We published a "Shadowserver-in-a-box" platform based on IntelMQ + ELK that can ingest, process and visualize our threat/vulnerability/victim data feeds. Available as a VM or Docker image for free download. Use it for training or in production!

https://github.com/The-Shadowserver-Foundation/training

For usage, you need to request a test API key (or you can use your production API key if you have one already). Please send requests via https://www.shadowserver.org/contact/

The test API key provides access to test/dummy data.

“Shadowserver-in-a-box” development was supported by the cyber capacity building project under the ECOWAS-G7 partnership for cybersecurity, the “Joint Platform for Advancing Cyber Security” (JPAC) in West Africa.

The project was launched by the ECOWAS Commission in collaboration with Germany’s G7 presidency in 2022, commissioned by the German Federal Foreign Office & the European Union Commission in 2023 & implemented by Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH.

#CyberCivilDefense

We are scanning & reporting daily Wazuh CVE-2026-30893 (CVSS 9.9) vulnerable instances, with over 3500 IPs seen unpatched on 2026-05-10. See advisory & update to latest version: https://github.com/wazuh/wazuh/security/advisories/GHSA-m8rw-v4f6-8787 ...

Worth keeping your security platforms up to date!

IP data for your network/constituency shared in Vulnerable HTTP reporting, tagged 'cve-2026-30893': https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

Public Dashboard tree map view: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-30893%2B&data_set=count&scale=log&auto_update=on

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-30893

#CyberCivilDefense #cybersecurity

We added a feed of IPs/websites with ClickFix/ClearFake injected code in our Compromised Website reporting, tagged as 'clickfix'. Visitors of the website get tricked into installing malware when injected JavaScript executes. If you receive an alert, review for root cause of compromise!

657 instances shared for 2026-03-14. We expect to increase the volume of the feed in the future!

We would like to thank our Alliance partners and Validin for the collaboration making this possible!

Background on investigating ClickFix/ClearFake: https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/

Compromised Website Report: https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/

Dashboard World Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

Dashboard Tree Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

Hackers don’t just forecast cyber risk, they demonstrate it.

The DEF CON 33 Hackers’ Almanack report is blunt, technical, and long overdue. The Almanack translates real exploits into a policy roadmap leaders can’t afford to ignore. #CyberCivilDefense #Take9

Read here:
https://harris.uchicago.edu/sites/default/files/the_def_con_33_hackers_almanack.pdf

Regarding CVE-2026-24061 in GNU InetUtils telnetd: while we are not scanning for it explicitly (due to current lack of ability to check in a safe way), we share - and have for years - data on exposed instances in our Accessible Telnet Report: https://www.shadowserver.org/what-we-do/network-reporting/accessible-telnet-report/

~800K exposed

We have been tweaking the scan the last few days to better weed out non-telnet protocols. Some honeypots may remain.

Telnet should not be publicly exposed, but often is, especially on legacy IoT devices.

CVE-2025-24061 info & patch: https://seclists.org/oss-sec/2026/q1/89

Dashboard Tree Map view of telnet exposure (no vulnerability assessment): https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=scan&source=scan6&tag=telnet&data_set=count&scale=log&auto_update=on

Like others, we also see exploitation attempts in the wild at scale.

#CyberCivilDefense