The Shadowserver Foundation
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
shadowserver.org/partner
- Reposted by The Shadowserver FoundationThese reports help people defend the country against cyber attacks and also helps people fight scammer networks #CyberCivilDefense #take9
- For the last few days, we have been sharing SolarWinds Help Desk CVE-2025-40551 RCE vulnerable IPs (version check based) - ~ 170 seen. This vuln is now on CISAKEV. Data in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n... Dashboard Tree Map: dashboard.shadowserver.org/statistics/c...
- For the last few days, we have been sharing SolarWinds Help Desk CVE-2025-40551 RCE vulnerable IPs (version check based) - ~ 170 seen. This vuln is now on CISAKEV. Data in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n... Dashboard Tree Map: dashboard.shadowserver.org/statistics/c...
- We are scanning & reporting out exposed OpenClaw/Clawdbot/Moltbot instances, with ~25K seen 2026-02-02. We report these out in our Device Identification reporting, with vendor set to OpenClaw for all cases: www.shadowserver.org/what-we-do/n... World Map: dashboard.shadowserver.org/statistics/i...
- Spike in Ivanti EPMM CVE-2026-1281 RCE exploitation attempts seen by our sensors last 24 hours from at least 13 source IPs. In our scans, we see ~1600 exposed instances worldwide (no vulnerability assessment). Top exposed: Germany (516) Ivanti hotfix guidance: forums.ivanti.com/s/article/Se...
- CVE-2026-24858, a Fortinet authentication bypass vulnerability affecting multiple Fortinet products with FortiCloud SSO enabled, has been added by CISA to the KEV catalog. We share exposed Fortinet instances with FortiCloud SSO enabled daily in our feeds (~10 000 seen)
- We added SmarterTools SmarterMail CVE-2026-23760 RCE to our daily Vulnerable HTTP scans. Around 6000 IPs globally found likely vulnerable based on our version check. We also see exploitation attempts in the wild. CVE-2026-23760 Geo Treemap View: dashboard.shadowserver.org/statistics/c...
- Regarding CVE-2026-24061 in GNU InetUtils telnetd: while we are not scanning for it explicitly (due to current lack of ability to check in a safe way, we do share - and have for years - data on exposed instances in our Accessible Telnet Report: www.shadowserver.org/what-we-do/n... ~800K exposed
- We are scanning & reporting out SmarterMail hosts vulnerable to CVE-2025-52691 RCE (CVSS 10). 8001 unique IPs likely vulnerable on 2026-01-12 (18783 exposed). Note Exploit PoCs are public. Tree Map: dashboard.shadowserver.org/statistics/c... Raw IP data: www.shadowserver.org/what-we-do/n...
- Iran Internet blackout visualized on our Public Dashboard - drop to near zero exposure after 2026-01-08 in scan and sinkhole telemetry: Scan results: dashboard.shadowserver.org/statistics/c... Sinkhole results: dashboard.shadowserver.org/statistics/c...
- You can also track different scan results for recent n8n vulns (not just CVE-2026-21858 but also CVE-2025-68668, CVE-2025-68613, CVE-2026-21877) on Dashboard: dashboard.shadowserver.org/statistics/c... dashboard.shadowserver.org/statistics/c...
- Scan results for n8n CVE-2026-21858 (CVSS 10.0 RCE) for 2026-01-09: 105,753 vulnerable instances by unique IP found - out of 230,562 IPs with n8n we see that day. Dashboard Tree Map view: dashboard.shadowserver.org/statistics/c... IP data in Vulnerable HTTP: www.shadowserver.org/what-we-do/n...
- Scan results for n8n CVE-2026-21858 (CVSS 10.0 RCE) for 2026-01-09: 105,753 vulnerable instances by unique IP found - out of 230,562 IPs with n8n we see that day. Dashboard Tree Map view: dashboard.shadowserver.org/statistics/c... IP data in Vulnerable HTTP: www.shadowserver.org/what-we-do/n...
- We added Fortinet SSL-VPN CVE-2020-12812 to our daily Vulnerable HTTP Report: www.shadowserver.org/what-we-do/n... After 5 1/2 years since being published still over 10K Fortinet firewalls remain unpatched. Actively exploited as recently highlighted by Fortinet: www.fortinet.com/blog/psirt-b...
- MongoBleed update: We added MongoDB CVE-2025-14847 tagging today that is version based. This results in 74,854 possibly unpatched versions (out of 78,725 exposed today). IP data on vulnerable instances shared in our Open MongoDB Report: www.shadowserver.org/what-we-do/n...
- Great to again provide technical support to Interpol & international LE partners, this time on Operation Sentinel: interpol.int/en/News-and-... Undertaken as part of African Joint Operation against Cybercrime (AFJOC) project, funded by UK FCDO, & EU/Council of Europe GLACY-e project
- Attention! We are scanning & reporting WatchGuard Firebox devices unpatched to CVE-2025-14733 (Out of Bounds Write Vulnerability, unauthenticated RCE, CVSS 9.8). Nearly 125 000 IPs found (2025-12-20): dashboard.shadowserver.org/statistics/c... WatchGuard Advisory: www.watchguard.com/wgrd-psirt/a...
- We have identified 120 Cisco Secure Email Gateway/ Cisco Secure Email and Web Manager likely vulnerable to CVE-2025-20393 (over 650 fingerprinted exposed). CVE-2025-20393 is exploited in the wild, with no patch available. Follow Cisco recommendations at sec.cloudapps.cisco.com/security/cen...
- We added fingerprinting of Fortinet devices with FortiCloud SSO enabled to our Device Identification reporting (at least 25K IPs seen globally). While not necessarily vulnerable to CVE-2025-59718/CVE-2025-59719 if you get a report from us regarding exposure, please verify/patch!
- Second Rhadamanthys Historic Bot Victims Special Report run overnight (dated 2025-12-15): 92M stolen data items from 567K victim IPs across 228 countries Additional data shared by LE partners under Operation Endgame Updated blog: shadowserver.org/news/rhadama... Check your reports!
- Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API? We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash. Check it out at github.com/The-Shadowse...
- Update on React Server Components CVE-2025-55182: over 165K IPs & 644K domains with vulnerable code found on 2025-12-08 after scan targeting improvements! See: dashboard.shadowserver.org/statistics/c... Check for compromise & patch! Thank you to Validin & LeakIX for the collaboration!
- Like others we are seeing attacks attempting to exploit React CVE-2025-55182 at scale, incl. botnet related activity. How successful have these attacks been? You can get a view here, where we track compromised host with Next.js attacking our sensors: dashboard.shadowserver.org/statistics/h...
- Reposted by The Shadowserver Foundation[Not loaded yet]
