Lightnews — Scholar-powered news

The Shadowserver Foundation

@shadowserver.bsky.social

4.7K followers 0 following 690 posts

Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance! https://shadowserver.org/partner

shadowserver.org

Posts Media Videos Starter Packs

Pinned

The Shadowserver Foundation @shadowserver.bsky.social · Nov 11

Using ELK & interested in automating ingestion of our threat intel for your network/constituency?

We have added support for Elasticsearch Custom Logs integration for our free daily reports API.

Check it out at github.com/The-Shadowse...

1 8 16

The Shadowserver Foundation @shadowserver.bsky.social · 1d

Please let us know of any FPs

We are also in the process of expanding Oracle E-Business Suite exposure, which you can track here: dashboard.shadowserver.org/statistics/i...

Time series · IoT device statistics · The Shadowserver Foundation

dashboard.shadowserver.org

The Shadowserver Foundation @shadowserver.bsky.social · 1d

Tree map: dashboard.shadowserver.org/statistics/c...

Tracker: dashboard.shadowserver.org/statistics/c...

If you receive an alert from us, please assume compromise (see also US CISA KEV list)

Patch info from Oracle:
www.oracle.com/security-ale...

Background: www.ncsc.gov.uk/news/active-...

Tree map · General statistics · The Shadowserver Foundation

dashboard.shadowserver.org

The Shadowserver Foundation @shadowserver.bsky.social · 1d

Oracle E-Business Suite incidents: We have added CVE-2025-61882 scanning & reporting with 576 potential vulnerable IPs found on 2025-10-06. Top affected: USA

IP data in www.shadowserver.org/what-we-do/n...

World map view of likely vulnerable instances: dashboard.shadowserver.org/statistics/c...

1 4 6

The Shadowserver Foundation @shadowserver.bsky.social · 3d

You can track CVE-2025-20333 & CVE-2025-20362 vulnerable (unpatched) Cisco ASA/FTD instances here - dashboard.shadowserver.org/statistics/c...

Around ~45K vulnerable seen on 2025-10-04

1 1 6

The Shadowserver Foundation @shadowserver.bsky.social · 8d

More info & background:
US CISA ED-25-03 Identify and Mitigate Potential Compromise of Cisco Devices: www.cisa.gov/news-events/...

#CyberCivilDefense

ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices | CISA

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-03: Identify and Mitigate Potential

www.cisa.gov

The Shadowserver Foundation @shadowserver.bsky.social · 8d

Tree map view: dashboard.shadowserver.org/statistics/c...

Cisco advisories with patch info:

CVE-2025-20333: sec.cloudapps.cisco.com/security/cen...

CVE-2025-20362:
sec.cloudapps.cisco.com/security/cen...

1 1 2

The Shadowserver Foundation @shadowserver.bsky.social · 8d

Attention!

Cisco ASA/FTD CVE-2025-20333 & CVE-2025-20362 incidents: we are now sharing daily vulnerable Cisco ASA/FTD instances in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...

Over 48.8K unpatched IPs found 2025-09-29. Top affected: US

dashboard.shadowserver.org/statistics/c...

1 4 19

The Shadowserver Foundation @shadowserver.bsky.social · 23d

Dashboard links:

World map distribution of IPs:
dashboard.shadowserver.org/statistics/c...

Tree map view: dashboard.shadowserver.org/statistics/c...

Tracker:
dashboard.shadowserver.org/statistics/c...

#CyberCivilDefense

The Shadowserver Foundation @shadowserver.bsky.social · 23d

To identify these “bad” secrets, we use the badsecrets library from @BlackLanternLLC - github.com/blacklantern...

Please review github.com/blacklantern... for a list of currently supported checks.

Background: blog.blacklanternsecurity.com/p/introducin...

GitHub - blacklanternsecurity/badsecrets: A library for detecting known secrets across many web frameworks

A library for detecting known secrets across many web frameworks - blacklanternsecurity/badsecrets

github.com

1 2

The Shadowserver Foundation @shadowserver.bsky.social · 23d

Last week we released a new daily report type, "Badsecrets Report": www.shadowserver.org/what-we-do/n... (default severity: HIGH)

It identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. 12168 IPs seen (2025-09-14) using "bad" secrets!

1 2 4

The Shadowserver Foundation @shadowserver.bsky.social · Aug 30

#CyberCivilDefense

1 1

The Shadowserver Foundation @shadowserver.bsky.social · Aug 30

CVE-2025-57819 tracker :
dashboard.shadowserver.org/statistics/c...

Compromised FreePBX tracker:
dashboard.shadowserver.org/statistics/c...

Time series · General statistics · The Shadowserver Foundation

dashboard.shadowserver.org

1 1

The Shadowserver Foundation @shadowserver.bsky.social · Aug 30

Check for compromise, patch - community.freepbx.org/t/security-a...

