Media Coverage

Security researchers at The Shadowserver Foundation have identified active exploitation attempts targeting a critical zero-day vulnerability in Ivanti’s Enterprise Mobility Management (EPMM) platform. The Shadowserver Foundation has deployed specialized honeypot sensors to track and analyze exploitation attempts targeting these vulnerabilities in real-time. Shadowserver Foundation continues to provide updated statistics and monitoring data to help security teams and researchers track this evolving threat landscape and better protect vulnerable systems from exploitation. The collected data is made publicly available through Shadowserver’s Dashboard, which displays time-series information about exploitation attempts, including source IP addresses, attack frequency, and targeting patterns.

Nonprofits and NGOs serve as the backbone of social progress, often working on the frontlines of critical global challenges. Yet as they champion human rights, health, education, and humanitarian aid, they are increasingly vulnerable to cyber threats that can jeopardize their missions. Fortunately, a growing network of nonprofit cybersecurity organizations is stepping up to protect those who protect us—with free, affordable, and tailored solutions that respond directly to these challenges.

Together, Shadowserver and CyberPeace Institute are demonstrating how affordable, proactive, and tailored cybersecurity support can be both scalable and deeply impactful—especially when rooted in local partnerships and a shared mission to protect civil society.

SAP patched a security vulnerability in SAP Netweaver on Friday. It later emerged that this leak is already being attacked in the wild. The vulnerability allows attackers from the network to inject and execute arbitrary code without prior login. IT researchers at the Shadowserver Foundation have discovered hundreds of vulnerable systems that are still accessible.

In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.

Top contributors to disclosing exploitation evidence publicly included: Shadowserver (31), GreyNoise (17), CISA KEV (12), Microsoft (12), Sentinel One (10), Cyble (9), Patchstack (6) and Secure List (5).

Hackers retain access to over 14,000 Fortinet VPNs, public scans by Shadowserver Foundation have revealed. And they could’ve been lurking for years, leaving sensitive data at risk. Fortinet explains that threat actors are using a post-exploitation technique to create malicious files from previously known Fortinet vulnerabilities, including CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475. Fortinet also said it performed scans to identify compromised devices using internal telemetry and in collaboration with third-party organizations. The company also communicated directly with identified customers.

Shadowserver Foundation scans discovered around 14,300 infected Fortinet devices publicly exposed to the internet. Most of them, around 1,500, are in the US, followed by Japan (600), Taiwan (600), China (500), France (500). Over three hundred compromised FortiOS devices were also discovered in Thailand, Turkey, Israel, Italy, Canada, India, Spain, Indonesia, and Malaysia.

“It is critically important for all organizations to keep their devices up to date. A variety of government organizations have reported that state-sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities,” Fortinet warns.

Over 5,113 Ivanti Connect Secure VPN appliances remain unpatched and vulnerable to the active exploitation of CVE-2025-22457, a critical stack-based buffer overflow vulnerability that enables remote code execution (RCE). The Shadowserver Foundation’s recent scans revealed widespread exposure, with devices spanning multiple countries, including the United States, Japan, China, and Australia. They highlight numerous organizations that remain vulnerable despite available patches and active exploitation.

A recently disclosed security vulnerability in CrushFTP, identified as CVE-2025-2825, has become the target of active exploitation attempts following the release of publicly available proof-of-concept (PoC) exploit code. Shadowserver Foundation, a reputable cybersecurity monitoring organization, disclosed the alarming surge in attacks based on the PoC via their official announcement on X. Shadowserver’s dashboard tracking shows a spike in exploitation attempts globally, reflecting the widespread interest among attackers in leveraging the vulnerability. Shadowserver’s analysis serves as a wake-up call for organizations using CrushFTP to patch their systems promptly and strengthen their defensive measures.

A record five million devices, mostly Android TV boxes, are running malware that can no longer call back to hackers after authorities cut off their controllers. However, the devices are still dangerous, and owners should replace them.

Shadowserver Foundation, a UK government-funded internet security platform, tracks around five million IP addresses “sinkholed” every day. Just weeks ago, the number was closer to 2.5 million, representing a two-fold jump since the beginning of March. Sinkholing is a technique where malicious servers are taken over, or connections are redirected to a benign listener, preventing bots from communicating with their operators. Shadowserver tracks the numbers across 400 different malware family variants.

Hackers are already exploiting three critical zero-days affecting VMware ESXi virtualization software. Public scans reveal that as of March 5th, 2025, at least 41,450 servers and systems were exposed, leaving businesses worldwide vulnerable. ShadowServer Foundation, a nonprofit security organization, is tracking vulnerable ESXi instances.

HUMAN’s Satori Threat Intelligence and research team has uncovered and—in collaboration with Google, Trend Micro, Shadowserver, and other partners—partially disrupted a sprawling and complex cyberattack dubbed BADBOX 2.0. BADBOX 2.0 is a major adaptation and expansion of the Satori team’s 2023 BADBOX disclosure, and is the largest botnet made up of infected connected TV (CTV) devices ever uncovered.