Over 511 000 End-of-Life Microsoft IIS instances seen in our daily scans, out of those over 227 000 instances that are beyond the official Microsoft Extended Security Updates (ESU) period. We now tag those 'eol-iis' and 'eos-iis' respectively in our Vulnerable HTTP reports.

Raw IP data shared in https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ filtered by recipient network/constituency

Top countries running outdated IIS instances: China & USA

EOL IIS Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=eol-iis%2B&data_set=count&scale=log&auto_update=on

EOS (beyond ESU) IIS Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=eos-iis%2B&data_set=count&scale=log&auto_update=on

More on associated risks & on reducing attack surface from EOL devices from US CISA https://www.cisa.gov/resources-tools/resources/reducing-attack-surface-end-support-edge-devices

MS IIS lifecycle: https://learn.microsoft.com/en-us/lifecycle/products/internet-information-services-iis

MS Extended Security Update program (ESU) https://learn.microsoft.com/en-us/lifecycle/products/internet-information-services-iis

We added Microsoft SharePoint CVE-2026-20963 (post-auth deserialization RCE) to our scanning & daily feeds. 1109 IPs found running vulnerable instances worldwide (close to 1900 FQDNs) on 2026-03-19, with 510 IPs in the US.

Dashboard World Map: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-20963%2B&data_set=count&scale=log&auto_update=on

Vulnerable IPs (tagged 'cve-2026-20963') shared daily in our Vulnerable HTTP reporting: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

CVE-2026-20963 is known exploited in the wild and on US CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-20963

Check for compromise.

Microsoft Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963

CVE-2026-20963 Dashboard Tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-20963%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

Dashboard Tree Map view: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-20963%2B&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

We added a feed of IPs/websites with ClickFix/ClearFake injected code in our Compromised Website reporting, tagged as 'clickfix'. Visitors of the website get tricked to install malware when injected JavaScript executes. If you receive an alert review for root cause of compromise!

657 instances shared for 2026-03-14. We expect to increase the volume of the feed in the future!

We would like to thank our Alliance partners and Validin for the collaboration making this possible!

Background on investigating ClickFix/ClearFake: https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/

Compromised Website Report: https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/

Dashboard World Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

Dashboard Tree Map view of infected IPs:
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=clickfix&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

Great to support our international LE and private sector partners in Tycoon 2FA phishing-as-a-service #cybercrime disruption:

shadowserver.org/news/tycoon-...

New nCSIRT-only Tycoon 2FA Domains Special Report run 2026-03-04 (historical C2/panel/infra domains)

https://www.shadowserver.org/what-we-do/network-reporting/info-tycoon-2fa-domains-special-report/

Operation successfully coordinated by Europol, via EC3 Cyber Intelligence Extension Programme (CIEP). Civil legal action by Microsoft DCU

Millions of phishing emails, 96K victims globally

Key domains seized/sinkholed/suspended, thousands of criminal users potentially impacted

We are continuing to expand our n8n RCE vulnerability scanning - most recently adding CVE-2026-27495 (CVSS 9.4) tagging as well. You can track our various n8n scan results here for the most well known critical vulns: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-68613%2B&tag=cve-2025-68668%2B&tag=cve-2026-21858%2B&tag=cve-2026-21877%2B&tag=cve-2026-25053%2B&tag=cve-2026-25056%2B&tag=cve-2026-27495%2B&dataset=unique_ips&limit=100&group_by=tag&stacking=overlap&auto_update=on

Top affected: US, Germany & France.

IP data on vulnerable instances is tagged 'n8n' & with a cve tag (like cve-2026-27495) in our Vulnerable HTTP reporting - https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

Latest n8n critical RCE vulns (all covered with above tag):

https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869
https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr
https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23

If you receive an alert from us, please patch.

World Map view of all n8n vulnerable instances we track: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=n8n%2B&data_set=count&scale=log&auto_update=on

#CyberCivilDefense

We are scanning & reporting IceWarp CVE-2025-14500 (CVSS 9.8, pre-auth command injection RCE) instances. 1278 IPs seen 2026-03-01 (version based check).

Patch info: https://support.icewarp.com/hc/en-us/community/posts/40040980098705-EPOS-Update-2-build-9-14-2-0-9

IP data in https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

Dashboard World Map view: https://dashboard.shadowserver.org/statistics/combined/map/?date_range=1&map_type=std&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-14500%2B&data_set=count&scale=log&auto_update=on

If you receive an alert from us, please update!

NVD entry: https://nvd.nist.gov/vuln/detail/cve-2025-14500

Background: https://www.zerodayinitiative.com/advisories/ZDI-25-1072/

#CyberCivilDefense

Cisco SD-WAN incidents: we are sharing information on identified Cisco SD-WAN instances in Device ID reporting - https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/

We see over 5.5K Cisco SD-WAN IPs (control plane) (https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=cisco&model=cisco+sd-wan+%28peering%29&data_set=count&scale=log), & over 270 management interfaces (https://dashboard.shadowserver.org/statistics/iot-devices/tree/?date_range=1&vendor=cisco&type=device-management&model=cisco+sd-wan&data_set=count&scale=log)

We are also sharing SSH port 830 data in our Accessible SSH reporting - this includes potential NETCONF instances https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssh-report/

Around 90K SSH instances seen exposed, but this includes generic SSH population (NETCONF uses SSH).

Background: https://www.ncsc.gov.uk/news/exploitation-cisco-catalyst-sd-wans

https://blog.talosintelligence.com/uat-8616-sd-wan/

https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide

#CyberCivilDefense

Thanks to collaboration with the Canadian Centre for Cyber Security we can share more comprehensive information on FreePBX instances running webshells, with still over 900 IPs seen compromised.

Dashboard Victim overview (Tree map) https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=freepbx-compromised%2B&data_set=count&scale=log&auto_update=on

IP data in our Compromised Website report, tagged 'freepbx-compromised' - https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/

Compromised FreePBX tracker: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=compromised_iot&source=compromised_website&source=compromised_website6&tag=freepbx-compromised%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

These compromises are likely via CVE-2025-64328

Additional background from Fortinet: https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp