The Shadowserver Foundation

Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance!
Web: https://shadowserver.org
Dashboard: https://dashboard.shadowserver.org
Reports: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
Github: https://github.com/The-Shadowserver-Foundation
Alliance: https://www.shadowserver.org/partner/
Training (Shadowserver-in-a-box): https://github.com/The-Shadowserver-Foundation/training

We published a "Shadowserver-in-a-box" platform based on IntelMQ + ELK that can ingest, process and visualize our threat/vulnerability/victim data feeds. Available as a VM or Docker image for free download. Use it for training or in production!

https://github.com/The-Shadowserver-Foundation/training

For usage, you need to request a test API key (or you can use your production API key if you have one already). Please send requests via https://www.shadowserver.org/contact/

Test API key provides access to test/dummy data.

“Shadowserver-in-a-box” development was supported by the cyber capacity building project under the ECOWAS-G7 partnership for cybersecurity, the “Joint Platform for Advancing Cyber Security” (JPAC) in West Africa.

The project was launched by the ECOWAS Commission in collaboration with Germany’s G7 presidency in 2022, commissioned by the German Federal Foreign Office & the European Union Commission in 2023 & implemented by Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH.

#CyberCivilDefense

We are scanning & reporting daily Wazuh CVE-2026-30893 (CVSS 9.9) vulnerable instances, with over 3500 IPs seen unpatched on 2026-05-10. See advisory & update to latest version: https://github.com/wazuh/wazuh/security/advisories/GHSA-m8rw-v4f6-8787 ...

Worth keeping your security platforms up to date!

IP data for your network/constituency shared in Vulnerable HTTP reporting, tagged 'cve-2026-30893': https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

Public Dashboard tree map view: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2026-30893%2B&data_set=count&scale=log&auto_update=on

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-30893

#CyberCivilDefense #cybersecurity

Attention!

cPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026

See Public Dashboard for stats: https://dashboard.shadowserver.org/statistics/honeypot/device/tree/?date_range=1&vendor=cpanel&data_set=count&scale=log&auto_update=on

44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors.

https://dashboard.shadowserver.org/statistics/honeypot/device/time-series/?date_range=7&vendor=cpanel&dataset=unique_ips&limit=100&group_by=vendor&stacking=stacked&auto_update=on

You can find likely newly compromised instances in our honeypot based reports with cPanel set in the device_vendor of the attacking device

- Darknet Events Report https://www.shadowserver.org/what-we-do/network-reporting/honeypot-darknet-events-report/
- Honeypot HTTP Scanner Events Report https://www.shadowserver.org/what-we-do/network-reporting/honeypot-http-scanner-events/
- Honeypot Brute Force Events Report https://www.shadowserver.org/what-we-do/network-reporting/honeypot-brute-force-events-report/

You can also find exposed cPanel/WHM instances in our Device ID reporting with ~650K IPs seen hosting https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=7&vendor=cpanel&dataset=count&limit=1000&group_by=geo&stacking=stacked&auto_update=on
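
An added example, not part of the original posts and not Shadowserver's own tooling: a triage helper that pulls the IPs inside your own address space out of a downloaded report CSV, matching either `device_vendor` (honeypot reports, as in the cPanel post above) or a tag such as `cve-2026-30893` (Vulnerable HTTP report, as in the Wazuh post). Only `device_vendor` and the tag value come from the posts; the other column names, the semicolon tag separator and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample rows, not real Shadowserver data. Column names other than
# device_vendor and tag are assumptions about the report layout.
HONEYPOT_CSV = '''"timestamp","src_ip","device_vendor","device_type"
"2026-04-30 00:01:02","192.0.2.10","cPanel","hosting-panel"
"2026-04-30 00:03:44","198.51.100.7","cPanel","hosting-panel"
"2026-04-30 00:05:10","192.0.2.77","MikroTik","router"
"2026-04-30 00:09:31","192.0.2.10","cPanel","hosting-panel"
'''

VULN_HTTP_CSV = '''"timestamp","ip","port","tag"
"2026-05-10 01:00:00","192.0.2.20","443","wazuh;cve-2026-30893"
"2026-05-10 01:00:05","192.0.2.21","443","wazuh"
"2026-05-10 01:00:09","203.0.113.5","443","cve-2026-30893"
'''

def in_constituency(ip, networks):
    """True if ip parses and falls inside one of our networks."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # malformed address in the feed: skip, do not crash
    return any(addr in net for net in networks)

def triage(csv_text, cidrs, ip_column, column, wanted, multi=False):
    """Return {ip: first_seen_timestamp} for rows where `column` matches
    `wanted` (case-insensitive) and the IP is in one of `cidrs`.
    multi=True treats the column as a semicolon-separated list (assumed)."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(column) or "").lower()
        values = raw.split(";") if multi else [raw]
        if wanted.lower() not in [v.strip() for v in values]:
            continue
        ip = row.get(ip_column) or ""
        if in_constituency(ip, networks):
            hits.setdefault(ip, row.get("timestamp", ""))  # keep first sighting
    return hits
```

The returned IPs from the honeypot reports are the hosts to check for compromise first; those from the tagged scan report are the ones still to patch.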

Thank you to Precursor Security for becoming a Shadowserver Alliance Silver Tier Partner!

Precursor Security delivers pen testing, 24/7 managed SOC, and more. https://www.precursorsecurity.com

Together with our Alliance Partner community, we’ll make the Internet more secure.

We are now scanning daily for CVE-2026-34197 (Apache ActiveMQ Improper Input Validation Vulnerability) which has recently been added to US CISA KEV.

6364 IPs seen vulnerable on 2026-04-19 based on a version check.

Dashboard Tree Map view:
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=activemq&tag=cve-2026-34197%2B&data_set=count&scale=log&auto_update=on

IP data shared in our Accessible ActiveMQ reporting https://www.shadowserver.org/what-we-do/network-reporting/accessible-activemq-service-report/

For Dashboard viewing, select sources 'activemq' and 'cve-2026-34197'

ActiveMQ Security advisory: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt

Background with details from Horizon3.ai https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/

CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197

NVD CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2026-34197