Media Coverage

Shadowserver in the news

Over 125,000 Internet-Exposed WatchGuard Firebox IPs at Risk of Remote Code Execution Attacks

GB Hackers, December 22, 2025

A critical security vulnerability in WatchGuard Firebox devices has left approximately 125,000 internet-exposed systems susceptible to unauthenticated remote code execution attacks. The Shadowserver Foundation identified 124,847 vulnerable IP addresses during scanning operations conducted on December 20, 2025. Shadowserver’s scanning infrastructure detected vulnerable devices across multiple geographic regions, with concentrations in North America, Europe, and Asia-Pacific. Security teams can access detailed vulnerability statistics through Shadowserver’s interactive dashboard, which provides real-time tracking of exposed devices.

25,000+ FortiCloud SSO-Enabled Systems Vulnerable to Remote Exploitation

GB Hackers, December 20, 2025

The Shadowserver Foundation has identified over 25,000 internet-facing Fortinet devices globally with FortiCloud Single Sign-On (SSO) functionality enabled, raising concerns about potential exposure to critical authentication bypass vulnerabilities. The non-profit security organization recently added fingerprinting capabilities for these systems to its Device Identification reporting service, alerting network administrators to verify their security posture immediately.

Shadowserver’s latest scan results reveal at least 25,000 IP addresses worldwide hosting Fortinet devices configured with FortiCloud SSO enabled. Organizations receiving exposure notifications from Shadowserver are urged to verify their patch status and implement security updates without delay.

574 arrests and USD 3 million recovered in coordinated cybercrime operation across Africa

INTERPOL, December 19, 2025

Law enforcement agencies in 19 countries have arrested 574 suspects and recovered approximately USD 3 million in a significant cybercrime operation across Africa. Operation Sentinel focused on three prevalent crime types: business email compromise (BEC), digital extortion and ransomware, all identified as growing threats in INTERPOL’s 2025 Africa Cyber Threat Assessment Report. During the INTERPOL-coordinated initiative, over 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The cases investigated during the month-long operation were linked to estimated financial losses exceeding USD 21 million.

Operation Sentinel was made possible through close coordination with INTERPOL’s private sector partners Team Cymru, The Shadowserver Foundation, Trend Micro, TRM Labs and Uppsala Security. Partnerships with the private sector provided critical technical support in tracing IP addresses utilized at various stages of the ransomware attack lifecycle and sextortion schemes, as well as assisting in freezing illicit financial assets.

Operation Sentinel was held under the umbrella of the African Joint Operation against Cybercrime (AFJOC), funded by the United Kingdom’s Foreign, Commonwealth and Development Office, and through the Global Action on Cybercrime Enhanced project (GLACY-e), a joint project of the European Union and the Council of Europe.

Hundreds of Cisco customers are vulnerable to new Chinese hacking campaign, researchers say

TechCrunch, December 19, 2025

On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its enterprise customers who use some of the company’s most popular products.

Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation that scans and monitors the internet for hacking campaigns, told TechCrunch that the scale of exposure “seems more in the hundreds rather than thousands or tens of thousands.” Shadowserver has a page where it’s tracking the number of systems that are exposed and vulnerable to the flaw disclosed by Cisco, named officially as CVE-2025-20393.

Compromised Next.js devices weaponized by attackers: thousands remain vulnerable

cybernews, December 8, 2025

Security researchers warn that hundreds of already compromised Next.js devices are hitting honeypots, while tens of thousands of servers remain vulnerable to the critical React vulnerability (CVE-2025-55182). According to the Shadowserver Foundation, a nonprofit security organization, attacks from bot-compromised Next.js assets spiked last Friday, increasing from the usual 100 IP baseline to nearly 1,000.

Currently, Next.js bots are the most active attacking devices tracked by Shadowserver. The number of compromised servers decreased over the weekend as administrators likely secured their systems.

Lessons from Oracle E-Business Suite Hack That Allegedly Compromises Nearly 30 Organizations Worldwide

Cyber Security News, November 20, 2025

A sophisticated cyberattack targeting Oracle E-Business Suite (EBS) customers has exposed critical vulnerabilities in enterprise resource planning systems, compromising an estimated 100 organizations worldwide between July and October 2025. The campaign, attributed to the notorious Clop ransomware group and linked to the financially motivated threat actor FIN11, exploited a zero-day vulnerability, CVE-2025-61882, to achieve unauthenticated remote code execution on internet-facing EBS portals.

Shadowserver researchers released data on October 8, 2025, showing 576 potentially vulnerable IP addresses based on internet scanning for the zero-day vulnerability. This figure represents only internet-exposed Oracle EBS instances and does not account for organizations that may have been compromised but maintained the systems behind firewalls or other network security controls.

End of the game for cybercrime infrastructure: 1025 servers taken down

Europol, November 13, 2025

Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers, Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was also arrested in Greece on 3 November 2025.

The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States to tackle ransomware enablers. More than 30 national and international public and private parties are supporting the actions. Important contributions were made by the following private partners: Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, Crowdstrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix and Bitdefender.

Specialists of the State Special Communications Service shared their experience in protecting critical infrastructure at the OSCE regional training

GOV.UA, October 29, 2025

Specialists of the State Service for Special Communications participated in the OSCE regional training for Ukraine and Moldova, dedicated to increasing the effectiveness of the implementation of confidence-building measures in the field of cybersecurity and information and communication technologies (ICT) security. During the event, representatives of the State Service for Special Communications shared with international partners best practices in the field of critical infrastructure protection at the national level. They informed participants about key methods and results of responding to cyberattacks carried out against Ukraine in the context of full-scale armed aggression.

In addition to representatives from Ukraine and Moldova, experts from Romania, Belgium, Germany, and a representative of The Shadowserver Foundation were invited as speakers.

CISA orders feds to patch Windows Server WSUS flaw used in attacks

Bleeping Computer, October 27, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to patch a critical-severity Windows Server Update Services (WSUS) vulnerability after adding it to its catalog of security flaws exploited in attacks.

The Shadowserver Internet watchdog group is tracking over 2,800 WSUS instances with the default ports (8530/8531) exposed online, though it didn’t say how many are already patched.

71,000+ WatchGuard Devices Vulnerable to Remote Code Execution Attacks

Cyber Security News, October 21, 2025

The Shadowserver Foundation has uncovered more than 71,000 internet-exposed WatchGuard devices running vulnerable versions of Fireware OS. The Shadowserver Foundation, a nonprofit dedicated to scanning for internet vulnerabilities, began sharing daily IP data on affected WatchGuard devices this week. Shadowserver’s data, available through their Vulnerable ISAKMP reporting portal, includes anonymized IP addresses to help network defenders identify and remediate their own exposures.