The Shadowserver Foundation
@shadowserver.bsky.social
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
https://shadowserver.org/partner
https://shadowserver.org/partner
Pinned
Using ELK & interested in automating ingestion of our threat intel for your network/constituency?
We have added support for Elasticsearch Custom Logs integration for our free daily reports API.
Check it out at github.com/The-Shadowse...
We have added support for Elasticsearch Custom Logs integration for our free daily reports API.
Check it out at github.com/The-Shadowse...
Proud to once again support our LE partners in Operation Endgame Season 3
86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12
More details:
shadowserver.org/news/rhadama...
86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12
More details:
shadowserver.org/news/rhadama...
November 13, 2025 at 10:13 AM
Proud to once again support our LE partners in Operation Endgame Season 3
86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12
More details:
shadowserver.org/news/rhadama...
86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12
More details:
shadowserver.org/news/rhadama...
"Don’t take BADCANDY from strangers ..."
The Australian Signals Directorate (ASD) recently published an advisory on the BadCandy implant still present in many Cisco IOS XE devices: www.cyber.gov.au/about-us/vie...
We still see around 15 000 Cisco IOS XE devices with the implant
The Australian Signals Directorate (ASD) recently published an advisory on the BadCandy implant still present in many Cisco IOS XE devices: www.cyber.gov.au/about-us/vie...
We still see around 15 000 Cisco IOS XE devices with the implant
November 3, 2025 at 8:30 PM
"Don’t take BADCANDY from strangers ..."
The Australian Signals Directorate (ASD) recently published an advisory on the BadCandy implant still present in many Cisco IOS XE devices: www.cyber.gov.au/about-us/vie...
We still see around 15 000 Cisco IOS XE devices with the implant
The Australian Signals Directorate (ASD) recently published an advisory on the BadCandy implant still present in many Cisco IOS XE devices: www.cyber.gov.au/about-us/vie...
We still see around 15 000 Cisco IOS XE devices with the implant
We added CVE-2025-40778 BIND9 tagging (potential susceptibility to cache poisoning) to our DNS scans: www.shadowserver.org/what-we-do/n...
We found nearly 8898 unpatched DNS open resolvers on 2025-10-30, down to 6653 on 2025-11-01: dashboard.shadowserver.org/statistics/c...
We found nearly 8898 unpatched DNS open resolvers on 2025-10-30, down to 6653 on 2025-11-01: dashboard.shadowserver.org/statistics/c...
November 2, 2025 at 2:02 PM
We added CVE-2025-40778 BIND9 tagging (potential susceptibility to cache poisoning) to our DNS scans: www.shadowserver.org/what-we-do/n...
We found nearly 8898 unpatched DNS open resolvers on 2025-10-30, down to 6653 on 2025-11-01: dashboard.shadowserver.org/statistics/c...
We found nearly 8898 unpatched DNS open resolvers on 2025-10-30, down to 6653 on 2025-11-01: dashboard.shadowserver.org/statistics/c...
Attention - Microsoft WSUS CVE-2025-59287 incidents! We are observing exploitation attempts based on a published POC. We have also began fingerprinting exposed WSUS instances (ports 8530/8531) with at least 2800 seen on 2025-10-25 (not necessarily vulnerable).
October 26, 2025 at 6:39 PM
Attention - Microsoft WSUS CVE-2025-59287 incidents! We are observing exploitation attempts based on a published POC. We have also began fingerprinting exposed WSUS instances (ports 8530/8531) with at least 2800 seen on 2025-10-25 (not necessarily vulnerable).
We are now sharing daily IP data on WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242 vulnerable instances, with over 71 000 seen on 2025-10-18. Data shared in our Vulnerable ISAKMP reportings - www.shadowserver.org/what-we-do/n...
Top affected: US with 23.2K instances
Top affected: US with 23.2K instances
October 19, 2025 at 1:30 PM
We are now sharing daily IP data on WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242 vulnerable instances, with over 71 000 seen on 2025-10-18. Data shared in our Vulnerable ISAKMP reportings - www.shadowserver.org/what-we-do/n...
Top affected: US with 23.2K instances
Top affected: US with 23.2K instances
Proud to support our Law Enforcement partners in another successful cybercrime disruption:
Operation SIMCARTEL
Great work everyone involved 👏
europol.europa.eu/media-press/...
