mastodon
4.6.0-alpha.7+glitch
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
We’re excited to announce that the Canadian Centre for Cyber Security (CCCS) has increased its annual Shadowserver Alliance Partnership tier from Gold to Diamond! Thank you CCCS for your generous support and for being a valuable and trusted partner in making the Internet more secure.
Become an Alliance Partner today: https://www.shadowserver.org/partner/
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Heads up FortiClient EMS users! CVE-2026-35616 (new) & CVE-2026-21643 - both unauthenticated RCE observed to be exploited in the wild! We fingerprint about 2000 instances globally, see public Dashboard: https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=30&vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29&dataset=count&limit=100&group_by=geo&stacking=stacked&auto_update=on
Top affected: US & Germany https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29&data_set=count&scale=log&auto_update=on
Raw IP data shared in our Device ID reporting https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
If you receive data from us on exposed instances, check for compromise & patch!
Patch info:
CVE-2026-35616 (0day reported by Defused Cyber): https://fortiguard.fortinet.com/psirt/FG-IR-26-099
CVE-2026-21643: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
We added Progress ShareFile fingerprinting to our scans & reports with 784 unique IPs seen exposed on 2026-04-02. watchTowr recently disclosed details behind an RCE CVE-2026-2699 & CVE-2026-2701 exploit chain affecting ShareFile. Make sure to apply the latest patch!
Raw IP data in Device ID reports, with device_vendor set to Progress & device_model to ShareFile: https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
Thank you to Validin for the collaboration!
Dashboard World Map view: https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=progress&model=sharefile&data_set=count&scale=log&auto_update=on
Dashboard Tree Map view:
https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=progress&model=sharefile&data_set=count&scale=log&auto_update=on
Top affected: US, Germany
Note: we are just sharing the exposed population, there is no vulnerability assessment
Patch: https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26
CVE-2026-2699 NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-2699
CVE-2026-2701 NVD entry:
https://nvd.nist.gov/vuln/detail/CVE-2026-2701
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
F5 BIG-IP APM CVE-2025-53521 impact has recently been updated from a DoS to RCE (see: https://my.f5.com/manage/s/article/K000156741) & added to US CISA KEV (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521)
We are fingerprinting & sharing F5 BIG-IP APM instances - over 17.1K IPs seen on 2026-03-31 globally. This is just a population assessment.
IP data is shared in our Device ID reporting https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/ with device_vendor set to 'F5', device_model set to 'BIG-IP APM'
Dashboard Tree Map view: https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=f5&model=big-ip+apm&data_set=count&scale=log&auto_update=on
Dashboard World Map view:
https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=f5&model=big-ip+apm&data_set=count&scale=log&auto_update=on
Top affected: US, Japan
If you have APM running on your services/network make sure you are patched & review for any compromise
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
We’re excited to welcome KPN to the Shadowserver Alliance as a bronze tier partner!
KPN is a leading telecommunications and IT provider in the Netherlands. https://www.kpn.com/algemeen/english
Together we will raise the bar on cybersecurity to make the Internet more secure.
Become a Shadowserver Alliance partner today:
https://www.shadowserver.org/partner
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Over 511 000 End-of-Life Microsoft IIS instances seen in our daily scans, out of those over 227 000 instances that are beyond the official Microsoft Extended Security Updates (ESU) period. We now tag those 'eol-iis' and 'eos-iis' respectively in our Vulnerable HTTP reports.
Raw IP data shared in https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ filtered by recipient network/constituency
Top countries running outdated IIS instances: China & USA
EOL IIS Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=eol-iis%2B&data_set=count&scale=log&auto_update=on
EOS (beyond ESU) IIS Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=eos-iis%2B&data_set=count&scale=log&auto_update=on
More on associated risks & on reducing attack surface from EOL devices from US CISA https://www.cisa.gov/resources-tools/resources/reducing-attack-surface-end-support-edge-devices
MS IIS lifecycle: https://learn.microsoft.com/en-us/lifecycle/products/internet-information-services-iis
MS Extended Security Update program (ESU) https://learn.microsoft.com/en-us/lifecycle/products/internet-information-services-iis
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
We added Microsoft SharePoint CVE-2026-20963 (post-auth deserialization RCE) to our scanning & daily feeds. 1109 IPs found running vulnerable instances worldwide (close to 1900 FQDNs) on 2026-03-19, with 510 IPs in the US.
Vulnerable IPs (tagged 'cve-2026-20963') shared daily in our Vulnerable HTTP reporting: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
CVE-2026-20963 is known exploited in the wild and on US CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-20963
Check for compromise.
Microsoft Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963
CVE-2026-20963 Dashboard Tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-20963%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on
Dashboard Tree Map view: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-20963%2B&data_set=count&scale=log&auto_update=on
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Great to support our international LE and private sector partners in Tycoon 2FA phishing-as-a-service #cybercrime disruption:
shadowserver.org/news/tycoon-...
