The Shadowserver Foundation
shadowserver.bsky.social
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
https://shadowserver.org/partner
Received an alert from us? Act!

Background on CVE-2023-20198/CVE-2023-20273 & the BadCandy implant from over 2 years ago:
blog.talosintelligence.com/active-explo...

#CyberCivilDefense
Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
Cisco has identified active exploitation of two previously unknown vulnerabilities in the Web User Interface (Web UI) feature of Cisco IOS XE software — CVE-2023-20198 and CVE-2023-20273 — when expose...
blog.talosintelligence.com
November 3, 2025 at 8:30 PM
You can track those here: dashboard.shadowserver.org/statistics/c...

Geo breakdown of implanted Cisco IOS XE: dashboard.shadowserver.org/statistics/c...

IP data shared daily with National CSIRTs worldwide & subscribed impacted network owners: www.shadowserver.org/what-we-do/n...
Time series · General statistics · The Shadowserver Foundation
dashboard.shadowserver.org
November 3, 2025 at 8:30 PM
Tree map view:
dashboard.shadowserver.org/statistics/i...

This vulnerability is on US CISA KEV: www.cisa.gov/known-exploi...
Tree map by country · IoT device statistics · The Shadowserver Foundation
dashboard.shadowserver.org
October 26, 2025 at 6:39 PM
IP data is being shared in our Device ID reporting www.shadowserver.org/what-we-do/n... with device_vendor set to Microsoft & device_model set to Windows Server Update Services (Open).

Geo distribution (World Map):
dashboard.shadowserver.org/statistics/i...
INFO: Device Identification Report | The Shadowserver Foundation
DESCRIPTION LAST UPDATED: 2023-12-06 DEFAULT SEVERITY LEVEL: INFO This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our Interne...
www.shadowserver.org
October 26, 2025 at 6:39 PM
To search for statistics in our Public Dashboard, set source to isakmp_vulnerable, isakmp_vulnerable6 and use the cve-2025-9242 tag.

Geo breakdown (world map):
dashboard.shadowserver.org/statistics/c...

Geo breakdown (tree map): dashboard.shadowserver.org/statistics/c...
World map · General statistics · The Shadowserver Foundation
dashboard.shadowserver.org
October 19, 2025 at 1:30 PM
You can track F5 related exposure on our Public Dashboard here:

dashboard.shadowserver.org/statistics/i...

#CyberCivilDefense
Time series · IoT device statistics · The Shadowserver Foundation
dashboard.shadowserver.org
October 16, 2025 at 7:42 PM
Follow guidance from US CISA & NCSC UK to identify (for example, using our reporting) and harden F5 assets:

www.cisa.gov/news-events/...

www.ncsc.gov.uk/news/confirm...
ED 26-01: Mitigate Vulnerabilities in F5 Devices | CISA
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security
www.cisa.gov
October 16, 2025 at 7:42 PM
You can track F5 related exposure on our Public Dashboard here:

dashboard.shadowserver.org/statistics/i...

#CyberCivilDefense
Time series · IoT device statistics · The Shadowserver Foundation
dashboard.shadowserver.org
October 16, 2025 at 7:36 PM
Follow guidance from @CISACyber & @NCSC UK to identify (for example, using our reporting) and harden F5 assets:

www.cisa.gov/news-events/...

www.ncsc.gov.uk/news/confirm...
ED 26-01: Mitigate Vulnerabilities in F5 Devices | CISA
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security
www.cisa.gov
October 16, 2025 at 7:36 PM
Please let us know of any FPs

We are also in the process of expanding Oracle E-Business Suite exposure, which you can track here: dashboard.shadowserver.org/statistics/i...
Time series · IoT device statistics · The Shadowserver Foundation
dashboard.shadowserver.org
October 7, 2025 at 2:04 PM
Tree map: dashboard.shadowserver.org/statistics/c...

Tracker: dashboard.shadowserver.org/statistics/c...

If you receive an alert from us, please assume compromise (see also US CISA KEV list)

Patch info from Oracle:
www.oracle.com/security-ale...

Background: www.ncsc.gov.uk/news/active-...
Tree map · General statistics · The Shadowserver Foundation
dashboard.shadowserver.org
October 7, 2025 at 2:04 PM
More info & background:
US CISA ED-25-03 Identify and Mitigate Potential Compromise of Cisco Devices: www.cisa.gov/news-events/...

#CyberCivilDefense
ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices | CISA
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-03: Identify and Mitigate Potential
www.cisa.gov
September 30, 2025 at 9:34 AM
Tree map view: dashboard.shadowserver.org/statistics/c...

Cisco advisories with patch info:

CVE-2025-20333: sec.cloudapps.cisco.com/security/cen...

CVE-2025-20362:
sec.cloudapps.cisco.com/security/cen...
September 30, 2025 at 9:34 AM