Operation SIMCARTEL
Great work everyone involved 👏
europol.europa.eu/media-press/...
October 18, 2025 at 1:37 PM
Proud to support our Law Enforcement partners in another successful cybercrime disruption:
Operation SIMCARTEL
Great work everyone involved 👏
europol.europa.eu/media-press/...
Operation SIMCARTEL
Great work everyone involved 👏
europol.europa.eu/media-press/...
Regarding F5 network compromise (see my.f5.com/manage/s/art...):
We are sharing daily IP data on F5 exposures in our Device ID www.shadowserver.org/what-we-do/n... (device_vendor set to F5).
~269K IPs seen daily, nearly half in US.
Geo breakdown: dashboard.shadowserver.org/statistics/i...
We are sharing daily IP data on F5 exposures in our Device ID www.shadowserver.org/what-we-do/n... (device_vendor set to F5).
~269K IPs seen daily, nearly half in US.
Geo breakdown: dashboard.shadowserver.org/statistics/i...
October 16, 2025 at 7:42 PM
Regarding F5 network compromise (see my.f5.com/manage/s/art...):
We are sharing daily IP data on F5 exposures in our Device ID www.shadowserver.org/what-we-do/n... (device_vendor set to F5).
~269K IPs seen daily, nearly half in US.
Geo breakdown: dashboard.shadowserver.org/statistics/i...
We are sharing daily IP data on F5 exposures in our Device ID www.shadowserver.org/what-we-do/n... (device_vendor set to F5).
~269K IPs seen daily, nearly half in US.
Geo breakdown: dashboard.shadowserver.org/statistics/i...
Oracle E-Business Suite incidents: We have added CVE-2025-61882 scanning & reporting with 576 potential vulnerable IPs found on 2025-10-06. Top affected: USA
IP data in www.shadowserver.org/what-we-do/n...
World map view of likely vulnerable instances: dashboard.shadowserver.org/statistics/c...
IP data in www.shadowserver.org/what-we-do/n...
World map view of likely vulnerable instances: dashboard.shadowserver.org/statistics/c...
October 7, 2025 at 2:04 PM
Oracle E-Business Suite incidents: We have added CVE-2025-61882 scanning & reporting with 576 potential vulnerable IPs found on 2025-10-06. Top affected: USA
IP data in www.shadowserver.org/what-we-do/n...
World map view of likely vulnerable instances: dashboard.shadowserver.org/statistics/c...
IP data in www.shadowserver.org/what-we-do/n...
World map view of likely vulnerable instances: dashboard.shadowserver.org/statistics/c...
You can track CVE-2025-20333 & CVE-2025-20362 vulnerable (unpatched) Cisco ASA/FTD instances here - dashboard.shadowserver.org/statistics/c...
Around ~45K vulnerable seen on 2025-10-04
Around ~45K vulnerable seen on 2025-10-04
October 5, 2025 at 10:00 AM
You can track CVE-2025-20333 & CVE-2025-20362 vulnerable (unpatched) Cisco ASA/FTD instances here - dashboard.shadowserver.org/statistics/c...
Around ~45K vulnerable seen on 2025-10-04
Around ~45K vulnerable seen on 2025-10-04
Attention!
Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 incidents: we are now sharing daily vulnerable Cisco ASA/FTD instances in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...
Over 48.8K unpatched IPs found 2025-09-29. Top affected: US
dashboard.shadowserver.org/statistics/c...
Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 incidents: we are now sharing daily vulnerable Cisco ASA/FTD instances in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...
Over 48.8K unpatched IPs found 2025-09-29. Top affected: US
dashboard.shadowserver.org/statistics/c...
September 30, 2025 at 9:34 AM
Attention!
Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 incidents: we are now sharing daily vulnerable Cisco ASA/FTD instances in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...
Over 48.8K unpatched IPs found 2025-09-29. Top affected: US
dashboard.shadowserver.org/statistics/c...
Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 incidents: we are now sharing daily vulnerable Cisco ASA/FTD instances in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...
Over 48.8K unpatched IPs found 2025-09-29. Top affected: US
dashboard.shadowserver.org/statistics/c...
Last week we released a new daily report type, "Badsecrets Report": www.shadowserver.org/what-we-do/n... (default severity: HIGH)
It identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. 12168 IPs seen (2025-09-14) using "bad" secrets!
It identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. 12168 IPs seen (2025-09-14) using "bad" secrets!