New nCSIRT-only Tycoon 2FA Domains Special Report run 2026-03-04 (historical C2/panel/infra domains)
https://www.shadowserver.org/what-we-do/network-reporting/info-tycoon-2fa-domains-special-report/
Operation successfully coordinated by Europol, via EC3 Cyber Intelligence Extension Programme (CIEP). Civil legal action by Microsoft DCU
Millions of phishing emails, 96K victims globally
Key domains seized/sinkholed/suspended, thousands of criminal users potentially impacted
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
We are continuing to expand our n8n RCE vulnerability scanning - most recently adding CVE-2026-27495 (CVSS 9.4) tagging as well. You can track our various n8n scan results here for the most well known critical vulns: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-68613%2B&tag=cve-2025-68668%2B&tag=cve-2026-21858%2B&tag=cve-2026-21877%2B&tag=cve-2026-25053%2B&tag=cve-2026-25056%2B&tag=cve-2026-27495%2B&dataset=unique_ips&limit=100&group_by=tag&stacking=overlap&auto_update=on
Top affected: US, Germany & France.
IP data on vulnerable instances is tagged 'n8n' & with a cve tag (like cve-2026-27495) in our Vulnerable HTTP reporting - https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
Latest n8n critical RCE vulns (all covered with above tag):
https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869
https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr
https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23
If you receive an alert from us, please patch.
World Map view of all n8n vulnerable instances we track: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=n8n%2B&data_set=count&scale=log&auto_update=on
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
We are scanning & reporting IceWarp CVE-2025-14500 (CVSS 9.8, pre-auth command injection RCE) instances. 1278 IPs seen 2026-03-01 (version based check).
Patch info: https://support.icewarp.com/hc/en-us/community/posts/40040980098705-EPOS-Update-2-build-9-14-2-0-9
IP data in https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-14500%2B&data_set=count&scale=log&auto_update=on
If you receive an alert from us, please update!
NVD entry: https://nvd.nist.gov/vuln/detail/cve-2025-14500
Background: https://www.zerodayinitiative.com/advisories/ZDI-25-1072/
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Cisco SD-WAN incidents: we are sharing information on identified Cisco SD-WAN instances in Device ID reporting - https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
We see over 5.5K Cisco SD-WAN IPs (control plane) (https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=cisco&model=cisco+sd-wan+%28peering%29&data_set=count&scale=log), & over 270 management interfaces (https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=cisco&type=device-management&model=cisco+sd-wan&data_set=count&scale=log)
We are also sharing SSH port 830 data in our Accessible SSH reporting - this includes potential NETCONF instances https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssh-report/
Around 90K SSH instances seen exposed, but this includes generic SSH population (NETCONF uses SSH).
Background: https://www.ncsc.gov.uk/news/exploitation-cisco-catalyst-sd-wans
https://blog.talosintelligence.com/uat-8616-sd-wan/
https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf
https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Thanks to collaboration with the Canadian Centre for Cyber Security we can share more comprehensive information on FreePBX instances running webshells, with still over 900 IPs seen compromised.
Dashboard Victim overview (Tree map) https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=freepbx-compromised%2B&data_set=count&scale=log&auto_update=on
IP data in our Compromised Website report, tagged 'freepbx-compromised' - https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/
Compromised FreePBX tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=freepbx-compromised%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on
These compromises are likely via CVE-2025-64328
Additional background from Fortinet: https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Running End-of-Life devices or apps is a major security risk. The US CISA has recently released a Directive on the topic: https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices
It's worth mentioning we share many End-of-Life devices/apps in our daily reporting, tagged 'eol'.
Over 57.5K IPs seen tagged with 'eol' in our exposed web service reporting alone! IP data shared for example in
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/
Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=exchange&source=exchange6&source=http_vulnerable&source=http_vulnerable6&tag=eol%2B&data_set=count&scale=log&auto_update=on
Dashboard Tree Map view: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=exchange&source=exchange6&source=http_vulnerable&source=http_vulnerable6&tag=eol%2B&data_set=count&scale=log&auto_update=on
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
We have started to report webshells (or other exploitation artifacts) found on Ivanti EPMM devices, likely compromised via CVE-2026-1281. 56 IPs found on 2026-02-06
Data in https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/
Thank you to the KSA NCA for the heads up!
If you receive an alert from us, please review the security advisory and guidance from Ivanti at https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 including the Exploitation Detection RPM Package co-developed by Ivanti & @NCSC_NL@social.overheid.nl
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
We started scanning for IoT devices compromised by the Eleven11bot DDoS botnet, with ~86.4K discovered on 2025-03-03. IP data is shared daily in our Compromised IoT report https://www.shadowserver.org/what-we-do/network-reporting/compromised-iot-report/
Top affected: US (24.7K), UK (10.8K).
Dashboard map view: https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-03-03&source=compromised_iot&tag=eleven11bot%2B&geo=all&data_set=count&scale=log
For background, please see Nokia Deepfield Emergency Response Team (ERT) @deepfield@infosec.exchange announcement: @deepfield@infosec.exchange
Dashboard breakdown by US state:
