Media Coverage

Cisco has confirmed two serious vulnerabilities impacting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. Tracked as CVE-2025-20333 and CVE-2025-20362, both issues allow attackers to run arbitrary code on unpatched devices. Cisco security advisories warn that exploits for both flaws are already in the wild. Shadowserver’s daily vulnerable HTTP report now includes a live list of ASA/FTD instances susceptible to these 0-day bugs. On September 29, security researchers discovered 48,800+ publicly reachable IPs still running outdated firewall versions. Network teams should subscribe for daily updates and cross-check their public IP ranges against Shadowserver’s list.

Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT’s License Servlet that can be exploited in command injection attacks. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files. Security analysts at the nonprofit Shadowserver Foundation are monitoring over 470 GoAnywhere MFT instances. However, it is unclear how many of these have already been patched or have their admin console exposed online.

Hackers are increasingly using a new AI-powered offensive security framework called HexStrike-AI in real attacks to exploit newly disclosed n-day flaws. According to ShadowServer Foundation’s data, nearly 8,000 endpoints remain vulnerable to CVE-2025-7775 as of September 2, 2025, down from 28,000 the previous week. This activity is reported by CheckPoint Research, which observed significant chatter on the dark web around HexStrike-AI, associated with the rapid weaponization of newly disclosed Citrix vulnerabilities.

Experts at the Shadowserver Foundation warn that more than 28,200 Citrix instances are vulnerable to the vulnerability CVE-2025-7775, which is under active exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Citrix NetScaler flaw to its Known Exploited Vulnerabilities (KEV) catalog. Shadowserver Foundation researchers reported that most of the vulnerable instances are located in the United States (10,100), followed by Germany (4,300), the United Kingdom (1,400), the Netherlands (1,300), and Switzerland (1,300).

In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims. The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation. Operation Serengeti 2.0 (June to August 2025) brought together investigators from 18 African countries and the United Kingdom to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC).

The operation was strengthened by private sector collaboration, with partners providing intelligence, guidance and training to help investigators act on intelligence and identify offenders effectively. Operation Serengeti 2.0 was held under the umbrella of the African Joint Operation against Cybercrime, funded by the United Kingdom’s Foreign, Commonwealth and Development Office.

Operational partners:
Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs and Uppsala Security.

Participating countries:
Angola, Benin, Cameroon, Chad, Côte D’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.

Two security vulnerabilities have been discovered in the remote monitoring and management software (RMM) N-central from N-able, which allow attackers to inject commands into the operating system or execute malicious code that has been smuggled in. The Shadowserver Foundation published an evaluation of the Internet scans for X on the weekend. According to this, 1077 IP addresses were vulnerable to the vulnerabilities CVE-2025-8875 and CVE-2025-8876 last Friday. Last week, the US IT security authority CISA included the vulnerabilities in the “Known Exploited Vulnerabilities” catalog.

Cybersecurity researchers have identified a significant increase in malicious scanning activities originating from compromised consumer and enterprise networking equipment, with particular focus on Cisco, Linksys, and Araknis router models. The Shadowserver Foundation, a prominent threat intelligence organization, has reported observing unusual scanning patterns that suggest widespread compromise of these networking devices.

The cybersecurity community faces a significant threat as scanning data reveals over 28,000 unpatched Microsoft Exchange servers remain exposed on the public internet, vulnerable to a critical security flaw designated CVE-2025-53786. The vulnerability affects Microsoft Exchange Server hybrid deployments, with scanning data from The Shadowserver Foundation identifying the United States, Germany, and Russia as the top three countries harboring the highest concentrations of exposed vulnerable servers. The Cybersecurity and Infrastructure Security Agency (CISA) has assessed this as a high-severity vulnerability with significant implications for enterprise security.

A massive exposure of Microsoft SharePoint servers to internet-based attacks has been identified, with over 17,000 servers exposed and 840 specifically vulnerable to the critical zero-day vulnerability CVE-2025-53770, according to new findings from Shadowserver Foundation.

Several U.S. federal agencies have been confirmed as victims, including the Department of Energy’s National Nuclear Security Administration, the Department of Homeland Security, the Department of Health and Human Services, and the Department of Education. State and local government agencies have also been impacted across the country.

In the first half of 2025, evidence of exploitation for the 432 KEVs added to VulnCheck was first observed across more than 74 unique sources, highlighting the importance of having broad source coverage to ensure the earliest detection of exploitation. A comparison can be seen from the 1H-2024 state of exploitation report.

Before publishing this article, VulnCheck produced a blog about Auditing ShadowServer for Unassigned CVEs. They said: We performed an extensive audit of ShadowServer’s daily detection snapshots. During this process, we identified vulnerabilities with active detections but no associated CVE ID, a major blind spot for defenders relying on structured vulnerability intelligence. Rather than let these gaps persist, we tracked down the original advisories and/or exploit proof-of-concepts and issued CVEs ourselves. In total, we contributed 30+ new CVEs through this audit process where exploitation evidence existed.