Nostr notes by The Shadowserver Foundation

Attention! cPanel/WHM CVE-2026-41940 attacks ongoing, with at ...

2026-05-01T13:47:17Z

Attention!

cPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026

See Public Dashboard for stats: https://dashboard.shadowserver.org/statistics/honeypot/device/tree/?date_range=1&vendor=cpanel&data_set=count&scale=log&auto_update=on

44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors.

https://dashboard.shadowserver.org/statistics/honeypot/device/time-series/?date_range=7&vendor=cpanel&dataset=unique_ips&limit=100&group_by=vendor&stacking=stacked&auto_update=on

You can find likely newly compromised instances in our honeypot based reports with cPanel set in the device_vendor of the attacking device

- Darknet Events Report https://www.shadowserver.org/what-we-do/network-reporting/honeypot-darknet-events-report/
- Honeypot HTTP Scanner Events Report
https://www.shadowserver.org/what-we-do/network-reporting/honeypot-http-scanner-events/

- Honeypot Brute Force Events Report
https://www.shadowserver.org/what-we-do/network-reporting/honeypot-brute-force-events-report/

You can also find exposed cPanel/WHM instances in our Device ID reporting with ~650K IPs seen hosting https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=cpanel&dataset=count&limit=1000&group_by=geo&stacking=stacked&auto_update=on

We added a feed of IPs/websites with ClickFix/ClearFake injected ...

2026-03-15T16:05:55Z

We added a feed of IPs/websites with ClickFix/ClearFake injected code in our Compromised Website reporting, tagged as 'clickfix'. Visitors of the website get tricked to install malware when injected JavaScript executes. If you receive an alert review for root cause of compromise!

657 instances shared for 2026-03-14. We expect to increase the volume of the feed in the future!

We would like to thank our Alliance partners and Validin for the collaboration making this possible!

Background on investigating ClickFix/ClearFake: https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/

Compromised Website Report: https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/

Dashboard World Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

Dashboard Tree Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

Iran Internet blackout visualized on our Public Dashboard - drop ...

2026-01-13T11:03:05Z

Iran Internet blackout visualized on our Public Dashboard - drop to near zero exposure after 2026-01-08 in scan and sinkhole telemetry:

Scan results: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=population&source=population6&source=scan&source=scan6&geo=IR&geo=IQ&geo=PK&geo=SA&geo=TR&dataset=unique_ips&limit=100&group_by=geo&stacking=overlap&auto_update=on

Sinkhole results:
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=sinkhole&source=sinkhole6&source=sinkhole_dns&geo=IR&geo=IQ&geo=PK&geo=SA&geo=TR&dataset=unique_ips&limit=100&group_by=geo&stacking=overlap&auto_update=on

MongoBleed update: We added MongoDB CVE-2025-14847 tagging today ...

2025-12-29T19:37:19Z

MongoBleed update: We added MongoDB CVE-2025-14847 tagging today that is version based. This results in 74,854 possibly unpatched versions (out of 78,725 exposed today). IP data on vulnerable instances shared in our Open MongoDB Report: https://www.shadowserver.org/what-we-do/network-reporting/open-mongodb-report/

Note FPs on CVE-2025-14847 tagging may be possible due to backporting patches without bumping versions.

IP data on exposed instances is shared daily since Feb 2015!

To view exposed info on Dashboard select source 'scan' 'scan6' & tag 'mongodb' https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=scan&source=scan6&tag=mongodb&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

Advisory & patch details on CVE-2025-14847 can be found at https://jira.mongodb.org/browse/SERVER-115508

If you receive an alert from us, check for compromise!

Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.

Proud to once again support our LE partners in Operation Endgame ...

2025-11-13T10:12:55Z

Proud to once again support our LE partners in Operation Endgame Season 3

86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12

More details:
https://shadowserver.org/news/rhadamanthys-historical-bot-infections-special-report/

Latest Operation Endgame S03E01 video "STICKY FINGERS":
https://operation-endgame.com

Europol Press Release:
https://europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down

Rhadamanthys Historic Bot Victims Special Report technical details:
https://shadowserver.org/what-we-do/network-reporting/rhadamanthys-historical-bot-infections-special-report/

You can track CVE-2025-20333 & CVE-2025-20362 vulnerable ...

