The Shadowserver Foundation
shadowserver.bsky.social
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
https://shadowserver.org/partner
Massive increase in sources attempting Ivanti EPMM CVE-2026-1281 exploitation, with over 28.3K source IPs seen on 2026-02-09. IP data on attackers shared in our www.shadowserver.org/what-we-do/n... (with vulnerability_id set to CVE-2026-1281). 20.4K IPs seen from US networks.
February 10, 2026 at 6:37 PM
Running End-of-Life devices or apps is a major security risk. @CISACyber has recently released a Directive on the topic: www.cisa.gov/news-events/...

It's worth mentioning we share many End-of-Life devices/apps in our daily reporting, tagged 'eol'.

See: dashboard.shadowserver.org/statistics/c...
February 8, 2026 at 7:23 PM
We have started to report webshells (or other artifacts) found on Ivanti EPMM devices, likely compromised via CVE-2026-1281. 56 IPs found on 2026-02-06

Data in shadowserver.org/what-we-do/n...

Tree Map view: dashboard.shadowserver.org/statistics/c...

Thank you to the KSA NCA for the heads up!
February 7, 2026 at 4:22 PM
Reposted by The Shadowserver Foundation
These reports help people defend the country against cyber attacks and also help people fight scammer networks

#CyberCivilDefense #take9
February 5, 2026 at 11:53 AM
For the last few days, we have been sharing SolarWinds Help Desk CVE-2025-40551 RCE vulnerable IPs (version check based) - ~ 170 seen. This vuln is now on CISAKEV. Data in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...

Dashboard Tree Map: dashboard.shadowserver.org/statistics/c...
February 5, 2026 at 10:55 AM
We are scanning & reporting out exposed OpenClaw/Clawdbot/Moltbot instances, with ~25K seen 2026-02-02. We report these out in our Device Identification reporting, with vendor set to OpenClaw for all cases: www.shadowserver.org/what-we-do/n...

World Map: dashboard.shadowserver.org/statistics/i...
February 3, 2026 at 5:35 PM
Spike in Ivanti EPMM CVE-2026-1281 RCE exploitation attempts seen by our sensors last 24 hours from at least 13 source IPs. In our scans, we see ~1600 exposed instances worldwide (no vulnerability assessment). Top exposed: Germany (516)

Ivanti hotfix guidance: forums.ivanti.com/s/article/Se...
January 31, 2026 at 3:32 PM
CVE-2026-24858, a Fortinet authentication bypass vulnerability affecting multiple Fortinet products with FortiCloud SSO enabled, has been added by CISA to the KEV catalog.

We share exposed Fortinet instances with FortiCloud SSO enabled daily in our feeds (~10 000 seen)
January 28, 2026 at 6:48 PM
We added SmarterTools SmarterMail CVE-2026-23760 RCE to our daily Vulnerable HTTP scans. Around 6000 IPs globally found likely vulnerable based on our version check. We also see exploitation attempts in the wild.

CVE-2026-23760 Geo Treemap View: dashboard.shadowserver.org/statistics/c...
January 26, 2026 at 2:03 PM
Regarding CVE-2026-24061 in GNU InetUtils telnetd: while we are not scanning for it explicitly (due to current lack of ability to check in a safe way), we do share - and have for years - data on exposed instances in our Accessible Telnet Report: www.shadowserver.org/what-we-do/n...

~800K exposed
January 26, 2026 at 10:26 AM
We are scanning & reporting out SmarterMail hosts vulnerable to CVE-2025-52691 RCE (CVSS 10).
8001 unique IPs likely vulnerable on 2026-01-12 (18783 exposed). Note Exploit PoCs are public.

Tree Map: dashboard.shadowserver.org/statistics/c...

Raw IP data: www.shadowserver.org/what-we-do/n...
January 13, 2026 at 12:30 PM
Iran Internet blackout visualized on our Public Dashboard - drop to near zero exposure after 2026-01-08 in scan and sinkhole telemetry:

Scan results: dashboard.shadowserver.org/statistics/c...

