The Shadowserver Foundation

Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Web: https://shadowserver.org
Dashboard: https://dashboard.shadowserver.org
Reports: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
Github: https://github.com/The-Shadowserver-Foundation
Alliance: https://www.shadowserver.org/partner/

Thank you to Precursor Security for becoming a Shadowserver Alliance Silver Tier Partner!

Precursor Security delivers pen testing, 24/7 managed SOC, and more. https://www.precursorsecurity.com

Together with our Alliance Partner community, we’ll make the Internet more secure.

We are now scanning daily for CVE-2026-34197 (Apache ActiveMQ Improper Input Validation Vulnerability) which has recently been added to US CISA KEV.

6364 IPs seen vulnerable on 2026-04-19 based on a version check.

Dashboard Tree Map view:
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=activemq&tag=cve-2026-34197%2B&data_set=count&scale=log&auto_update=on

IP data shared in our Accessible ActiveMQ reporting https://www.shadowserver.org/what-we-do/network-reporting/accessible-activemq-service-report/

For Dashboard viewing, select sources 'activemq' and 'cve-2026-34197'

ActiveMQ Security advisory: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt

Background with details from Horizon3.ai https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/

CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197

NVD CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2026-34197

We’re excited to announce that the Canadian Centre for Cyber Security (CCCS) has increased its annual Shadowserver Alliance Partnership tier from Gold to Diamond! Thank you CCCS for your generous support and for being a valuable and trusted partner in making the Internet more secure.

Become an Alliance Partner today: https://www.shadowserver.org/partner/

Heads up FortiClient EMS users! CVE-2026-35616 (new) & CVE-2026-21643 - both unauthenticated RCE observed to be exploited in the wild! We fingerprint about 2000 instances globally, see public Dashboard: https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=30&vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29&dataset=count&limit=100&group_by=geo&stacking=stacked&auto_update=on

Top affected: US & Germany https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29&data_set=count&scale=log&auto_update=on

Raw IP data shared in our Device ID reporting https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
If you receive data from us on exposed instances, check for compromise & patch!

Patch info:
CVE-2026-35616 (0day reported by Defused Cyber): https://fortiguard.fortinet.com/psirt/FG-IR-26-099
CVE-2026-21643: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

We added Progress ShareFile fingerprinting to our scans & reports with 784 unique IPs seen exposed on 2026-04-02. watchTowr recently disclosed details behind an RCE CVE-2026-2699 & CVE-2026-2701 exploit chain affecting ShareFile. Make sure to apply the latest patch!

Raw IP data in Device ID reports, with device_vendor set to Progress & device_model to ShareFile: https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/

Thank you to Validin for the collaboration!

Dashboard World Map view: https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=progress&model=sharefile&data_set=count&scale=log&auto_update=on

Dashboard Tree Map view:
https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=progress&model=sharefile&data_set=count&scale=log&auto_update=on

Top affected: US, Germany

Note: we are just sharing the exposed population; there is no vulnerability assessment.

Patch: https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26

Background: https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/

CVE-2026-2699 NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-2699

CVE-2026-2701 NVD entry:
https://nvd.nist.gov/vuln/detail/CVE-2026-2701

F5 BIG-IP APM CVE-2025-53521 impact has recently been updated from a DoS to RCE (see: https://my.f5.com/manage/s/article/K000156741) & added to US CISA KEV (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521)

We are fingerprinting & sharing F5 BIG-IP APM instances - over 17.1K IPs seen on 2026-03-31 globally. This is just a population assessment.

IP data is shared in our Device ID reporting https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/ with device_vendor set to 'F5', device_model set to 'BIG-IP APM'

Dashboard Tree Map view: https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=f5&model=big-ip+apm&data_set=count&scale=log&auto_update=on

Dashboard World Map view:
https://dashboard.shadowserver.org/statistics/iot-devices/map/?date_range=1&vendor=f5&model=big-ip+apm&data_set=count&scale=log&auto_update=on

Top affected: US, Japan

If you have APM running on your services/network make sure you are patched & review for any compromise

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-53521