2025-10-05T09:59:01Z

In reply to nevent1q…vldq
_________________________

You can track CVE-2025-20333 & CVE-2025-20362 vulnerable (unpatched) Cisco ASA/FTD instances here - https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-20333%2B&tag=cve-2025-20362%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

Around ~45K vulnerable seen on 2025-10-04

Attention! Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 ...

2025-09-30T09:19:38Z

Attention!

Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 incidents: we are now reporting daily vulnerable Cisco ASA/FTD instances in our Vulnerable HTTP reporting: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

Over 48.8K unpatched IPs found on 2025-09-29. Top affected: US

World map view of unpatched IPs: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-20333%2B&tag=cve-2025-20362%2B&data_set=count&scale=log&auto_update=on

Tree map view of unpatched IPs:

https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-20333%2B&tag=cve-2025-20362%2B&data_set=count&scale=log&auto_update=on

Advisory from Cisco:

CVE-2025-20333: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

CVE-2025-20362: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW

More info: US CISA Emergency Directive Identify and Mitigate Potential Compromise of Cisco Devices: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

#CyberCivilDefense

(thanks also to Kevin Beaumont (npub1lcc…lcye) for confirmation of the detection methodology!)

Citrix NetScaler CVE-2025-7775 patch rate as seen in our scans: ...

2025-08-29T13:23:51Z

In reply to nevent1q…uw7r
_________________________

Citrix NetScaler CVE-2025-7775 patch rate as seen in our scans:

https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-7775%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-7775%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=overlap&auto_update=on

Now down from 28.2K to 12.4K. Europe patching at a faster rate than North America ...

(you can toggle overlapping/stacked time series on our Dashboard to compare)

ALERT: On 2025-08-26 over 28K Citrix NetScaler instances were ...

2025-08-27T11:19:56Z

ALERT: On 2025-08-26 over 28K Citrix NetScaler instances were unpatched to CVE-2025-7775 RCE. There is exploitation in the wild confirmed by US CISA KEV list addition.

Patch info from Citrix: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938

Top affected: US, Germany

Dashboard geo breakdown: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=exchange&source=exchange6&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-7775%2B&data_set=count&scale=log&auto_update=on

IP data is being shared in our Vulnerable HTTP reporting https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ (tagged 'cve-2025-7775')

If you receive an alert from us investigate for compromise

You can track CVE-2025-7775 patching progress on our Dashboard at: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-7775%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

We are also scanning for Ivanti EPMM instances likely vulnerable ...

2025-05-19T10:46:29Z

We are also scanning for Ivanti EPMM instances likely vulnerable (unpatched) to CVE-2025-4427 which can be chained with CVE-2025-4428 for RCE.

First scans found 940 instances (2025-05-15), down to 798 (2025-05-18).

Geo breakdown: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-4427%2B&data_set=count&scale=log&auto_update=on

IP data in https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ tagged as 'cve-2025-4427'.

Detection is based on non-intrusive check provided by watchTowr (npub1r4a…u230)

CVE-2025-4427 tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=exchange&source=exchange6&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-4427%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

If you receive an alert, please make sure to review for any compromise - CVE-2025-4427/CVE-2025-4428 are exploited in the wild.

Patch info from Ivanti: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US&_gl=1*1ylgtgu*_gcl_au*MTg5MTk4MDIzMC4xNzQ3MTU3OTQ1

Background on vulnerabilities:
https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/

We started scanning for IoT devices compromised by the ...

2025-03-04T11:28:40Z

We started scanning for IoT devices compromised by the Eleven11bot DDoS botnet, with ~86.4K discovered on 2025-03-02. IP data is shared daily in our Compromised IoT report https://www.shadowserver.org/what-we-do/network-reporting/compromised-iot-report/

Top affected: US (24.7K), UK (10.8K).

Dashboard map view: https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-03-03&source=compromised_iot&tag=eleven11bot%2B&geo=all&data_set=count&scale=log

For background, please see Nokia Deepfield Emergency Response Team (ERT) Deepfield (npub1vc3…78jp) announcement: https://infosec.exchange/@deepfield/114086567369833954

Dashboard breakdown by US state:

https://dashboard.shadowserver.org/statistics/combined/map/region/?map_type=std&day=2025-03-03&source=compromised_iot&geo=US&scale=log

We are sharing backdoored Ivanti Connect Secure devices that ...

