Media Coverage

Shadowserver in the news

Over 1,200 Citrix servers unpatched against critical auth bypass flaw

Bleeping Computer, June 30, 2025

Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions. On Monday, security analysts from the internet security nonprofit Shadowserver Foundation reported that, over the weekend, they had found 2,100 appliances still vulnerable to CVE-2025-5777 attacks. Shadowserver also found over 2,100 NetScaler appliances unpatched against another critical vulnerability (CVE-2025-6543), now actively exploited in denial-of-service (DoS) attacks.


New Common Good Cyber Fund Launches to Strengthen Internet Security Globally

Common Good Cyber, June 23, 2025

The Internet Society (ISOC) and Global Cyber Alliance (GCA), on behalf of the Common Good Cyber secretariat, today announce the launch of the Common Good Cyber Fund, an initiative to strengthen global cybersecurity by supporting nonprofits that deliver core cybersecurity services that protect civil society actors at high risk and the Internet as a whole. The Common Good Cyber secretariat members working to address this challenge are: Global Cyber Alliance, Cyber Threat Alliance, CyberPeace Institute, Forum of Incident Response and Security Teams, Global Forum on Cyber Expertise, Institute for Security and Technology, and Shadowserver Foundation.

In a Joint Statement Between the Prime Minister of the United Kingdom and the Prime Minister of Canada on June 15, 2025, the Prime Ministers announced that they would both invest in the Joint Canada-UK Common Good Cyber Fund.

84,000+ Roundcube Webmail Installations Vulnerable to Remote Code Execution Attacks

Cyber Security News, June 10, 2025

A critical security vulnerability affecting Roundcube webmail installations has exposed over 84,000 systems worldwide to remote code execution attacks. The Shadowserver Foundation has been actively monitoring and reporting instances of Roundcube installations affected by CVE-2025-49113 over the past several days. The Shadowserver Foundation’s dashboard visualization reveals clustering patterns that suggest both widespread deployment of Roundcube installations and varying levels of security maintenance across different regions.

U.S. Government seizes approximately 145 criminal marketplace domains

US Department of Justice, June 4, 2025

The U.S. Attorney’s Office for the Eastern District of Virginia announced today the seizure of approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace. The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information. The BidenCash marketplace had grown to support over 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated over $17 million in revenue during its operations.

The BidenCash marketplace domains will no longer be operational and will be redirected to a U.S. law enforcement-controlled server, preventing future criminal activity on these sites. The Department of Justice thanks the Dutch National High Tech Crime Unit, The Shadowserver Foundation and Searchlight Cyber for their assistance with the investigation.

Latrodectus malware detected on over 44,000 IP addresses

cybernews, May 30, 2025

Over 44,000 IP addresses were infected with the dangerous Latrodectus malware, which is used to deploy banking trojans, before a law enforcement takedown during this month’s Operation Endgame, new data reveals. Operation Endgame is an ongoing, long-term, large-scale operation conducted jointly by law enforcement agencies around the world. Shadowserver Foundation, a nonprofit security organization, has shared a special report on its tracking of the infected machines. Shadowserver shares the report with internet service providers, network owners, and other organizations, which helps to clean up infected devices.

“The data in this IcedID/Latrodectus Historical Bot Infections Special Report was provided to Shadowserver by the Operation Endgame Law Enforcement partners to disseminate to National CERTs/CSIRTs and network owners globally, to maximize remediation efforts,” Shadowserver explains.

16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide

US Department of Justice, May 22, 2025

A federal grand jury indictment and criminal complaint unsealed today charge 16 defendants who allegedly developed and deployed the DanaBot malware, which a Russia-based cybercrime organization controlled and deployed; it infected more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damage. According to the indictment and complaint, DanaBot malware used a variety of methods to infect victim computers, including spam email messages containing malicious attachments or hyperlinks.

As part of today’s operation, Defense Criminal Investigative Service (DCIS) agents effected seizures and takedowns of DanaBot command and control servers, including dozens of virtual servers hosted in the United States. The U.S. government is now working with partners including the Shadowserver Foundation to notify DanaBot victims and help remediate infections.

Active Exploitation of Ivanti EPMM Zero-Day Vulnerability in the Wild

GB Hackers, May 19, 2025

Security researchers at The Shadowserver Foundation have identified active exploitation attempts targeting a critical zero-day vulnerability in Ivanti’s Enterprise Mobility Management (EPMM) platform. The Shadowserver Foundation has deployed specialized honeypot sensors to track and analyze exploitation attempts targeting these vulnerabilities in real-time. Shadowserver Foundation continues to provide updated statistics and monitoring data to help security teams and researchers track this evolving threat landscape and better protect vulnerable systems from exploitation. The collected data is made publicly available through Shadowserver’s Dashboard, which displays time-series information about exploitation attempts, including source IP addresses, attack frequency, and targeting patterns.

Actionable Cybersecurity for NGOs: The Stories of the Heroes Safeguarding those who Safeguard us

Nonprofit Cyber, May 7, 2025

Nonprofits and NGOs serve as the backbone of social progress, often working on the frontlines of critical global challenges. Yet as they champion human rights, health, education, and humanitarian aid, they are increasingly vulnerable to cyber threats that can jeopardize their missions. Fortunately, a growing network of nonprofit cybersecurity organizations is stepping up to protect those who protect us—with free, affordable, and tailored solutions that respond directly to these challenges.

Together, Shadowserver and CyberPeace Institute are demonstrating how affordable, proactive, and tailored cybersecurity support can be both scalable and deeply impactful—especially when rooted in local partnerships and a shared mission to protect civil society.

Attacked SAP flaw: Hundreds of vulnerable servers in the network

Heise Online, April 29, 2025

SAP patched a security vulnerability in SAP NetWeaver on Friday. It later emerged that this vulnerability is already being attacked in the wild. The vulnerability allows network-based attackers to inject and execute arbitrary code without prior login. IT researchers at the Shadowserver Foundation have discovered hundreds of vulnerable systems that are still accessible.

2025 Q1 Trends in Vulnerability Exploitation

VulnCheck, April 24, 2025

In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.

Top contributors to disclosing exploitation evidence publicly included: Shadowserver (31), GreyNoise (17), CISA KEV (12), Microsoft (12), Sentinel One (10), Cyble (9), Patchstack (6) and Secure List (5).