Sinkhole results:
dashboard.shadowserver.org/statistics/c...
January 13, 2026 at 10:51 AM
You can also track different scan results for recent n8n vulns (not just CVE-2026-21858 but also CVE-2025-68668, CVE-2025-68613, CVE-2026-21877) on Dashboard:

dashboard.shadowserver.org/statistics/c...

dashboard.shadowserver.org/statistics/c...
January 12, 2026 at 5:17 PM
Scan results for n8n CVE-2026-21858 (CVSS 10.0 RCE) for 2026-01-09: 105,753 vulnerable instances by unique IP found - out of 230,562 IPs with n8n we see that day.

Dashboard Tree Map view: dashboard.shadowserver.org/statistics/c...

IP data in Vulnerable HTTP: www.shadowserver.org/what-we-do/n...
January 10, 2026 at 8:18 PM
We added Fortinet SSL-VPN CVE-2020-12812 to our daily Vulnerable HTTP Report: www.shadowserver.org/what-we-do/n...

After 5 1/2 years since being published still over 10K Fortinet firewalls remain unpatched. Actively exploited as recently highlighted by Fortinet: www.fortinet.com/blog/psirt-b...
January 2, 2026 at 11:10 AM
MongoBleed update: We added MongoDB CVE-2025-14847 tagging today that is version based. This results in 74,854 possibly unpatched versions (out of 78,725 exposed today). IP data on vulnerable instances shared in our Open MongoDB Report: www.shadowserver.org/what-we-do/n...
December 29, 2025 at 7:36 PM
Great to again provide technical support to Interpol & international LE partners, this time on Operation Sentinel:

interpol.int/en/News-and-...

Undertaken as part of African Joint Operation against Cybercrime (AFJOC) project, funded by UK FCDO, & EU/Council of Europe GLACY-e project
December 22, 2025 at 9:00 PM
Attention! We are scanning & reporting WatchGuard Firebox devices unpatched to CVE-2025-14733 (Out of Bounds Write Vulnerability, unauthenticated RCE, CVSS 9.8). Nearly 125 000 IPs found (2025-12-20): dashboard.shadowserver.org/statistics/c...

WatchGuard Advisory: www.watchguard.com/wgrd-psirt/a...
December 21, 2025 at 6:42 PM
We have identified 120 Cisco Secure Email Gateway/ Cisco Secure Email and Web Manager likely vulnerable to CVE-2025-20393 (over 650 fingerprinted exposed). CVE-2025-20393 is exploited in the wild, with no patch available. Follow Cisco recommendations at sec.cloudapps.cisco.com/security/cen...
December 20, 2025 at 6:31 PM
We added fingerprinting of Fortinet devices with FortiCloud SSO enabled to our Device Identification reporting (at least 25K IPs seen globally). While not necessarily vulnerable to CVE-2025-59718/CVE-2025-59719 if you get a report from us regarding exposure, please verify/patch!
December 19, 2025 at 12:12 PM
Second Rhadamanthys Historic Bot Victims Special Report run overnight (dated 2025-12-15):

92M stolen data items from 567K victim IPs across 228 countries

Additional data shared by LE partners under Operation Endgame

Updated blog:
shadowserver.org/news/rhadama...

Check your reports!
December 16, 2025 at 2:49 PM
Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API?

We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash.

Check it out at github.com/The-Shadowse...
December 13, 2025 at 3:45 PM
Update on React Server Components CVE-2025-55182: over 165K IPs & 644K domains with vulnerable code found on 2025-12-08 after scan targeting improvements!

See: dashboard.shadowserver.org/statistics/c...

Check for compromise & patch!

Thank you to Validin & LeakIX for the collaboration!
December 9, 2025 at 4:24 PM
Like others we are seeing attacks attempting to exploit React CVE-2025-55182 at scale, incl. botnet related activity. How successful have these attacks been? You can get a view here, where we track compromised hosts with Next.js attacking our sensors:
dashboard.shadowserver.org/statistics/h...
December 8, 2025 at 11:31 AM
Reposted by The Shadowserver Foundation
React Server Components (CVE-2025-55182) RCE findings so far on 2025-12-05. 77664 IPs found vulnerable (based on Assetnote methodology).

IP data is being shared in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...

Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...
December 6, 2025 at 10:13 AM