Media Coverage

Shadowserver in the news

VulnCheck State of Exploitation 2026

VulnCheck, January 21, 2026

In 2025, VulnCheck identified 884 Known Exploited Vulnerabilities (KEVs) for which evidence of exploitation was observed for the first time. Our analysis shows that 28.96% of KEVs in 2025 were exploited on or before the day their CVE was published, an increase from the 23.6% observed in our 2024 trends in exploitation report, highlighting the continued prevalence of both zero-day and n-day exploitation. In 2025, exploitation evidence was first reported by over 100 unique organizations, including security researchers, cybersecurity vendors, and software suppliers. These trends demonstrate that exploitation speed remains consistently high year over year, and that defenders must prioritize visibility into exploited vulnerabilities with timely remediation in order to keep pace with attackers.

Transparency in exploitation disclosure is critical, as it enables consumers to better understand who first reported exploitation and to assess the level of trust they place in each source. Shadowserver remained the leading source for first-to-report exploitation evidence.

New D-Link flaw in legacy DSL routers actively exploited in attacks

Bleeping Computer, January 6, 2026

Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago. The vulnerability is now tracked as CVE-2026-0625 and affects the dnscfg.cgi endpoint due to improper input sanitization in a CGI library. An unauthenticated attacker could leverage this to execute remote commands via DNS configuration parameters.

Vulnerability intelligence company VulnCheck reported the problem to D-Link on December 15, after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots. VulnCheck told BleepingComputer that the technique captured by Shadowserver does not appear to have been publicly documented.

10,000+ Fortinet Firewalls Still Exposed to 5-year Old MFA Bypass Vulnerability

Cyber Security News, January 2, 2026

Over 10,000 Fortinet firewalls worldwide remain vulnerable to CVE-2020-12812, a multi-factor authentication (MFA) bypass flaw disclosed over five and a half years ago. Shadowserver recently added the issue to its daily Vulnerable HTTP Report, highlighting persistent exposure amid active exploitation confirmed by Fortinet in late 2025. Shadowserver’s scans for vulnerable HTTP services on exposed ports confirm the flaw’s persistence. Shadowserver’s dashboard reveals over 10,000 vulnerable instances as of early January 2026. The United States dominates with 1.3K exposed firewalls, followed by Thailand (909), Taiwan (728), Japan (462), and China (462).

RondoDox botnet exploits React2Shell flaw to breach Next.js servers

Bleeping Computer, December 31, 2025

The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks.

A new report from cybersecurity company CloudSEK notes that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later. As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell.

70,000+ MongoDB Servers Vulnerable to MongoBleed Exploit – PoC Released

Cyber Security News, December 30, 2025

A critical vulnerability in MongoDB Server is putting tens of thousands of databases worldwide at risk. Dubbed MongoBleed and tracked as CVE-2025-14847, this high-severity flaw allows unauthenticated attackers to remotely extract sensitive data from server memory without credentials.

The Shadowserver Foundation disclosed updated findings showing 74,854 potentially unpatched MongoDB versions among 78,725 exposed instances detected today. In a post on X, The Shadowserver Foundation warned that the combination of publicly available exploits, more than 70,000 exposed instances, and confirmed active exploitation makes urgent action essential.

Over 125,000 Internet-Exposed WatchGuard Firebox IPs at Risk of Remote Code Execution Attacks

GB Hackers, December 22, 2025

A critical security vulnerability in WatchGuard Firebox devices has left approximately 125,000 internet-exposed systems susceptible to unauthenticated remote code execution attacks. The Shadowserver Foundation identified 124,847 vulnerable IP addresses during scanning operations conducted on December 20, 2025. Shadowserver’s scanning infrastructure detected vulnerable devices across multiple geographic regions, with concentrations in North America, Europe, and Asia-Pacific. Security teams can access detailed vulnerability statistics through Shadowserver’s interactive dashboard, which provides real-time tracking of exposed devices.

25,000+ FortiCloud SSO-Enabled Systems Vulnerable to Remote Exploitation

GB Hackers, December 20, 2025

The Shadowserver Foundation has identified over 25,000 internet-facing Fortinet devices globally with FortiCloud Single Sign-On (SSO) functionality enabled, raising concerns about potential exposure to critical authentication bypass vulnerabilities. The non-profit security organization recently added fingerprinting capabilities for these systems to its Device Identification reporting service, alerting network administrators to verify their security posture immediately.

Shadowserver’s latest scan results reveal at least 25,000 IP addresses worldwide hosting Fortinet devices configured with FortiCloud SSO enabled. Organizations receiving exposure notifications from Shadowserver are urged to verify their patch status and implement security updates without delay.

574 arrests and USD 3 million recovered in coordinated cybercrime operation across Africa

INTERPOL, December 19, 2025

Law enforcement in 19 countries has arrested 574 suspects and recovered approximately USD 3 million in a significant cybercrime operation across Africa. Operation Sentinel focused on three prevalent crime types: business email compromise (BEC), digital extortion and ransomware, all identified as growing threats in INTERPOL’s 2025 Africa Cyber Threat Assessment Report. During the INTERPOL-coordinated initiative, over 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The cases investigated during the month-long operation were linked to estimated financial losses exceeding USD 21 million.

Operation Sentinel was made possible through close coordination with INTERPOL’s private sector partners Team Cymru, The Shadowserver Foundation, Trend Micro, TRM Labs and Uppsala Security. These private sector partnerships provided critical technical support in tracing IP addresses utilized at various stages of the ransomware attack lifecycle and sextortion schemes, as well as assisting in freezing illicit financial assets.

Operation Sentinel was held under the umbrella of the African Joint Operation against Cybercrime (AFJOC), funded by the United Kingdom’s Foreign, Commonwealth and Development Office, and through the Global Action on Cybercrime Enhanced project (GLACY-e), a joint project of the European Union and the Council of Europe.

Hundreds of Cisco customers are vulnerable to new Chinese hacking campaign, researchers say

TechCrunch, December 19, 2025

On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its enterprise customers who use some of the company’s most popular products.

Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation that scans and monitors the internet for hacking campaigns, told TechCrunch that the scale of exposure “seems more in the hundreds rather than thousands or tens of thousands.” Shadowserver has a page where it’s tracking the number of systems that are exposed and vulnerable to the flaw disclosed by Cisco, named officially as CVE-2025-20393.

Compromised Next.js devices weaponized by attackers: thousands remain vulnerable

cybernews, December 8, 2025

Security researchers warn that hundreds of already compromised Next.js devices are hitting honeypots, while tens of thousands of servers remain vulnerable to the critical React vulnerability (CVE-2025-55182). According to the Shadowserver Foundation, a nonprofit security organization, attacks from bot-compromised Next.js assets spiked last Friday, increasing from the usual 100 IP baseline to nearly 1,000.

Currently, Next.js bots are the most active attacking devices tracked by Shadowserver. The number of compromised servers decreased over the weekend as administrators likely secured their systems.