2025-01-23T20:07:57Z

We are sharing backdoored Ivanti Connect Secure devices that *may* have been compromised as part of a CVE-2025-0282 exploitation campaign (but also we believe may include older or other activity).

379 new backdoored instances found on 2025-01-22:
https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-22&source=compromised_website&source=compromised_website6&tag=cve-2025-0282%2B&geo=all&data_set=count&scale=log

Data shared daily in our Compromised Website report https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/ tagged 'backdoor;ivanti-connect-secure'

Dashboard tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=compromised_website&source=compromised_website6&tag=backdoor%2B&dataset=unique_ips&limit=1000&group_by=geo&style=stacked

Make sure to investigate your Ivanti Connect Secure instance if you receive an alert from us! CISA Cyber (npub1e4q…v25r) mitigation advice is a good start https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282

Thank you to Traficomin Kyberturvallisuuskeskus (npub1duv…vh97) for the insights and detection methods!

We are sharing daily results of Fortinet CVE-2024-55591 (auth ...

2025-01-20T12:45:42Z

We are sharing daily results of Fortinet CVE-2024-55591 (auth bypass) vulnerable instances in our Vulnerable HTTP report - https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

CVE-2024-55591 is known to be exploited in the wild & on CISA Cyber (npub1e4q…v25r) KEV.

Around 50K found vulnerable: Around 50K found vulnerable: https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-19&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-55591%2B&geo=all&data_set=count&scale=log

Our test is based on the methodology published by
@watchtowrcyber
https://github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591/blob/main/CVE-2024-55591-check.py - thank you!

CVE-2024-55591 vulnerability tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-55591%2B&dataset=unique_ips&group_by=geo&style=stacked

Fortinet advisory: https://fortiguard.com/psirt/FG-IR-24-535

Make sure to check for signs of compromise!

Additional background: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/

Current Ivanti Connect Secure CVE-2025-0282 scanning results: ...

2025-01-13T13:15:34Z

In reply to nevent1q…f959
_________________________

Current Ivanti Connect Secure CVE-2025-0282 scanning results: around 800 exposed unpatched devices (IPs) seen as of 2025-01-12 (drop from around 2000 seen 2025-01-09)

CVE-2025-0282 vulnerability tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-0282%2B&dataset=unique_ips&style=stacked

We have started reporting unpatched Ivanti Connect Secure ...

2025-01-10T08:42:22Z

We have started reporting unpatched Ivanti Connect Secure instances likely vulnerable to the new known to be exploited in the wild CVE-2025-0282.

We see 2048 likely vulnerable instances worldwide on 2025-01-09. Top: US

Dashboard overview by country: https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-09&source=exchange&source=exchange6&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-0282%2B&geo=all&data_set=count&scale=log

Vulnerable IP data is shared daily for your network/constituency in our https://shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ tagged 'cve-2025-0282'

If you receive an alert from us, make sure to follow CISA Cyber (npub1e4q…v25r) mitigation instructions: https://cisa.gov/cisa-mitigation-instructions-cve-2025-0282

Ivanti patch info: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

Thank you to watchTowr (npub1r4a…u230) for the insights and collaboration!

We are seeing large numbers of sources scanning for RDP services ...

2024-12-13T11:17:40Z

We are seeing large numbers of sources scanning for RDP services - especially port 1098/TCP (!) - in our honeypot sensors last 2 weeks (up to 740 000 (!) distinct source IPs daily, incl up to 405 000 from Brazil).

Tracker: https://dashboard.shadowserver.org/statistics/honeypot/device/time-series/?date_range=30&type=rdp-scan&geo=BR&dataset=unique_ips&limit=1000&group_by=geo&style=stacked

Map of source IPs (2024-12-03): https://dashboard.shadowserver.org/statistics/honeypot/device/map/?day=2024-12-03&type=rdp-scan&geo=all&data_set=count&scale=log

Make sure to limit unnecessary exposure of RDP and enable MFA.

