We added Microsoft SharePoint CVE-2026-20963 (post-auth deserialization RCE) to our scanning & daily feeds. 1109 IPs found running vulnerable instances worldwide (close to 1900 FQDNs) on 2026-03-19, with 510 IPs in the US.

Dashboard World Map: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-20963%2B&data_set=count&scale=log&auto_update=on

Vulnerable IPs (tagged 'cve-2026-20963') shared daily in our Vulnerable HTTP reporting: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

CVE-2026-20963 is known exploited in the wild and on US CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-20963

Check for compromise.

Microsoft Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963

CVE-2026-20963 Dashboard Tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-20963%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

Dashboard Tree Map view: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-20963%2B&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

We added a feed of IPs/websites with ClickFix/ClearFake injected code in our Compromised Website reporting, tagged as 'clickfix'. Visitors of the website get tricked to install malware when injected JavaScript executes. If you receive an alert review for root cause of compromise!

657 instances shared for 2026-03-14. We expect to increase the volume of the feed in the future!

We would like to thank our Alliance partners and Validin for the collaboration making this possible!

Background on investigating ClickFix/ClearFake: https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/

Compromised Website Report: https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/

Dashboard World Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

Dashboard Tree Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

We are continuing to expand our n8n RCE vulnerability scanning - most recently adding CVE-2026-27495 (CVSS 9.4) tagging as well. You can track our various n8n scan results here for the most well known critical vulns: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-68613%2B&tag=cve-2025-68668%2B&tag=cve-2026-21858%2B&tag=cve-2026-21877%2B&tag=cve-2026-25053%2B&tag=cve-2026-25056%2B&tag=cve-2026-27495%2B&dataset=unique_ips&limit=100&group_by=tag&stacking=overlap&auto_update=on

Top affected: US, Germany & France.

IP data on vulnerable instances is tagged 'n8n' & with a cve tag (like cve-2026-27495) in our Vulnerable HTTP reporting - https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

Latest n8n critical RCE vulns (all covered with above tag):

https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869
https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr
https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23

If you receive an alert from us, please patch.

World Map view of all n8n vulnerable instances we track: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=n8n%2B&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

We are scanning & reporting IceWarp CVE-2025-14500 (CVSS 9.8, pre-auth command injection RCE) instances. 1278 IPs seen 2026-03-01 (version based check).

Patch info: https://support.icewarp.com/hc/en-us/community/posts/40040980098705-EPOS-Update-2-build-9-14-2-0-9

IP data in https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-14500%2B&data_set=count&scale=log&auto_update=on

If you receive an alert from us, please update!

NVD entry: https://nvd.nist.gov/vuln/detail/cve-2025-14500

Background: https://www.zerodayinitiative.com/advisories/ZDI-25-1072/

#CyberCivilDefense

Cisco SD-WAN incidents: we are sharing information on identified Cisco SD-WAN instances in Device ID reporting - https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/

We see over 5.5K Cisco SD-WAN IPs (control plane) (https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=cisco&model=cisco+sd-wan+%28peering%29&data_set=count&scale=log), & over 270 management interfaces (https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=cisco&type=device-management&model=cisco+sd-wan&data_set=count&scale=log)

We are also sharing SSH port 830 data in our Accessible SSH reporting - this includes potential NETCONF instances https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssh-report/

Around 90K SSH instances seen exposed, but this includes generic SSH population (NETCONF uses SSH).

Background: https://www.ncsc.gov.uk/news/exploitation-cisco-catalyst-sd-wans

https://blog.talosintelligence.com/uat-8616-sd-wan/

https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide

#CyberCivilDefense

Hackers don’t just forecast cyber risk, they demonstrate it.

The DEF CON 33 Hackers’ Almanack report is blunt, technical, and long overdue. The Almanack translates real exploits into a policy roadmap leaders can’t afford to ignore. #CyberCivilDefense #Take9

Read here:
https://harris.uchicago.edu/sites/default/files/the_def_con_33_hackers_almanack.pdf

Regarding CVE-2026-24061 in GNU InetUtils telnetd: while we are not scanning for it explicitly (due to current lack of ability to check in a safe way, we share - and have for years - data on exposed instances in our Accessible Telnet Report: https://www.shadowserver.org/what-we-do/network-reporting/accessible-telnet-report/

~800K exposed

We have been tweaking the scan the last few days to better weed out non-telnet protocols. Some honeypots may remain.

Telnet should not be publicly exposed, but often is especially on legacy iot devices.

CVE-2025-24061 info & patch: https://seclists.org/oss-sec/2026/q1/89

Dashboard Tree Map view of telnet exposure (no vulnerability assessment): https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=scan&source=scan6&tag=telnet&data_set=count&scale=log&auto_update=on

Like others, we also see exploitation attempts in the wild at scale.

#CyberCivilDefense

We added Fortinet SSL-VPN CVE-2020-12812 to our daily Vulnerable HTTP Report: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

After 5 1/2 years since being published still over 10K Fortinet firewalls remain unpatched. Vuln actively exploited as recently highlighted by Fortinet: https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283

CVE-2020-12812 is also on @cisacyber KEV.

Dashboard World Map view:
https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=cve-2020-12812%2B&data_set=count&scale=log&auto_update=on

Dashboard Tree Map view:
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2020-12812%2B&data_set=count&scale=log&auto_update=on

Original Fortinet advisory from July 2020: https://www.fortiguard.com/psirt/FG-IR-19-283

#CyberSecurity #CyberCivilDefense

Attention! We are scanning & reporting WatchGuard Firebox devices unpatched to CVE-2025-14733 (Out of Bounds Write Vulnerability, unauthenticated RCE, CVSS 9.8). Nearly 125 000 IPs found (2025-12-20): https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=isakmp_vulnerable&source=isakmp_vulnerable6&tag=cve-2025-14733%2B&data_set=count&scale=log&auto_update=on

WatchGuard Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027

We share daily IP data in our Vulnerable ISAKMP Report, tagged 'cve-2025-14733': https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-isakmp-report/

CVE-2025-14733 is reported exploited in the wild & on @cisacyber KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14733

If you receive a report from us, check for signs of compromise as well

Most affected (most unpatched IPs): US (38.3K), Germany (14K), Italy (12.3K)

CVE-2025-14733 World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=other_value&day=2025-12-20&map_type=std&source=isakmp_vulnerable&source=isakmp_vulnerable6&tag=cve-2025-14733%2B&data_set=count&scale=log&auto_update=on

CVE-2025-14733 Tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=isakmp_vulnerable&source=isakmp_vulnerable6&tag=cve-2025-14733%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

#CyberCivilDefense #CyberSecurity