The Shadowserver Foundation
shadowserver.bsky.social
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
https://shadowserver.org/partner
Pinned
Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API?

We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash.

Check it out at github.com/The-Shadowse...
Massive increase in sources attempting Ivanti EPMM CVE-2026-1281 exploitation, with over 28.3K source IPs seen on 2026-02-09. IP data on attackers shared in our www.shadowserver.org/what-we-do/n... (with vulnerability_id set to CVE-2026-1281). 20.4K IPs seen from US networks.
February 10, 2026 at 6:37 PM
February 8, 2026 at 7:23 PM
Over 57.5K IPs seen tagged with 'eol' in our exposed web service reporting alone! IP data shared for example in
www.shadowserver.org/what-we-do/n...

Dashboard World Map view: dashboard.shadowserver.org/statistics/c...

Dashboard Tree Map view: dashboard.shadowserver.org/statistics/c...
CRITICAL: Vulnerable HTTP Report | The Shadowserver Foundation
DESCRIPTION LAST UPDATED: 2026-02-08 DEFAULT SEVERITY LEVEL: CRITICAL This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) service running on some port that may have a vulnera...
www.shadowserver.org
February 8, 2026 at 7:23 PM
Running End-of-Life devices or apps is a major security risk. @CISACyber has recently released a Directive on the topic: www.cisa.gov/news-events/...

It's worth mentioning we share many End-of-Life devices/apps in our daily reporting, tagged 'eol'.

See: dashboard.shadowserver.org/statistics/c...
February 8, 2026 at 7:23 PM
If you receive an alert from us, please review the security advisory and guidance from Ivanti at hub.ivanti.com/s/article/Se... including the Exploitation Detection RPM Package co-developed by Ivanti & NCSC.nl
Ivanti Innovators Hub
hub.ivanti.com
February 7, 2026 at 4:22 PM
We have started to report webshells (or other artifacts) found on Ivanti EPMM devices, likely compromised via CVE-2026-1281. 56 IPs found on 2026-02-06

Data in shadowserver.org/what-we-do/n...

Tree Map view: dashboard.shadowserver.org/statistics/c...

Thank you to the KSA NCA for the heads up!
February 7, 2026 at 4:22 PM
Reposted by The Shadowserver Foundation
These reports help people defend the country against cyber attacks and also help people fight scammer networks

#CyberCivilDefense #take9
For the last few days, we have been sharing SolarWinds Help Desk CVE-2025-40551 RCE vulnerable IPs (version check based) - ~ 170 seen. This vuln is now on CISAKEV. Data in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...

Dashboard Tree Map: dashboard.shadowserver.org/statistics/c...
February 5, 2026 at 11:53 AM
See advisory and patch info from SolarWinds: www.solarwinds.com/trust-center...

If you receive an alert from us, make sure to review for compromise.

NVD entry: nvd.nist.gov/vuln/detail/...

Thank you to Validin for collaboration on the scan.
SolarWinds Trust Center Security Advisories | CVE-2025-40551
www.solarwinds.com
February 5, 2026 at 10:55 AM
February 5, 2026 at 10:51 AM
Dashboard Tree Map view: dashboard.shadowserver.org/statistics/i...

OpenClaw Dashboard exposure tracker (for past data, select vendor Moltbot on the Dashboard):
dashboard.shadowserver.org/statistics/i...
Tree map by country · IoT device statistics · The Shadowserver Foundation
dashboard.shadowserver.org
February 3, 2026 at 5:35 PM
Most instances are across various cloud providers.

Our reporting is for awareness purposes.