September 15, 2025 at 8:29 AM
Last week we released a new daily report type, "Badsecrets Report": www.shadowserver.org/what-we-do/n... (default severity: HIGH)
It identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. 12168 IPs seen (2025-09-14) using "bad" secrets!
It identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. 12168 IPs seen (2025-09-14) using "bad" secrets!
FreePBX CVE-2025-57819 (CVSS 10.0) incidents: 6620 unpatched instances seen 2025-08-29, at least 386 compromised.
Dashboard links:
Vulnerable (unpatched): dashboard.shadowserver.org/statistics/c...
Compromised:
dashboard.shadowserver.org/statistics/c...
Dashboard links:
Vulnerable (unpatched): dashboard.shadowserver.org/statistics/c...
Compromised:
dashboard.shadowserver.org/statistics/c...
August 30, 2025 at 3:24 PM
FreePBX CVE-2025-57819 (CVSS 10.0) incidents: 6620 unpatched instances seen 2025-08-29, at least 386 compromised.
Dashboard links:
Vulnerable (unpatched): dashboard.shadowserver.org/statistics/c...
Compromised:
dashboard.shadowserver.org/statistics/c...
Dashboard links:
Vulnerable (unpatched): dashboard.shadowserver.org/statistics/c...
Compromised:
dashboard.shadowserver.org/statistics/c...
Citrix NetScaler CVE-2025-7775 patch rate as seen in our scans:
dashboard.shadowserver.org/statistics/c...
dashboard.shadowserver.org/statistics/c...
Down from 28.2K to 12.4K. Europe patching at faster rate than North America
(toggle overlapping/stacked time series on our Dashboard to compare)
dashboard.shadowserver.org/statistics/c...
dashboard.shadowserver.org/statistics/c...
Down from 28.2K to 12.4K. Europe patching at faster rate than North America
(toggle overlapping/stacked time series on our Dashboard to compare)
August 29, 2025 at 1:18 PM
Citrix NetScaler CVE-2025-7775 patch rate as seen in our scans:
dashboard.shadowserver.org/statistics/c...
dashboard.shadowserver.org/statistics/c...
Down from 28.2K to 12.4K. Europe patching at faster rate than North America
(toggle overlapping/stacked time series on our Dashboard to compare)
dashboard.shadowserver.org/statistics/c...
dashboard.shadowserver.org/statistics/c...
Down from 28.2K to 12.4K. Europe patching at faster rate than North America
(toggle overlapping/stacked time series on our Dashboard to compare)
ALERT: On 2025-08-26 over 28K Citrix NetScaler instances were unpatched to CVE-2025-7775 RCE. There is exploitation in the wild confirmed by US CISA KEV.
Patch info: support.citrix.com/support-home...
Top affected: US, Germany
Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...
Patch info: support.citrix.com/support-home...
Top affected: US, Germany
Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...
August 27, 2025 at 11:21 AM
ALERT: On 2025-08-26 over 28K Citrix NetScaler instances were unpatched to CVE-2025-7775 RCE. There is exploitation in the wild confirmed by US CISA KEV.
Patch info: support.citrix.com/support-home...
Top affected: US, Germany
Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...
Patch info: support.citrix.com/support-home...
Top affected: US, Germany
Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...
We added a new daily scan report type, Accessible GPRS Tunneling Protocol (GTP) services listing IPs with publicly exposed GTP-C (Core) on port 2123/UDP & GTP-U (User) 2152/UDP.
Report format: www.shadowserver.org/what-we-do/n...
Dashboard World map: dashboard.shadowserver.org/statistics/c...
Report format: www.shadowserver.org/what-we-do/n...
Dashboard World map: dashboard.shadowserver.org/statistics/c...
August 20, 2025 at 6:01 PM
We added a new daily scan report type, Accessible GPRS Tunneling Protocol (GTP) services listing IPs with publicly exposed GTP-C (Core) on port 2123/UDP & GTP-U (User) 2152/UDP.
Report format: www.shadowserver.org/what-we-do/n...
Dashboard World map: dashboard.shadowserver.org/statistics/c...
Report format: www.shadowserver.org/what-we-do/n...
Dashboard World map: dashboard.shadowserver.org/statistics/c...
Since July 30th we are seeing an increase in scans coming from ~2200 compromised Cisco Small Business RV series routers, Linksys LRT series & Araknis Networks (AN-300-RT-4L2W). Top affected: US but also many others.
