Partner! Together we will raise the bar on cybersecurity. Read more about CERT.LV:
cert.lv/en/
Become a Shadowserver Alliance partner today:
www.shadowserver.org/partner/
reposted by
Piotr Kijewski
The Shadowserver Foundation
6 months ago
We are sharing ScreenConnect instances likely vulnerable to CVE-2025-3935 (CVSS 8.1, versions 25.2.3 & earlier may be susceptible to a ViewState code injection). Patch info:
connectwise.com/company/trus...
685 instances still unpatched (2025-05-07):
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
6 months ago
The dashboard has been built thanks to UK FCDO funding (www.gov.uk/government/o...) and holds 2 years worth of aggregated Shadowserver data for all to explore!
reposted by
Piotr Kijewski
The Shadowserver Foundation
6 months ago
We’re excited to announce that Identity Digital has joined the Shadowserver Alliance as a Bronze Tier Partner! Together we will work to make the Internet safer and more secure. Read more about Identity Digital:
www.identity.digital/company
Company | Identity Digital empowers registries, registrars, and their customers to elevate their online presence through top-level domains (TLDs), robust services, and advanced technology solutions.
Identity Digital offers the world's largest domain extension portfolio, as well as industry leading registry services (through our recent acquisition of Afilias) and registrar services (provided by Na...
https://www.identity.digital/company
reposted by
Piotr Kijewski
The Shadowserver Foundation
6 months ago
Attention! We are sharing SAP NetWeaver instances vulnerable to CVE-2025-31324 unauth upload (CVSS 10.0). 454 IPs found vulnerable on 2025-04-26. If you receive an alert from us, make sure to check for signs of compromise (incl. webshells). World Map:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
6 months ago
We are sharing SysAid instances likely vulnerable to CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 (XXEs) any of which combined with CVE-2025-2778 allows for RCE. 77 IPs found unpatched so far (version check). Install updates from SysAid (from March!)
documentation.sysaid.com/docs/24-40-60
reposted by
Piotr Kijewski
The Shadowserver Foundation
6 months ago
Check out our latest Dashboard updates that now highlight compromised devices & post-exploitation frameworks/C2s discovered in scans, as well as various functionality improvements:
dashboard.shadowserver.org#compromised-...
dashboard.shadowserver.org#post-exploit...
reposted by
Piotr Kijewski
The Shadowserver Foundation
6 months ago
Attention! Check your Compromised Website Report for critical events tagged “fortinet-compromised” and follow Fortinet's mitigation advice on compromised devices:
fortinet.com/blog/psirt-b...
Data available from 2025-04-11+
shadowserver.org/what-we-do/n...
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as virtual machine's VMX process running on host"). Nearly 41.5K found vulnerable on 2025-03-04.
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
We are scanning for & reporting Nakivo Backup & Replication CVE-2024-48248 (arbitrary file read) vulnerable instances in our Vulnerable HTTP report:
www.shadowserver.org/what-we-do/n...
. ~208 vulnerable instances seen 2025-02-26 Dashboard map view:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
We started scanning & reporting out Ivanti Connect Secure CVE-2025-22467 vulnerable (unpatched) instances in our daily feeds. ~2850 IPs seen unpatched worldwide in our daily scans. Top affected: US (852) & Japan (384) Dashboard world map view:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
Not only new vulnerabilities are exploited in the wild. At the start of Feb, the US CISA added CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability (CVSS 9.8) to its KEV list (www.cisa.gov/known-exploi...). We scan/report vulnerable IPs daily, with 2149 found 2025-02-15.
reposted by
Piotr Kijewski
Craig Newmark
8 months ago
@shadowserver.bsky.social runs tools that help both fight cybercrime and protect the country. They run Internet wide scans and honeypots looking for problems both before they happen, and, also during attacks.
#CyberCivilDefense
#take9
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
Excited to publish our 2024 Highlights of the Year in Review, covering improvements to public benefit services, response to emerging threats/vulnerabilities, reporting to nCSIRTs & system defenders globally, LE support & cyber capacity building efforts
www.shadowserver.org/news/shadows...
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
Many Palo Alto CVE-2025-0108 attempts seen since 4 am UTC 2024-02-13 in our honeypots, with 19 source IPs seen attempting the use of a recent PoC published for this vulnerability (with a few creative exceptions) Patch info:
security.paloaltonetworks.com/CVE-2025-0108
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
We are excited to welcome CERT Orange Polska as a new Shadowserver Alliance partner (Bronze tier)! We look forward to raising the bar on cybersecurity together. Read more about CERT Orange Polska:
cert.orange.pl
Become a Shadowserver Alliance partner today:
shadowserver.org/partner/
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
A Mirai botnet is attempting exploitation in the wild using a new (at least to us) set of CVEs. Includes:
- Tenda CVE-2024-41473
- Draytek CVE-2024-12987
- HuangDou UTCMS V9 CVE-2024-9916
- Totolink CVE-2024-2353 CVE-2024-24328 CVE-2024-24329
- (likely) Four-Faith CVE-2024-9644
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
We are excited to welcome Public Interest Registry (PIR) as a new Shadowserver Alliance partner (Bronze tier). We look forward to raising the bar on cybersecurity together! Read more about PIR:
pir.org
Become a Shadowserver Alliance partner today:
shadowserver.org/partner/
reposted by
Piotr Kijewski
The Shadowserver Foundation
8 months ago
Since 2025-02-05 we are reporting daily GFI Kerio Control firewall instances vulnerable to CVE-2024-52875 which can (possibly) be leveraged for RCE. Data shared in
www.shadowserver.org/what-we-do/n...
12,229 unpatched instances on 2025-02-09 worldwide:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
9 months ago
Large increase in web login brute forcing attacks against edge devices seen last few weeks in our honeypots, with up to 2.8M IPs per day seen with attempts (especially Palo Alto Networks, Ivanti, SonicWall etc). Over 1M from Brazil. Source IPs shared in
shadowserver.org/what-we-do/n...
reposted by
Piotr Kijewski
The Shadowserver Foundation
9 months ago
Added 4in6 & 6in4 scans to our Open IP-Tunnel reporting (hosts that accepted unauthenticated packets from an arbitrary source, which can be abused for DoS/other attacks)
www.shadowserver.org/what-we-do/n...
~150K 4in6 open tunnels found (most in Germany) ~1.07M 6in4 open tunnels found
reposted by
Piotr Kijewski
The Shadowserver Foundation
9 months ago
For the last few days we are sharing SimpleHelp CVE-2024-57727 (path traversal vulnerability) instances in our Vulnerable HTTP report:
shadowserver.org/what-we-do/n...
For patch info please see
simple-help.com/kb---securit...
Around 580 found vulnerable
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
9 months ago
We are sharing backdoored Ivanti Connect Secure devices that *may* have been compromised as part of a CVE-2025-0282 exploitation campaign (but also we believe may include older or other activity). 379 new backdoored instances found on 2025-01-22:
dashboard.shadowserver.org/statistics/c...
reposted by
Piotr Kijewski
The Shadowserver Foundation
9 months ago
We are sharing daily results of Fortinet CVE-2024-55591 (auth bypass) vulnerable instances in our Vulnerable HTTP report -
shadowserver.org/what-we-do/n...
CVE-2024-55591 is known to be exploited in the wild. Around 50K found vulnerable:
dashboard.shadowserver.org/statistics/c...