The Shadowserver Foundation
shadowserver.bsky.social
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
https://shadowserver.org/partner
Great to again provide technical support to Interpol & international LE partners, this time on Operation Sentinel:

interpol.int/en/News-and-...

Undertaken as part of African Joint Operation against Cybercrime (AFJOC) project, funded by UK FCDO, & EU/Council of Europe GLACY-e project
December 22, 2025 at 9:00 PM
Attention! We are scanning & reporting WatchGuard Firebox devices unpatched to CVE-2025-14733 (Out of Bounds Write Vulnerability, unauthenticated RCE, CVSS 9.8). Nearly 125 000 IPs found (2025-12-20): dashboard.shadowserver.org/statistics/c...

WatchGuard Advisory: www.watchguard.com/wgrd-psirt/a...
December 21, 2025 at 6:42 PM
We have identified 120 Cisco Secure Email Gateway/Cisco Secure Email and Web Manager likely vulnerable to CVE-2025-20393 (over 650 fingerprinted exposed). CVE-2025-20393 is exploited in the wild, with no patch available. Follow Cisco recommendations at sec.cloudapps.cisco.com/security/cen...
December 20, 2025 at 6:31 PM
We added fingerprinting of Fortinet devices with FortiCloud SSO enabled to our Device Identification reporting (at least 25K IPs seen globally). While not necessarily vulnerable to CVE-2025-59718/CVE-2025-59719, if you get a report from us regarding exposure, please verify/patch!
December 19, 2025 at 12:12 PM
Second Rhadamanthys Historic Bot Victims Special Report run overnight (dated 2025-12-15):

92M stolen data items from 567K victim IPs across 228 countries

Additional data shared by LE partners under Operation Endgame

Updated blog:
shadowserver.org/news/rhadama...

Check your reports!
December 16, 2025 at 2:49 PM
Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API?

We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash.

Check it out at github.com/The-Shadowse...
December 13, 2025 at 3:45 PM
Update on React Server Components CVE-2025-55182: over 165K IPs & 644K domains with vulnerable code found on 2025-12-08 after scan targeting improvements!

See: dashboard.shadowserver.org/statistics/c...

Check for compromise & patch!

Thank you to Validin & LeakIX for the collaboration!
December 9, 2025 at 4:24 PM
Like others, we are seeing attacks attempting to exploit React CVE-2025-55182 at scale, incl. botnet related activity. How successful have these attacks been? You can get a view here, where we track compromised hosts with Next.js attacking our sensors:
dashboard.shadowserver.org/statistics/h...
December 8, 2025 at 11:31 AM
Reposted by The Shadowserver Foundation
React Server Components (CVE-2025-55182) RCE findings so far on 2025-12-05. 77664 IPs found vulnerable (based on Assetnote methodology).

IP data is being shared in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...

Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...
December 6, 2025 at 10:13 AM
Excited that our collaboration with VulnCheck (vulncheck.com) continues to grow as we welcome them as a new Shadowserver Alliance Partner - Silver tier!

We look forward to enhancing our joint efforts to help network defenders globally with vulnerability management.
December 1, 2025 at 3:20 PM
We shared out 10,449 entries (e-mails) affected by the JSONFormatter and CodeBeautifier leak discovered by @watchTowr (see labs.watchtowr.com/stop-putting...).

Data shared in our Compromised Account Report www.shadowserver.org/what-we-do/n... (search for 2025-11-26 & compromised_account prefix)
November 27, 2025 at 4:38 PM
Operation Endgame Season 3 Episode 2: Interlude released in time for Thanksgiving, recapping some of the #cybercrime disruption successes achieved so far, by partners working together internationally. Happy holidays - looking forward to future episodes!
November 27, 2025 at 11:35 AM
We have been sharing Monsta FTP CVE-2025-34299 (pre-auth RCE) vulnerable instances for the last few weeks. We still see over 780 vulnerable IPs (version based check) daily. Most affected: US & Slovakia: dashboard.shadowserver.org/statistics/c...
November 24, 2025 at 1:27 PM
Proud to once again support our LE partners in Operation Endgame Season 3

86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12

More details:
shadowserver.org/news/rhadama...
November 13, 2025 at 10:13 AM
"Don’t take BADCANDY from strangers ..."

The Australian Signals Directorate (ASD) recently published an advisory on the BadCandy implant still present in many Cisco IOS XE devices: www.cyber.gov.au/about-us/vie...

We still see around 15 000 Cisco IOS XE devices with the implant
November 3, 2025 at 8:30 PM
We added CVE-2025-40778 BIND9 tagging (potential susceptibility to cache poisoning) to our DNS scans: www.shadowserver.org/what-we-do/n...

We found nearly 8898 unpatched DNS open resolvers on 2025-10-30, down to 6653 on 2025-11-01: dashboard.shadowserver.org/statistics/c...
November 2, 2025 at 2:02 PM
Attention - Microsoft WSUS CVE-2025-59287 incidents! We are observing exploitation attempts based on a published POC. We have also begun fingerprinting exposed WSUS instances (ports 8530/8531) with at least 2800 seen on 2025-10-25 (not necessarily vulnerable).
October 26, 2025 at 6:39 PM
We are now sharing daily IP data on WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242 vulnerable instances, with over 71 000 seen on 2025-10-18. Data shared in our Vulnerable ISAKMP reporting - www.shadowserver.org/what-we-do/n...

Top affected: US with 23.2K instances
October 19, 2025 at 1:30 PM
Proud to support our Law Enforcement partners in another successful cybercrime disruption:
Operation SIMCARTEL

Great work everyone involved 👏

europol.europa.eu/media-press/...
October 18, 2025 at 1:37 PM
Regarding F5 network compromise (see my.f5.com/manage/s/art...):

We are sharing daily IP data on F5 exposures in our Device ID www.shadowserver.org/what-we-do/n... (device_vendor set to F5).

~269K IPs seen daily, nearly half in US.

Geo breakdown: dashboard.shadowserver.org/statistics/i...
October 16, 2025 at 7:42 PM
Oracle E-Business Suite incidents: We have added CVE-2025-61882 scanning & reporting with 576 potentially vulnerable IPs found on 2025-10-06. Top affected: USA

IP data in www.shadowserver.org/what-we-do/n...

World map view of likely vulnerable instances: dashboard.shadowserver.org/statistics/c...
October 7, 2025 at 2:04 PM
You can track CVE-2025-20333 & CVE-2025-20362 vulnerable (unpatched) Cisco ASA/FTD instances here - dashboard.shadowserver.org/statistics/c...

Around ~45K vulnerable seen on 2025-10-04
October 5, 2025 at 10:00 AM
Attention!

Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 incidents: we are now sharing daily vulnerable Cisco ASA/FTD instances in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...

Over 48.8K unpatched IPs found 2025-09-29. Top affected: US

dashboard.shadowserver.org/statistics/c...
September 30, 2025 at 9:34 AM
Last week we released a new daily report type, "Badsecrets Report": www.shadowserver.org/what-we-do/n... (default severity: HIGH)

It identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. 12168 IPs seen (2025-09-14) using "bad" secrets!
September 15, 2025 at 8:29 AM