The Shadowserver Foundation

2.7K Followers
0 Following
454 Posts
Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Web: https://shadowserver.org
Dashboard: https://dashboard.shadowserver.org
Reports: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
Github: https://github.com/The-Shadowserver-Foundation
Alliance: https://www.shadowserver.org/partner/

Heads up FortiClient EMS users! CVE-2026-35616 (new) & CVE-2026-21643 - both unauthenticated RCEs, observed to be exploited in the wild! We fingerprint about 2000 instances globally, see public Dashboard: https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=30&vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29&dataset=count&limit=100&group_by=geo&stacking=stacked&auto_update=on

Top affected: US & Germany https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29&data_set=count&scale=log&auto_update=on

Raw IP data shared in our Device ID reporting https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
If you receive data from us on exposed instances, check for compromise & patch!

Patch info:
CVE-2026-35616 (0day reported by Defused Cyber): https://fortiguard.fortinet.com/psirt/FG-IR-26-099
CVE-2026-21643: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

We added Progress ShareFile fingerprinting to our scans & reports, with 784 unique IPs seen exposed on 2026-04-02. watchTowr recently disclosed details behind an RCE exploit chain, CVE-2026-2699 & CVE-2026-2701, affecting ShareFile. Make sure to apply the latest patch!

Raw IP data in Device ID reports, with device_vendor set to Progress & device_model to ShareFile: https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/

Thank you to Validin for the collaboration!

Dashboard World Map view: https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=progress&model=sharefile&data_set=count&scale=log&auto_update=on

Dashboard Tree Map view:
https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=progress&model=sharefile&data_set=count&scale=log&auto_update=on

Top affected: US, Germany

Note: we are just sharing the exposed population; there is no vulnerability assessment.

Patch: https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26

Background: https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/

CVE-2026-2699 NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-2699

CVE-2026-2701 NVD entry:
https://nvd.nist.gov/vuln/detail/CVE-2026-2701

F5 BIG-IP APM CVE-2025-53521 impact has recently been updated from a DoS to RCE (see: https://my.f5.com/manage/s/article/K000156741) & added to US CISA KEV (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521)

We are fingerprinting & sharing F5 BIG-IP APM instances - over 17.1K IPs seen on 2026-03-31 globally. This is just a population assessment.

IP data is shared in our Device ID reporting https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/ with device_vendor set to 'F5', device_model set to 'BIG-IP APM'

Dashboard Tree Map view: https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=f5&model=big-ip+apm&data_set=count&scale=log&auto_update=on

Dashboard World Map view:
https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=f5&model=big-ip+apm&data_set=count&scale=log&auto_update=on

Top affected: US, Japan

If you have APM running on your services/network, make sure you are patched & review for any compromise.

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-53521
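The Device ID posts above (FortiClient EMS, ShareFile, BIG-IP APM) all say the same thing to a report recipient: filter the CSV on device_vendor / device_model and go check those hosts. The following is an added example of that triage step, not Shadowserver's own code or tooling. The column names device_vendor and device_model come from the posts; timestamp, ip and geo are assumed column names, the rows are constructed sample data, and the model strings follow the vendor/model values used in the dashboard URLs.

```python
"""Triage helper for Shadowserver-style Device ID report rows (added example)."""
import csv
import io
from collections import Counter

# Constructed sample report. Only device_vendor/device_model are column
# names taken from the posts; timestamp, ip and geo are assumed for this example.
SAMPLE_REPORT = """timestamp,ip,geo,device_vendor,device_model
"2026-04-02 03:12:01",203.0.113.10,US,Progress,ShareFile
"2026-04-02 03:12:05",203.0.113.11,DE,Progress,ShareFile
"2026-04-02 03:13:44",198.51.100.7,US,F5,BIG-IP APM
"2026-04-02 03:14:02",198.51.100.8,JP,F5,BIG-IP APM
"2026-04-02 03:15:10",192.0.2.20,US,Fortinet,FortiClient Enterprise Management Server (EMS)
"2026-04-02 03:15:11",192.0.2.21,DE,Fortinet,FortiClient Enterprise Management Server (EMS)
"2026-04-02 03:15:11",192.0.2.21,DE,Fortinet,FortiClient Enterprise Management Server (EMS)
"2026-04-02 03:16:00",192.0.2.99,FR,ExampleVendor,ExampleModel
"""

# Vendor/model pairs flagged in the posts, mapped to the advisory to read.
# Keys are lower-cased so matching is case-insensitive.
WATCHLIST = {
    ("fortinet", "forticlient enterprise management server (ems)"): "FG-IR-26-099 / FG-IR-25-1142",
    ("progress", "sharefile"): "CVE-2026-2699 / CVE-2026-2701",
    ("f5", "big-ip apm"): "CVE-2025-53521",
}


def watchlist_hits(report_text):
    """Return one record per unique IP whose vendor/model is on the watchlist.

    Duplicate IPs (the same host seen more than once) are collapsed so the
    counts line up with the 'unique IPs' figures Shadowserver reports.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        key = (row["device_vendor"].strip().lower(), row["device_model"].strip().lower())
        if key not in WATCHLIST:
            continue  # exposed but not on this watchlist; nothing to do here
        hits.setdefault(row["ip"], {
            "ip": row["ip"],
            "geo": row["geo"],
            "vendor": row["device_vendor"],
            "model": row["device_model"],
            "advisory": WATCHLIST[key],
        })
    return list(hits.values())


def count_by_geo(hits):
    """Per-country totals, like the dashboard map view."""
    return Counter(h["geo"] for h in hits)


def count_by_model(hits):
    """Per-model totals, so each product owner gets their own list."""
    return Counter(h["model"] for h in hits)


if __name__ == "__main__":
    found = watchlist_hits(SAMPLE_REPORT)
    for h in found:
        print(f"{h['ip']:<14} {h['geo']} {h['vendor']} {h['model']} -> {h['advisory']}")
    print("by geo:", dict(count_by_geo(found)))
    print("by model:", dict(count_by_model(found)))
```

In practice the report you receive only covers your own constituency, so the hit list is the set of hosts to verify for patch level and to review for compromise; the watchlist is a dictionary precisely so new vendor/model pairs from later posts can be appended without touching the parsing.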

We’re excited to welcome KPN to the Shadowserver Alliance as a bronze tier partner!

KPN is a leading telecommunications and IT provider in the Netherlands. https://www.kpn.com/algemeen/english

Together we will raise the bar on cybersecurity to make the Internet more secure.

Become a Shadowserver Alliance partner today:
https://www.shadowserver.org/partner

Over 511 000 End-of-Life Microsoft IIS instances seen in our daily scans; of those, over 227 000 instances are beyond the official Microsoft Extended Security Updates (ESU) period. We now tag those 'eol-iis' and 'eos-iis' respectively in our Vulnerable HTTP reports.

Raw IP data shared in https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ filtered by recipient network/constituency

Top countries running outdated IIS instances: China & USA

EOL IIS Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=eol-iis%2B&data_set=count&scale=log&auto_update=on

EOS (beyond ESU) IIS Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=eos-iis%2B&data_set=count&scale=log&auto_update=on

More on associated risks & on reducing attack surface from EOL devices from US CISA https://www.cisa.gov/resources-tools/resources/reducing-attack-surface-end-support-edge-devices

MS IIS lifecycle: https://learn.microsoft.com/en-us/lifecycle/products/internet-information-services-iis

MS Extended Security Update program (ESU): https://learn.microsoft.com/en-us/lifecycle/products/internet-information-services-iis

We added a feed of IPs/websites with ClickFix/ClearFake injected code in our Compromised Website reporting, tagged as 'clickfix'. Visitors to the website are tricked into installing malware when the injected JavaScript executes. If you receive an alert, review for the root cause of compromise!

657 instances shared for 2026-03-14. We expect to increase the volume of the feed in the future!

We would like to thank our Alliance partners and Validin for the collaboration making this possible!

Background on investigating ClickFix/ClearFake: https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/

Compromised Website Report: https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/

Dashboard World Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

Dashboard Tree Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

Great to support our international LE and private sector partners in Tycoon 2FA phishing-as-a-service #cybercrime disruption:

shadowserver.org/news/tycoon-...

New nCSIRT-only Tycoon 2FA Domains Special Report run 2026-03-04 (historical C2/panel/infra domains)

https://www.shadowserver.org/what-we-do/network-reporting/info-tycoon-2fa-domains-special-report/

Operation successfully coordinated by Europol, via EC3 Cyber Intelligence Extension Programme (CIEP). Civil legal action by Microsoft DCU

Millions of phishing emails, 96K victims globally

Key domains seized/sinkholed/suspended, thousands of criminal users potentially impacted