The Shadowserver Foundation

Using ELK & interested in automating ingestion of our threat intel for your network/constituency via our API? We have introduced an ECS logging script for our intelligence reports. This script uses Redis to queue events for Logstash. Check it out at github.com/The-Shadowserv…

The project was launched by the ECOWAS Commission in collaboration with Germany’s G7 presidency in 2022, commissioned by the German Federal Foreign Office & the European Union Commission in 2023 & implemented by Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH.

Development was supported by the cyber capacity building project under the ECOWAS-G7 partnership for cybersecurity, the “Joint Platform for Advancing Cyber Security” (JPAC) in West Africa. @ecowas_cedeao @G7 @EU_Commission @GermanyDiplo @giz_gmbh

We published a "Shadowserver-in-a-box" platform based on IntelMQ + ELK that can ingest, process and visualize our threat/vulnerability/victim data feeds. Available as a VM or Docker image for free download. Use it for training or in production! github.com/The-Shadowserv…

IP data for your network/constituency shared in Vulnerable HTTP reporting, tagged 'cve-2026-30893: shadowserver.org/what-we-do/net… Public Dashboard tree map view: dashboard.shadowserver.org/statistics/com… NVD entry: nvd.nist.gov/vuln/detail/CV… #CyberCivilDefense

We are scanning & reporting daily Wazuh CVE-2026-30893 (CVSS 9.9) vulnerable instances, with over 3500 IPs seen unpatched on 2026-05-10. See advisory & update to latest version: github.com/wazuh/wazuh/se… ... Worth keeping your security platforms up to date!

Raw IP data in our Vulnerable HTTP reporting shadowserver.org/what-we-do/net… tagged 'cve-2026-6973' Public Dashboard tree map overview of vulnerable instances: dashboard.shadowserver.org/statistics/com… CVE-2026-6973 patch tracker: dashboard.shadowserver.org/statistics/com…

We are tagging CVE-2026-6973 Ivanti EPMM instances seen in our daily scans. 362 IPs seen unpatched on 2026-05-10, down from 562 IPs on 2026-05-08 when we first added the detection. See Ivanti advisory for details - hub.ivanti.com/s/article/May-… CVE-2026-6973 is on @CISACyber KEV.

Attention! cPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: support.cpanel.net/hc/en-us/artic… See Public Dashboard for stats: dashboard.shadowserver.org/statistics/hon…

- Honeypot Brute Force Events Report shadowserver.org/what-we-do/net… You can also find exposed cPanel/WHM instances in our Device ID reporting with ~650K IPs seen hosting dashboard.shadowserver.org/statistics/iot…

You can find likely newly compromised instances in our honeypot based reports with cPanel set in the device_vendor of the attacking device - Darknet Events Report shadowserver.org/what-we-do/net… - Honeypot HTTP Scanner Events Report shadowserver.org/what-we-do/net…

IP data in Vulnerable HTTP reporting: shadowserver.org/what-we-do/net… See wiki.zimbra.com/wiki/Security_… for patch info. Dashboard World Map view: dashboard.shadowserver.org/statistics/com… Dashboard Tree Map view: dashboard.shadowserver.org/statistics/com… CVE-2025-48700 Tracker: dashboard.shadowserver.org/statistics/com…

We are scanning/reporting daily Zimbra Collaboration Suite instances vulnerable to CVE-2025-48700, that can allow unauthorized access to sensitive information. This vulnerability is exploited in the wild and on @CISACyber KEV. We see over 10.5K IPs unpatched 2026-04-23.

At #iWeek2026, Andy Chadwick from @Shadowserver joined us to share how their nonprofit foundation provides world-class threat intelligence at no cost to network operators and ISPs.

This is a version based scan. Microsoft Advisory: msrc.microsoft.com/update-guide/e…

IP data shared in Vulnerable HTTP reporting: shadowserver.org/what-we-do/net… Dashboard World Map view: dashboard.shadowserver.org/statistics/com… Dashboard Tree Map view: dashboard.shadowserver.org/statistics/com… CVE-2026-32201 tracker: dashboard.shadowserver.org/statistics/com… Numbers down from 2026-04-15 when we found 1745 unpatched.

We are also scanning & reporting Microsoft SharePoint CVE-2026-32201 (Improper input validation in SharePoint allows an unauthorized attacker to perform spoofing over a network). This vulnerability is known exploited in the wild & on @CISACyber KEV. 1370 IPs seen unpatched.

Thank you to Precursor Security for becoming a Shadowserver Alliance Silver Tier Partner! @PrecurSec delivers pen testing, 24/7 managed SOC, and more. precursorsecurity.com Together with our Alliance Partner community, we’ll make the Internet more secure.