We are now scanning daily for CVE-2026-34197 (Apache ActiveMQ Improper Input Validation Vulnerability) which has recently been added to US CISA KEV.
6364 IPs seen vulnerable on 2026-04-19 based on a version check.
Dashboard Tree Map view:
dashboard.shadowserver.org/statistics/c...
Posts by Piotr Kijewski
We added CVE-2026-35616 scans based on the vulnerability detector developed by Bishop Fox
bishopfox.com/blog/api-aut....
Over 60 IPs still assessed as vulnerable: dashboard.shadowserver.org/statistics/c...
Data shared daily in our Vulnerable HTTP reporting: shadowserver.org/what-we-do/n...
We’re excited to announce that the Canadian Centre for Cyber Security (CCCS) has increased its annual Shadowserver Alliance Partnership tier from Gold to Diamond! Thank you CCCS for your generous support and for being a valuable and trusted partner in making the Internet more secure.
We have also added CVE-2026-2699 tagging to our scans, which now detect unpatched Progress ShareFile instances. 120 seen 2026-04-06
dashboard.shadowserver.org/statistics/c...
Tree Map view: dashboard.shadowserver.org/statistics/c...
IP data in Vulnerable HTTP: www.shadowserver.org/what-we-do/n...
Heads up FortiClient EMS users! CVE-2026-35616 (new) & CVE-2026-21643 - both unauthenticated RCE observed to be exploited in the wild! We fingerprint about 2000 instances globally, see public Dashboard: dashboard.shadowserver.org/statistics/i...
Top affected: US & Germany
We added Progress ShareFile fingerprinting to our scans & reports with 784 unique IPs seen exposed on 2026-04-02.
watchTowr recently disclosed details behind an RCE CVE-2026-2699 & CVE-2026-2701 exploit chain affecting ShareFile. Make sure to apply the latest patch!
F5 BIG-IP APM CVE-2025-53521 impact has recently been updated from a DoS to RCE (see: my.f5.com/manage/s/art...) & added to CISA KEV.
We are fingerprinting & sharing F5 BIG-IP APM instances - over 17.1K IPs seen on 2026-03-31 globally. This is just a population assessment.
We’re excited to welcome KPN to the Shadowserver Alliance as a bronze tier partner!
KPN is a leading telecommunications and IT provider in the Netherlands. www.kpn.com/algemeen/eng...
Together we will raise the bar on cybersecurity to make the Internet more secure.
IIS EOL tracker: dashboard.shadowserver.org/statistics/c...
Over 511 000 End-of-Life Microsoft IIS instances seen in our daily scans, out of those over 227 000 instances that are beyond the official Microsoft Extended Security Updates (ESU) period. We now tag those 'eol-iis' and 'eos-iis' respectively in our Vulnerable HTTP reports.
We added a feed of IPs/websites with ClickFix/ClearFake injected code in our Compromised Website reporting, tagged as 'clickfix'. Visitors of the website get tricked into installing malware when injected JavaScript executes. If you receive an alert, review for root cause of compromise!
Great to support our international LE and private sector partners in Tycoon 2FA phishing-as-a-service #cybercrime disruption:
shadowserver.org/news/tycoon-...
New nCSIRT-only Tycoon 2FA Domains Special Report run 2026-03-04 (historical C2/panel/infra domains)
www.shadowserver.org/what-we-do/n...
Another Iran Internet blackout, this time due to the war, visualized on our Public Dashboard - drop to near zero on 2026-03-01:
dashboard.shadowserver.org/statistics/c...
We are continuing to expand our n8n RCE vulnerability scanning - most recently adding CVE-2026-27495 (CVSS 9.4) tagging as well. You can track our various n8n scan results here for the most well known critical vulns: dashboard.shadowserver.org/statistics/c...
Top affected: US, Germany & France.
Massive increase in sources attempting Ivanti EPMM CVE-2026-1281 exploitation, with over 28.3K source IPs seen on 2026-02-09. IP data on attackers shared in our www.shadowserver.org/what-we-do/n... (with vulnerability_id set to CVE-2026-1281). 20.4K IPs seen from US networks.
