The Shadowserver Foundation

Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API? We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash. Check it out at github.com/The-Shadowserv…

CVE-2026-20963 Dashboard Tracker: dashboard.shadowserver.org/statistics/com… Dashboard Tree Map view: dashboard.shadowserver.org/statistics/com…

Vulnerable IPs (tagged 'cve-2026-20963') shared daily in our Vulnerable HTTP reporting: shadowserver.org/what-we-do/net… CVE-2026-20963 is known exploited in the wild and on @CISACyber KEV: cisa.gov/known-exploite… Check for compromise. Microsoft Advisory: msrc.microsoft.com/update-guide/v…

We added Microsoft SharePoint CVE-2026-20963 (post-auth deserialization RCE) to our scanning & daily feeds. 1109 IPs found running vulnerable instances worldwide (close to 1900 FQDNs) on 2026-03-19, with 510 IPs in the US. Dashboard World Map: dashboard.shadowserver.org/statistics/com…

657 instances shared for 2026-03-14. We expect to increase the volume of the feed in the future! We would like to thank our Alliance partners and @ValidinLLC for the collaboration making this possible! Background on investigating ClickFix/ClearFake: atea.no/siste-nytt/it-…

Compromised Website Report (now with ClickFix data!): shadowserver.org/what-we-do/net… Dashboard World Map view of infected IPs: dashboard.shadowserver.org/statistics/com… Dashboard Tree Map view of infected IPs: dashboard.shadowserver.org/statistics/com…

We added a feed of IPs/websites with ClickFix/ClearFake injected code in our Compromised Website reporting, tagged as 'clickfix'. Visitors of the website get tricked to install malware when injected JavaScript executes. If you receive an alert review for root cause of compromise!

@Europol @MicrosoftDCU nCSIRT-only Tycoon 2FA Domains Special Report run 2026-03-04 (historical C2/panel/infra domains) link: shadowserver.org/what-we-do/net…

Operation successfully coordinated by @Europol, via EC3 Cyber Intelligence Extension Programme (CIEP). Civil legal action by @MicrosoftDCU Millions of phishing emails, 96K victims globally Key domains seized/sinkholed/suspended, thousands of criminal users potentially impacted

Great to support our international LE and private sector partners in Tycoon 2FA phishing-as-a-service #cybercrime disruption: shadowserver.org/news/tycoon-2f… New nCSIRT-only Tycoon 2FA Domains Special Report run 2026-03-04 (historical C2/panel/infra domains)

Another Iran Internet blackout, this time due to the war, visualized on our Public Dashboard - drop to near zero on 2026-03-01: dashboard.shadowserver.org/statistics/com…

If you receive an alert from us, please patch. World Map view of all n8n vulnerable instances we track: dashboard.shadowserver.org/statistics/com…

IP data on vulnerable instances is tagged 'n8n' & with a cve tag (like cve-2026-27495) in our Vulnerable HTTP reporting - shadowserver.org/what-we-do/net… Latest n8n critical RCE vulns (all covered with above tag): github.com/n8n-io/n8n/sec… github.com/n8n-io/n8n/sec… github.com/n8n-io/n8n/sec…

We are continuing to expand our n8n RCE vulnerability scanning - most recently adding CVE-2026-27495 (CVSS 9.4) tagging as well. You can track our various n8n scan results here for the most well known critical vulns: dashboard.shadowserver.org/statistics/com… Top affected: US, Germany & France.

If you receive an alert from us, please update! NVD entry: nvd.nist.gov/vuln/detail/cv… Background: zerodayinitiative.com/advisories/ZDI…

We are scanning & reporting IceWarp CVE-2025-14500 (CVSS 9.8, pre-auth command injection RCE) instances. 1278 IPs seen 2026-03-01 (version based check). Patch info: support.icewarp.com/hc/en-us/commu… IP data in shadowserver.org/what-we-do/net… Dashboard World Map view: dashboard.shadowserver.org/statistics/com…

blog.talosintelligence.com/uat-8616-sd-wa… cyber.gov.au/sites/default/… sec.cloudapps.cisco.com/security/cente…

We are also sharing SSH port 830 data in our Accessible SSH reporting - this includes potential NETCONF instances shadowserver.org/what-we-do/net… Around 90K SSH instances seen exposed, but this includes generic SSH population (NETCONF uses SSH). Background: ncsc.gov.uk/news/exploitat…

Cisco SD-WAN incidents: we are sharing information on identified Cisco SD-WAN instances in Device ID reporting - shadowserver.org/what-we-do/net… We see over 5.5K Cisco SD-WAN IPs (control plane) (dashboard.shadowserver.org/statistics/iot…), & over 270 management interfaces (dashboard.shadowserver.org/statistics/iot…)

IP data in our Compromised Website report, tagged 'freepbx-compromised' - shadowserver.org/what-we-do/net… Compromised FreePBX tracker: dashboard.shadowserver.org/statistics/com… These compromises are likely via CVE-2025-64328 Additional background from @Fortinet: fortinet.com/blog/threat-re…

Thanks to collaboration with the Canadian Centre for Cyber Security @cybercentre_ca we can share more comprehensive information on FreePBX instances running webshells, with still over 900 IPs seen compromised. Dashboard Victim overview (Tree map) dashboard.shadowserver.org/statistics/com…