OpenClaw has had various security risks highlighted recently (such as for example www.wiz.io/blog/exposed... & CVE-2026-25253 (1-Click RCE via Authentication Token Exfiltration))
Hacking Moltbook: AI Social Network Reveals 1.5M API Keys | Wiz Blog
Learn how a misconfigured Supabase database at Moltbook exposed 1.5M API keys, private messages, and user emails, enabling full AI agent takeover.
www.wiz.io
February 3, 2026 at 5:35 PM
We are scanning & reporting out exposed OpenClaw/Clawdbot/Moltbot instances, with ~25K seen 2026-02-02. We report these out in our Device Identification reporting, with vendor set to OpenClaw for all cases: www.shadowserver.org/what-we-do/n...

World Map: dashboard.shadowserver.org/statistics/i...
February 3, 2026 at 5:35 PM
CVE-2026-1281 has been added to CISA Known Exploited Vulnerability catalog: www.cisa.gov/news-events/...

Additional background from watchTowr: labs.watchtowr.com/someone-know...
CISA Adds One Known Exploited Vulnerability to Catalog | CISA
www.cisa.gov
January 31, 2026 at 3:32 PM
IP data on exposed instances shared in Device ID (device_vendor Ivanti, device_model EPMM): www.shadowserver.org/what-we-do/n...

Dashboard World Map of exposed instances: dashboard.shadowserver.org/statistics/i...

Tree Map breakdown of exposed instances: dashboard.shadowserver.org/statistics/i...
INFO: Device Identification Report | The Shadowserver Foundation
DESCRIPTION LAST UPDATED: 2023-12-06 DEFAULT SEVERITY LEVEL: INFO This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our Interne...
www.shadowserver.org
January 31, 2026 at 3:32 PM
Spike in Ivanti EPMM CVE-2026-1281 RCE exploitation attempts seen by our sensors last 24 hours from at least 13 source IPs. In our scans, we see ~1600 exposed instances worldwide (no vulnerability assessment). Top exposed: Germany (516)

Ivanti hotfix guidance: forums.ivanti.com/s/article/Se...
January 31, 2026 at 3:32 PM
Numbers have gone down from 25 000+ seen when we first started reporting in mid-Dec 2025.

We share data on Fortinet devices with FortiCloud SSO enabled in our Device ID reporting: www.shadowserver.org/what-we-do/n...

Fortinet Advisory: www.fortiguard.com/psirt/FG-IR-...
January 28, 2026 at 6:48 PM
CVE-2026-24858, a Fortinet authentication bypass vulnerability affecting multiple Fortinet products with FortiCloud SSO enabled, has been added by CISA to the KEV catalog.

We share exposed Fortinet instances with FortiCloud SSO enabled daily in our feeds (~10 000 seen)
January 28, 2026 at 6:48 PM
Time series · General statistics · The Shadowserver Foundation
dashboard.shadowserver.org
January 26, 2026 at 2:03 PM
We added SmarterTools SmarterMail CVE-2026-23760 RCE to our daily Vulnerable HTTP scans. Around 6000 IPs globally found likely vulnerable based on our version check. We also see exploitation attempts in the wild.

CVE-2026-23760 Geo Treemap View: dashboard.shadowserver.org/statistics/c...
January 26, 2026 at 2:03 PM
We have been tweaking the scan the last few days to better weed out non-telnet protocols. Some honeypots may remain.

Telnet should not be publicly exposed, but often is, especially on legacy IoT devices.

CVE-2026-24061 info & patch: seclists.org/oss-sec/2026...
oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
seclists.org
January 26, 2026 at 10:31 AM
Dashboard Tree Map view of telnet exposure (no vulnerability assessment): dashboard.shadowserver.org/statistics/c...

Like others, we also see exploitation attempts in the wild at scale.

#CyberCivilDefense
Tree map · General statistics · The Shadowserver Foundation
dashboard.shadowserver.org
January 26, 2026 at 10:26 AM
Regarding CVE-2026-24061 in GNU InetUtils telnetd: while we are not scanning for it explicitly (due to current lack of ability to check in a safe way), we do share - and have for years - data on exposed instances in our Accessible Telnet Report: www.shadowserver.org/what-we-do/n...

~800K exposed
January 26, 2026 at 10:26 AM