We have started to report webshells (or other artifacts) found on Ivanti EPMM devices, likely compromised via CVE-2026-1281. 56 IPs found on 2026-02-06
Data in shadowserver.org/what-we-do/n...
Tree Map view: dashboard.shadowserver.org/statistics/c...
Thank you to the KSA NCA for the heads up!
These reports help people defend the country against cyber attacks and also help people fight scammer networks
#CyberCivilDefense #take9
Spike in Ivanti EPMM CVE-2026-1281 RCE exploitation attempts seen by our sensors last 24 hours from at least 13 source IPs. In our scans, we see ~1600 exposed instances worldwide (no vulnerability assessment). Top exposed: Germany (516)
Ivanti hotfix guidance: forums.ivanti.com/s/article/Se...
CVE-2026-24858, a Fortinet authentication bypass vulnerability affecting multiple Fortinet products with FortiCloud SSO enabled, has been added by CISA to the KEV catalog.
We share exposed Fortinet instances with FortiCloud SSO enabled daily in our feeds (~10 000 seen)
We added SmarterTools SmarterMail CVE-2026-23760 RCE to our daily Vulnerable HTTP scans. Around 6000 IPs globally found likely vulnerable based on our version check. We also see exploitation attempts in the wild.
CVE-2026-23760 Geo Treemap View: dashboard.shadowserver.org/statistics/c...
Regarding CVE-2026-24061 in GNU InetUtils telnetd: while we are not scanning for it explicitly (due to current lack of ability to check in a safe way), we do share - and have for years - data on exposed instances in our Accessible Telnet Report: www.shadowserver.org/what-we-do/n...
~800K exposed
We are scanning & reporting out SmarterMail hosts vulnerable to CVE-2025-52691 RCE (CVSS 10).
8001 unique IPs likely vulnerable on 2026-01-12 (18783 exposed). Note Exploit PoCs are public.
Tree Map: dashboard.shadowserver.org/statistics/c...
Raw IP data: www.shadowserver.org/what-we-do/n...
We have identified 120 Cisco Secure Email Gateway / Cisco Secure Email and Web Manager likely vulnerable to CVE-2025-20393 (over 650 fingerprinted exposed). CVE-2025-20393 is exploited in the wild, with no patch available. Follow Cisco recommendations at sec.cloudapps.cisco.com/security/cen...
Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API?
We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash.
Check it out at github.com/The-Shadowse...
We added fingerprinting of Fortinet devices with FortiCloud SSO enabled to our Device Identification reporting (at least 25K IPs seen globally). While not necessarily vulnerable to CVE-2025-59718/CVE-2025-59719, if you get a report from us regarding exposure, please verify/patch!
React Server Components (CVE-2025-55182) RCE findings so far on 2025-12-05. 77664 IPs found vulnerable (based on Assetnote methodology).
IP data is being shared in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...
Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...
Excited that our collaboration with VulnCheck (vulncheck.com) continues to grow as we welcome them as a new Shadowserver Alliance Partner - Silver tier!
We look forward to enhancing our joint efforts to help network defenders globally with vulnerability management.
Operation Endgame Season 3 Episode 2: Interlude released in time for Thanksgiving, recapping some of the #cybercrime disruption successes achieved so far, by partners working together internationally. Happy holidays - looking forward to future episodes!
We shared out 10,449 entries (e-mails) affected by the JSONFormatter and CodeBeautifier leak discovered by @watchTowr (see labs.watchtowr.com/stop-putting...).
Data shared in our Compromised Account Report www.shadowserver.org/what-we-do/n... (search for 2025-11-26 & compromised_account prefix)
We have been sharing Monsta FTP CVE-2025-34299 (pre-auth RCE) vulnerable instances for the last few weeks. We still see over 780 vulnerable IPs (version based check) daily. Most affected: US & Slovakia: dashboard.shadowserver.org/statistics/c...
dashboard.shadowserver.org/statistics/c...