Raw IP data shared for your network in Vulnerable HTTP reporting www.shadowserver.org/what-we-do/n... tagged 'cve-2025-57819'

and

Compromised Website reporting www.shadowserver.org/what-we-do/n... tagged 'freepbx-compromised'

Security Advisory: Please Lock Down Your Administrator Access

The Sangoma FreePBX Security Team is aware of a potential exploit affecting some systems with the administrator control panel exposed to the public internet, and we are working on a fix, with expected...

community.freepbx.org

1 1

The Shadowserver Foundation @shadowserver.bsky.social · Aug 30

FreePBX CVE-2025-57819 (CVSS 10.0) incidents: 6620 unpatched instances seen 2025-08-29, at least 386 compromised.

Dashboard links:
Vulnerable (unpatched): dashboard.shadowserver.org/statistics/c...

Compromised:
dashboard.shadowserver.org/statistics/c...

1 5 11

The Shadowserver Foundation @shadowserver.bsky.social · Aug 29

Citrix NetScaler CVE-2025-7775 patch rate as seen in our scans:

dashboard.shadowserver.org/statistics/c...

dashboard.shadowserver.org/statistics/c...

Down from 28.2K to 12.4K. Europe patching at faster rate than North America

(toggle overlapping/stacked time series on our Dashboard to compare)

1 4 6

The Shadowserver Foundation @shadowserver.bsky.social · Aug 27

IP data is being shared in our Vulnerable HTTP reporting www.shadowserver.org/what-we-do/n... (tagged 'cve-2025-7775')

If you receive an alert from us investigate for compromise

You can track CVE-2025-7775 patching progress on our Dashboard at: dashboard.shadowserver.org/statistics/c...

CRITICAL: Vulnerable HTTP Report | The Shadowserver Foundation

DESCRIPTION LAST UPDATED: 2025-08-26 DEFAULT SEVERITY LEVEL: CRITICAL This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) service running on some port that may have a vulnera...

www.shadowserver.org

2 1

The Shadowserver Foundation @shadowserver.bsky.social · Aug 27

ALERT: On 2025-08-26 over 28K Citrix NetScaler instances were unpatched to CVE-2025-7775 RCE. There is exploitation in the wild confirmed by US CISA KEV.

Patch info: support.citrix.com/support-home...

Top affected: US, Germany

Dashboard geo breakdown: dashboard.shadowserver.org/statistics/c...

1 9 10

The Shadowserver Foundation @shadowserver.bsky.social · Aug 20

These services should not be exposed to the public Internet.

#CyberCivilDefense

The Shadowserver Foundation @shadowserver.bsky.social · Aug 20

Breakdown by GTP type (2025-08-19):
GTP-C-v2 with ~255K IPs seen: dashboard.shadowserver.org/statistics/c...

GTP-C-v1 with ~14K IPs seen:
dashboard.shadowserver.org/statistics/c...

GTP-U with ~18K IPs seen:
dashboard.shadowserver.org/statistics/c...

Tree map · General statistics · The Shadowserver Foundation

dashboard.shadowserver.org

The Shadowserver Foundation @shadowserver.bsky.social · Aug 20

We added a new daily scan report type, Accessible GPRS Tunneling Protocol (GTP) services listing IPs with publicly exposed GTP-C (Core) on port 2123/UDP & GTP-U (User) 2152/UDP.

Report format: www.shadowserver.org/what-we-do/n...

Dashboard World map: dashboard.shadowserver.org/statistics/c...

1 2 3

The Shadowserver Foundation @shadowserver.bsky.social · Aug 19

Tree map breakdown by country (2025-08-15):

Cisco:
dashboard.shadowserver.org/statistics/h...

Linksys:
dashboard.shadowserver.org/statistics/h...

Araknis:
dashboard.shadowserver.org/statistics/h...

Tree map · Attacking devices · The Shadowserver Foundation

dashboard.shadowserver.org

1 1

The Shadowserver Foundation @shadowserver.bsky.social · Aug 19

Relevant Dashboard Attacking Devices trends, with device model breakdown:

Cisco: dashboard.shadowserver.org/statistics/h...

Linksys:
dashboard.xn--shadowserver-o19fa.org/statistics/h...

Araknis:
dashboard.shadowserver.org/statistics/h...

1 1 2

The Shadowserver Foundation @shadowserver.bsky.social · Aug 19

We appreciate all feedback on any investigations as a result of our reports, should you receive one for your network. Check for device_vendor set to Cisco, Linksys or Araknis Networks with different device_model fields.

The Shadowserver Foundation @shadowserver.bsky.social · Aug 19

Since July 30th we are seeing an increase in scans coming from ~2200 compromised Cisco Small Business RV series routers, Linksys LRT series & Araknis Networks (AN-300-RT-4L2W). Top affected: US but also many others.

IP data on these scans shared in www.shadowserver.org/what-we-do/n...

1 3 5

The Shadowserver Foundation @shadowserver.bsky.social · Aug 17

Patch info from N-able: status.n-able.com/2025/08/13/a...

Dashboard CVE-2025-8875/8876 tracker link:

dashboard.shadowserver.org/statistics/c...

#CyberCivilDefense

Announcing the GA of N-central 2025.3.1

We are excited to announce that N-central 2025.3 is now Generally Available. Please use the following links for Release Notes and download: Release Notes 2025.3.1 2025.3.1 Download link(login requi…

status.n-able.com