DESCRIPTION LAST UPDATED: 2025-04-29
DEFAULT SEVERITY LEVEL: CRITICAL
This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify to be compromised. The report is meant to cover a broad category of web related compromises. It may include a compromised CMS for example, but also includes devices that we have detected to be compromised with webshells or implants that are accessible via HTTP.
This reason for listing will be provided either in the “tag” or the “category” field of the report. Please also review the “url” and “detail” fields for contextualization. Please note that when attempting to remotely identify a webshell by connecting to a url specified in the report, a 404 reply does not imply that the webshell in fact does not exist. Make sure to investigate on the compromised system side!
As always, there is no guarantee that there are no additional infections or compromises on any IP that we report on. We have seen several different threat actors abusing the same compromised system for different purposes. We recommend investigating systems with the assumption that there are more compromises on the systems than are reported.
The following compromises are being reported:
- SAP NetWeaver instances compromised via CVE-2025-31324 exploitation. This is based on remote webshell detection. For details on the attacks, please read the blog from ReliaQuest and Rapid7. Tagged as
netweaver-compromised. [tagging first added 2025-04-28] - Fortinet devices compromised using previously known but not patched vulnerabilities to deliver a symlink-based persistence mechanism. Tagged as
fortinet-compromised. See Fortinet’s Advisory for for mitigation steps (also CISA Advisory, ACSC Advisory, CERT.NZ Advisory). Statistics available on our public Dashboard. [tagging first added 2025-04-11] - Murdoc botnet compromised devices (AVTECH devices). Tagged as
murdoc-botnet. See https://blog.qualys.com/vulnerabilities-threat-research/2025/01/21/mass-campaign-of-murdoc-botnet-mirai-a-new-variant-of-corona-mirai. [tagging first added 2025-02-04] - Ivanti Connect Secure devices compromised as a result of multiple (we believe) campaigns. In some cases this may be related to CVE-2025-0282 but likely older or other activity may be involved as well. Compromised devices are detected by scans using a methodology suggested by NCSC.FI. These are tagged
backdoor;ivanti-connect-secure. We initially includedcve-2025-0282as part of the tags but this has been removed as of 2025-01-23. If you receive an alert from us, please make sure to check for compromise in the path shared (and elsewhere). You can also follow CISA’s mitigation advice. You can track results on our Dashboard. [tagging first added 2025-01-21] - Fortinet devices (Fortigate Management Interface CVE-2022-40684 related compromises). This is based on data published by Belsen Group after it was announced on Breach Forums. Events are tagged as
fortinet-exfil;cve-2024-55591as it was initially (mistakenly) assumed this data was from exploitation of CVE-2024-55591 when it should be CVE-2022-40684. One event per file exfiled, including size in bytes and sha256 hash. If vpn credentials were exfiled, usernames will be listed underaccounts. This is a one-off dataset only that has been shared once 2025-01-15. For additional context on the Fortigate attacks, see https://www.fortiguard.com/psirt/FG-IR-22-377, https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684 and https://www.truesec.com/hub/blog/fortinet-cve-2022-40684-vulnerability-from-an-incident-response-perspective [tagging first added 2025-01-14] - Palo Alto Networks devices (PAN-OS Management Interface CVE-2024-0012 related compromises). This is based on a query detecting compromise related artefacts. Events tagged as “panos-compromised“. For additional context on PAN-OS attacks, see https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/ [tagging first added 2024-10-26].
- Samsung Techwin Network Video Recorder (NVR) Web Viewer devices compromised with a webshell. Check for webshell file named
update.phpin the/root/webviewer/directory. Events tagged as “http;samsung-techwin-nvr-web-viewer;webshell“. See our Dashboard tracker for latest scan results. [tagging first added 2024-09-26] - TellYouThePass ransomware compromised devices from PHP CVE-2024-4577 exploitation campaigns. See: Imperva article on and BleepingComputer article [tagging added 2024-06-19]
- Qlik Sense instances that have been compromised by the Cactus ransomware group (as a result of CVE-2023-48365, CVE-2023-41265, CVE-2023-41266 exploitation campaigns. Please find the details at “Sifting through the spines: identifying (potential) Cactus ransomware victims” blog by Fox-IT. Compromised instances are determined remotely by checking for the presence of files with
.ttfor.wofffile extension. Tagged as “injected-code;qliksense;ssl;webshell“. See our Dashboard tracker for latest scan results. [tagging first added 2024-04-25] - Ivanti Connect Secure VPN devices that have signs of compromise (observed backdoor activity) as a result of CVE-2024-21893 attack campaigns. These checks are based on this Orange Cyberdefense publication. Tagged as “backdoor-activity;ivanti-connect-secure“. See our Dashboard tracker for latest scan results. [tagging added 2024-02-09]
- Ivanti Connect Secure VPN devices with injected credential stealer code installed as part of CVE-2024-21887 and CVE-2023-46805 attack campaigns. Tagged as “ivanti-connect-secure;credential-stealer;injected-code“. See our Dashboard tracker for latest scan results.
- Ivanti Connect Secure VPN devices: GIFTEDVISITOR webshell variant installed as part of CVE-2024-21887 and CVE-2023-46805 exploitation campaign as discovered by Volexity. Data shared in collaboration with Volexity. Tagged “ivanti-connect-secure;webshell“. See our Dashboard tracker for latest scan results. If you received a report on your network/constituency, please check out the suggested recovery steps from Ivanti (and investigate your network for wider possible compromise).
- Device implants installed as part of the Cisco IOS XE compromises described in the Cisco Talos blog Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities. This is tagged “device-implant“
- Citrix webshells installed as part of CVE-2023-3519 exploitation campaigns (please see Technical Summary of Observed Citrix CVE-2023-3519 Incidents and Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. Tagged “citrix” and “webshell“.
- Citrix code-injections, also installed as part of CVE-2023-3519 exploitation campaigns and used for credential harvesting (please see the IBM X-Force writeup). Tagged “citrix” and “injected-code“, with “detail” specifying also the detected injected domain used to steal credentials.
- Webservers compromised by StealRat, tagged “hacked-webserver-stealrat-t1” or “redirecting-to-stealrat-t1“.
You can track current compromised website detections on our Dashboard, by selecting compromised_website or compromised_website6 as a source. You can view specific detection types by selecting the tags, for example, all current Citrix compromises.
You can learn more on the report in our Compromised Website Report tutorial.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
This report comes in two versions – for IPv4 and IPv6.
Severity levels are described here.
Filename(s): compromised_website, compromised_website6