Media Coverage

Shadowserver in the news

African authorities dismantle massive cybercrime and fraud networks, recover millions

INTERPOL, August 22, 2025

In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims. The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation. Operation Serengeti 2.0 (June to August 2025) brought together investigators from 18 African countries and the United Kingdom to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC).

The operation was strengthened by private sector collaboration, with partners providing intelligence, guidance and training to help investigators act on intelligence and identify offenders effectively. Operation Serengeti 2.0 was held under the umbrella of the African Joint Operation against Cybercrime, funded by the United Kingdom’s Foreign, Commonwealth and Development Office.

Operational partners:
Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs and Uppsala Security.

Participating countries:
Angola, Benin, Cameroon, Chad, Côte D’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.

Attacks on N-able N-central ongoing, more than 1000 systems unpatched

Heise Online, August 19, 2025

Two security vulnerabilities have been discovered in N-central, the remote monitoring and management (RMM) software from N-able, which allow attackers to inject operating system commands or execute injected malicious code. Over the weekend, The Shadowserver Foundation published an evaluation of its Internet scans on X. According to it, 1077 IP addresses were still affected by the vulnerabilities CVE-2025-8875 and CVE-2025-8876 as of last Friday. Last week, the US IT security agency CISA added the vulnerabilities to its “Known Exploited Vulnerabilities” catalog.

Surge in Scans From Hacked Cisco, Linksys, and Araknis Routers

GB Hackers, August 19, 2025

Cybersecurity researchers have identified a significant increase in malicious scanning activities originating from compromised consumer and enterprise networking equipment, with particular focus on Cisco, Linksys, and Araknis router models. The Shadowserver Foundation, a prominent threat intelligence organization, has reported observing unusual scanning patterns that suggest widespread compromise of these networking devices.

Over 28,000 Microsoft Exchange Servers Exposed Online to CVE-2025-53786 Vulnerability

GB Hackers, August 9, 2025

The cybersecurity community faces a significant threat as scanning data reveals over 28,000 unpatched Microsoft Exchange servers remain exposed on the public internet, vulnerable to a critical security flaw designated CVE-2025-53786. The vulnerability affects Microsoft Exchange Server hybrid deployments, with scanning data from The Shadowserver Foundation identifying the United States, Germany, and Russia as the top three countries harboring the highest concentrations of exposed vulnerable servers. The Cybersecurity and Infrastructure Security Agency (CISA) has assessed this as a high-severity vulnerability with significant implications for enterprise security.

17K+ SharePoint Servers Exposed to Internet – 840 Servers Vulnerable to 0-Day Attacks

Cyber Security News, July 31, 2025

A massive exposure of Microsoft SharePoint servers to internet-based attacks has been identified, with over 17,000 servers exposed and 840 specifically vulnerable to the critical zero-day vulnerability CVE-2025-53770, according to new findings from Shadowserver Foundation.

Several U.S. federal agencies have been confirmed as victims, including the Department of Energy’s National Nuclear Security Administration, the Department of Homeland Security, the Department of Health and Human Services, and the Department of Education. State and local government agencies have also been impacted across the country.

State of Exploitation - A Look Into The 1H-2025 Vulnerability Exploitation & Threat Activity

VulnCheck, July 30, 2025

In the first half of 2025, evidence of exploitation for the 432 KEVs added to VulnCheck was first observed across more than 74 unique sources, highlighting the importance of broad source coverage for the earliest possible detection of exploitation. For comparison, see the 1H-2024 state of exploitation report.

Before publishing this article, VulnCheck produced a blog about Auditing ShadowServer for Unassigned CVEs. They said: “We performed an extensive audit of ShadowServer’s daily detection snapshots. During this process, we identified vulnerabilities with active detections but no associated CVE ID, a major blind spot for defenders relying on structured vulnerability intelligence. Rather than let these gaps persist, we tracked down the original advisories and/or exploit proof-of-concepts and issued CVEs ourselves. In total, we contributed 30+ new CVEs through this audit process where exploitation evidence existed.”

Microsoft server hack hit about 100 organizations, researchers say

Reuters, July 22, 2025

A sweeping cyber espionage operation targeting Microsoft server software had compromised about 100 organizations as of the weekend, two of the organizations that helped uncover the campaign said on Monday. Microsoft on Saturday issued an alert about “active attacks” on self-hosted SharePoint servers, which organizations widely use to share documents and collaborate internally. Vaisha Bernard, the chief hacker at Eye Security, a Netherlands-based cybersecurity firm that discovered the hacking campaign targeting one of its clients on Friday, said that an internet scan carried out with the Shadowserver Foundation had uncovered nearly 100 victims altogether – and that was before the technique behind the hack was widely known.

New CrushFTP Critical Vulnerability Exploited in the Wild

Infosecurity Magazine, July 21, 2025

At least 10,000 CrushFTP instances are vulnerable to a critical flaw in the file transfer solution that is currently being exploited by attackers, according to cybersecurity experts. The vulnerability, tracked as CVE-2025-54309, involves a mishandling of AS2 validation in all versions of CrushFTP servers prior to 10.8.5 and prior to 11.3.4_23. It can be exploited when the demilitarized zone (DMZ) proxy feature is not used. On July 21, the Shadowserver Foundation reported observing 1040 unpatched CrushFTP instances, with the top affected countries being the US, Germany and Canada.

FortiWeb Systems Compromised via Webshells After Public PoC Release

GB Hackers, July 17, 2025

A widespread cyberattack campaign has compromised dozens of Fortinet FortiWeb instances through webshell deployment, exploiting a critical vulnerability for which proof-of-concept code became publicly available just days ago. The attacks center on CVE-2025-25257. The Shadowserver Foundation, a prominent threat monitoring organization, has been tracking the exploitation campaign since it began on July 11. Its latest data reveals concerning statistics about the scope of compromised systems.

Global operation targets NoName057(16) pro-Russian cybercrime network

Europol, July 16, 2025

Between 14 and 17 July, a joint international operation, known as Eastwood and coordinated by Europol and Eurojust, targeted the cybercrime network NoName057(16). Law enforcement and judicial authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the United States took simultaneous actions against offenders and infrastructure belonging to the pro-Russian cybercrime network. The investigation was also supported by ENISA, as well as Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine. The private parties ShadowServer and abuse.ch also assisted in the technical part of the operation.