The Shadowserver Foundation

Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API? We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash. Check it out at github.com/The-Shadowserv…

Attention! cPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: support.cpanel.net/hc/en-us/artic… See Public Dashboard for stats: dashboard.shadowserver.org/statistics/hon…

- Honeypot Brute Force Events Report shadowserver.org/what-we-do/net… You can also find exposed cPanel/WHM instances in our Device ID reporting with ~650K IPs seen hosting dashboard.shadowserver.org/statistics/iot…

You can find likely newly compromised instances in our honeypot based reports with cPanel set in the device_vendor of the attacking device - Darknet Events Report shadowserver.org/what-we-do/net… - Honeypot HTTP Scanner Events Report shadowserver.org/what-we-do/net…

IP data in Vulnerable HTTP reporting: shadowserver.org/what-we-do/net… See wiki.zimbra.com/wiki/Security_… for patch info. Dashboard World Map view: dashboard.shadowserver.org/statistics/com… Dashboard Tree Map view: dashboard.shadowserver.org/statistics/com… CVE-2025-48700 Tracker: dashboard.shadowserver.org/statistics/com…

We are scanning/reporting daily Zimbra Collaboration Suite instances vulnerable to CVE-2025-48700, that can allow unauthorized access to sensitive information. This vulnerability is exploited in the wild and on @CISACyber KEV. We see over 10.5K IPs unpatched 2026-04-23.

At #iWeek2026, Andy Chadwick from @Shadowserver joined us to share how their nonprofit foundation provides world-class threat intelligence at no cost to network operators and ISPs.

This is a version based scan. Microsoft Advisory: msrc.microsoft.com/update-guide/e…

IP data shared in Vulnerable HTTP reporting: shadowserver.org/what-we-do/net… Dashboard World Map view: dashboard.shadowserver.org/statistics/com… Dashboard Tree Map view: dashboard.shadowserver.org/statistics/com… CVE-2026-32201 tracker: dashboard.shadowserver.org/statistics/com… Numbers down from 2026-04-15 when we found 1745 unpatched.

We are also scanning & reporting Microsoft SharePoint CVE-2026-32201 (Improper input validation in SharePoint allows an unauthorized attacker to perform spoofing over a network). This vulnerability is known exploited in the wild & on @CISACyber KEV. 1370 IPs seen unpatched.

Thank you to Precursor Security for becoming a Shadowserver Alliance Silver Tier Partner! @PrecurSec delivers pen testing, 24/7 managed SOC, and more. precursorsecurity.com Together with our Alliance Partner community, we’ll make the Internet more secure.

CISA KEV entry: cisa.gov/known-exploite… NVD CVE entry: nvd.nist.gov/vuln/detail/CV…

IP data shared in our Accessible ActiveMQ reporting shadowserver.org/what-we-do/net… For Dashboard viewing, select sources 'activemq' and 'cve-2026-34197' ActiveMQ Security advisory: activemq.apache.org/security-advis… Background with details from @Horizon3ai horizon3.ai/attack-researc…

We are now scanning daily for CVE-2026-34197 (Apache ActiveMQ Improper Input Validation Vulnerability) which has recently been added to @CISACyber KEV. 6364 IPs seen vulnerable on 2026-04-19 based on a version check. Dashboard Tree Map view: dashboard.shadowserver.org/statistics/com…

We added CVE-2026-35616 scans based on the vulnerability detector developed by @bishopfox bishopfox.com/blog/api-authe…. Over 60 IPs still assessed as vulnerable: dashboard.shadowserver.org/statistics/com… Data shared daily in our Vulnerable HTTP reporting: shadowserver.org/what-we-do/net…

Become an Alliance Partner today: shadowserver.org/partner/

We’re excited to announce that @cybercentre_ca has increased its annual Shadowserver Alliance Partnership tier from Gold to Diamond! Thank you @cybercentre_ca for your generous support and for being a valuable and trusted partner in making the Internet more secure.

We have also added CVE-2026-2699 tagging to our scans, which now detect unpatched Progress ShareFile instances. 120 IPs seen on 2026-04-06: dashboard.shadowserver.org/statistics/com… CVE-2026-2699 Tree Map view: dashboard.shadowserver.org/statistics/com… IP data in Vulnerable HTTP reporting: shadowserver.org/what-we-do/net…

Raw IP data shared in our Device ID reporting shadowserver.org/what-we-do/net… If you receive data from us on exposed instances, check for compromise & patch! Patch info: CVE-2026-35616 (0day reported by @DefusedCyber): fortiguard.fortinet.com/psirt/FG-IR-26… CVE-2026-21643: fortiguard.fortinet.com/psirt/FG-IR-25…

Heads up FortiClient EMS users! CVE-2026-35616 (new) & CVE-2026-21643 - both unauthenticated RCE observed to be exploited in the wild! We fingerprint about 2000 instances globally, see public Dashboard: dashboard.shadowserver.org/statistics/iot… Top affected: US & Germany dashboard.shadowserver.org/statistics/iot…