IP data on these scans shared in www.shadowserver.org/what-we-do/n...
IP data on these scans shared in www.shadowserver.org/what-we-do/n...
August 19, 2025 at 10:15 AM
Since July 30th we are seeing an increase in scans coming from ~2200 compromised Cisco Small Business RV series routers, Linksys LRT series & Araknis Networks (AN-300-RT-4L2W). Top affected: US but also many others.
IP data on these scans shared in www.shadowserver.org/what-we-do/n...
IP data on these scans shared in www.shadowserver.org/what-we-do/n...
We added version based N-able N-central RMM CVE-2025-8875 & CVE-2025-8876 detection to our daily scans. 1077 IPs unpatched IPs seen on 2025-08-15. Both CVEs recently added to US CISA KEV.
Top affected: US, Canada, Netherlands, UK
Dashboard map view: dashboard.shadowserver.org/statistics/c...
Top affected: US, Canada, Netherlands, UK
Dashboard map view: dashboard.shadowserver.org/statistics/c...
August 17, 2025 at 3:30 PM
We added version based N-able N-central RMM CVE-2025-8875 & CVE-2025-8876 detection to our daily scans. 1077 IPs unpatched IPs seen on 2025-08-15. Both CVEs recently added to US CISA KEV.
Top affected: US, Canada, Netherlands, UK
Dashboard map view: dashboard.shadowserver.org/statistics/c...
Top affected: US, Canada, Netherlands, UK
Dashboard map view: dashboard.shadowserver.org/statistics/c...
Still a large number of unpatched Citrix NetScaler devices likely vulnerable to CVE-2025-5777 (3312 seen) & CVE-2025-6543 (4142 seen). Both vulns are on US CISA KEV list.
The Dutch NCSC has recently released an update related to CVE-2025-6543 activity: www.ncsc.nl/actueel/nieu...
The Dutch NCSC has recently released an update related to CVE-2025-6543 activity: www.ncsc.nl/actueel/nieu...
August 12, 2025 at 9:38 AM
Still a large number of unpatched Citrix NetScaler devices likely vulnerable to CVE-2025-5777 (3312 seen) & CVE-2025-6543 (4142 seen). Both vulns are on US CISA KEV list.
The Dutch NCSC has recently released an update related to CVE-2025-6543 activity: www.ncsc.nl/actueel/nieu...
The Dutch NCSC has recently released an update related to CVE-2025-6543 activity: www.ncsc.nl/actueel/nieu...
We added VMware ESXi CVE-2025-41236 (CVSS 9.3) version based detection to our daily scans. First added 2025-07-19 with 17,238 IPs found. Latest scan (2025-08-10) detects 16,330 unpatched IPs, which is a slow patch rate.
Top affected: France, China, US, Germany
Top affected: France, China, US, Germany
August 11, 2025 at 12:49 PM
We added VMware ESXi CVE-2025-41236 (CVSS 9.3) version based detection to our daily scans. First added 2025-07-19 with 17,238 IPs found. Latest scan (2025-08-10) detects 16,330 unpatched IPs, which is a slow patch rate.
Top affected: France, China, US, Germany
Top affected: France, China, US, Germany
We added Microsoft Exchange CVE-2025-53786 detection to our daily scans (version based). See US CISA Emergency Directive 25-02: www.cisa.gov/news-events/...
Over 28K IPs unpatched (2025-08-07). Top affected: US, Germany, Russia
Dashboard world map: dashboard.shadowserver.org/statistics/c...
Over 28K IPs unpatched (2025-08-07). Top affected: US, Germany, Russia
Dashboard world map: dashboard.shadowserver.org/statistics/c...
August 8, 2025 at 2:21 PM
We added Microsoft Exchange CVE-2025-53786 detection to our daily scans (version based). See US CISA Emergency Directive 25-02: www.cisa.gov/news-events/...
Over 28K IPs unpatched (2025-08-07). Top affected: US, Germany, Russia
Dashboard world map: dashboard.shadowserver.org/statistics/c...
Over 28K IPs unpatched (2025-08-07). Top affected: US, Germany, Russia
Dashboard world map: dashboard.shadowserver.org/statistics/c...
We added version based SonicWall SMA100 CVE-2025-40596 detection to our daily scans - at least 3200 IPs seen still unpatched!