Note recent MS patch Tuesday had multiple fixes for RDP vulnerabilities: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49132, CVE-2024-49116, CVE-2024-49128

We observe many MikroTik routers behind the probes, but these could be other devices/residential proxies behind the routers

Source IPs by device type (in cases where we are able to identify the device type): https://dashboard.shadowserver.org/statistics/honeypot/device/time-series/?date_range=30&type=rdp-scan&dataset=unique_ips&limit=1000&group_by=vendor&style=stacked

We share data on the source IPs doing the scans in our Honeypot RDP Scanner Events report https://shadowserver.org/what-we-do/network-reporting/honeypot-rdp-scanner-events-report/

The file name for that report is event4_honeypot_rdp_scan

Insights welcome!

Palo Alto Networks has now updated their advisory ...

2024-11-15T11:59:16Z

In reply to nevent1q…r90w
_________________________

Palo Alto Networks has now updated their advisory https://security.paloaltonetworks.com/PAN-SA-2024-0015 saying they have "observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet."

We see a drop in exposed PAN-OS Management Interfaces (down by around 2K from previously shared observations), currently at 8726 IPs

Get these Interfaces off public Internet access NOW!

PAN-OS Management Interface tracker: https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=palo+alto+networks&model=pan-os+management+interface&dataset=count&limit=1000&group_by=geo&style=stacked

We have observed D-Link NAS CVE-2024-10914 ...

2024-11-13T09:52:48Z

We have observed D-Link NAS CVE-2024-10914 /cgi-bin/account_mgr.cgi command injection exploitation attempts starting Nov 12th. This vuln affects EOL/EOS devices, which should be removed from the Internet: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413

We see ~1100 exposed.

https://dashboard.shadowserver.org/statistics/iot-devices/tree/?day=2024-11-12&vendor=d-link&type=nas&geo=all&data_set=count&scale=log

We share IP data on exposed D-Link NAS instances for your network/constituency in our Device ID reports (vendor D-Link, type: nas): https://shadowserver.org/what-we-do/network-reporting/device-identification-report/

D-Link NAS exposure tracker https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=d-link&type=nas&model=sharecenter&dataset=count&limit=1000&group_by=geo&style=stacked

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-10914

Palo Alto Networks published an advisory on 2024-11-08 warning of ...

2024-11-11T15:35:52Z

Palo Alto Networks published an advisory on 2024-11-08 warning of a claim of an RCE via the PAN-OS management interface. While no exploitation activity has yet been observed, we added fingerprinting for exposed PAN-OS mgmt interfaces in our Device ID report to warn recipients of potential attack surface exposure.

We see around 11K IPs exposed (2024-11-10 scan).

You can view exposure on our Dashboard selecting "IoT device statistics" in the top nav bar and setting vendor to "Palo Alto Networks" and model to "PAN-OS Management Interface"

World map view: https://dashboard.shadowserver.org/statistics/iot-devices/map/?day=2024-11-10&vendor=palo+alto+networks&model=pan-os+management+interface&geo=all&data_set=count&scale=log

PAN-OS mgmt exposure tracker:
https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=palo+alto+networks&model=pan-os+management+interface&dataset=count&limit=1000&group_by=geo&style=stacked

IP data is now shared daily in our Device ID report https://shadowserver.org/what-we-do/network-reporting/device-identification-report/

Palo Alto Networks security alert advisory https://security.paloaltonetworks.com/PAN-SA-2024-0015

Guidance on "How to Secure the Management Access of Your Palo Alto Networks Device" by Palo Alto Networks: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

PAN-OS Management Exposure by US state:
https://dashboard.shadowserver.org/statistics/iot-devices/map/?day=2024-11-10&vendor=palo+alto+networks&model=pan-os+management+interface&geo=all&data_set=count&scale=log

We started seeing some Progress WhatsUp Gold CVE-2024-6670 (CVSS ...

2024-09-03T08:44:48Z

We started seeing some Progress WhatsUp Gold CVE-2024-6670 (CVSS 9.8) SQLi exploit attempts against our honeypot sensors that match recently published PoC (/NmConsole/Platform/PerformanceMonitorErrors/HasErrors endpoint)

Progress advisory & patch info: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024