Top affected: US, Japan, Germany
Dashboard map: dashboard.shadowserver.org/statistics/c...
NVD entry: nvd.nist.gov/vuln/detail/...
Top affected: US, Japan, Germany
Dashboard map: dashboard.shadowserver.org/statistics/c...
NVD entry: nvd.nist.gov/vuln/detail/...
August 7, 2025 at 11:16 PM
We added version based SonicWall SMA100 CVE-2025-40596 detection to our daily scans - at least 3200 IPs seen still unpatched!
Top affected: US, Japan, Germany
Dashboard map: dashboard.shadowserver.org/statistics/c...
NVD entry: nvd.nist.gov/vuln/detail/...
Top affected: US, Japan, Germany
Dashboard map: dashboard.shadowserver.org/statistics/c...
NVD entry: nvd.nist.gov/vuln/detail/...
PaperCut CVE-2023-2533 was recently added to the
CISA KEV catalog. We added version based detection of unpatched IPs with 129 seen (2025-08-03).
dashboard.shadowserver.org/statistics/c...
We also scan for CVE-2023-39143 & CVE-2023-27350. Data in Vulnerable HTTP: shadowserver.org/what-we-do/n...
CISA KEV catalog. We added version based detection of unpatched IPs with 129 seen (2025-08-03).
dashboard.shadowserver.org/statistics/c...
We also scan for CVE-2023-39143 & CVE-2023-27350. Data in Vulnerable HTTP: shadowserver.org/what-we-do/n...
August 4, 2025 at 10:43 AM
PaperCut CVE-2023-2533 was recently added to the
CISA KEV catalog. We added version based detection of unpatched IPs with 129 seen (2025-08-03).
dashboard.shadowserver.org/statistics/c...
We also scan for CVE-2023-39143 & CVE-2023-27350. Data in Vulnerable HTTP: shadowserver.org/what-we-do/n...
CISA KEV catalog. We added version based detection of unpatched IPs with 129 seen (2025-08-03).
dashboard.shadowserver.org/statistics/c...
We also scan for CVE-2023-39143 & CVE-2023-27350. Data in Vulnerable HTTP: shadowserver.org/what-we-do/n...
We’re excited to welcome SURFcert to the Shadowserver Alliance as a Bronze Tier Partner!
Together with SURFcert and fellow Alliance Partners, we’re making the Internet more secure for all.
Read more about SURFcert:
www.surf.nl/en
Together with SURFcert and fellow Alliance Partners, we’re making the Internet more secure for all.
Read more about SURFcert:
www.surf.nl/en
August 1, 2025 at 9:05 AM
We’re excited to welcome SURFcert to the Shadowserver Alliance as a Bronze Tier Partner!
Together with SURFcert and fellow Alliance Partners, we’re making the Internet more secure for all.
Read more about SURFcert:
www.surf.nl/en
Together with SURFcert and fellow Alliance Partners, we’re making the Internet more secure for all.
Read more about SURFcert:
www.surf.nl/en
SharePoint situational update: In collaboration with Validin & CERT-BUND we improved vhost & version based detection of SharePoint instances, resulting in ~17K IPs observed exposed. 840 with CVE-2025-53770 - version based detection only. At least 20 with webshells.
July 31, 2025 at 12:51 PM
SharePoint situational update: In collaboration with Validin & CERT-BUND we improved vhost & version based detection of SharePoint instances, resulting in ~17K IPs observed exposed. 840 with CVE-2025-53770 - version based detection only. At least 20 with webshells.
Emerging threats are countered most effectively when IR teams can share technical indicators to improve detection - helping identify, notify & remediate more victims.
Great example: CVE-2025-25257 & FortiWeb shells.
Saudi Arabian NCA and Canadian CCCS both helped protect victims globally!
Great example: CVE-2025-25257 & FortiWeb shells.
Saudi Arabian NCA and Canadian CCCS both helped protect victims globally!
July 31, 2025 at 10:23 AM
Emerging threats are countered most effectively when IR teams can share technical indicators to improve detection - helping identify, notify & remediate more victims.
Great example: CVE-2025-25257 & FortiWeb shells.
Saudi Arabian NCA and Canadian CCCS both helped protect victims globally!
Great example: CVE-2025-25257 & FortiWeb shells.
Saudi Arabian NCA and Canadian CCCS both helped protect victims globally!