Media Coverage

Shadowserver in the news

Hackers siege Ivanti EPMM with thousands of IPs, dozens of organizations compromised

cybernews, February 10, 2026

Hackers have launched an unprecedented scanning operation, employing tens of thousands of IP addresses to hunt for vulnerable Ivanti Endpoint Manager Mobile (EPMM) instances. Dozens of organizations have already been compromised. Shadowserver reports over 1,200 exposed Ivanti EPMM instances worldwide without vulnerability assessment – it’s unclear how many remain vulnerable. Most instances are likely not directly exposed to the internet, as network administrators typically deploy them behind corporate firewalls.

“The massive attempt, via a botnet or residential proxy network, maybe, is quite unprecedented,” Piotr Kijewski, CEO at The Shadowserver Foundation, told Cybernews.

170+ SolarWinds Help Desk Installations Vulnerable to RCE Attacks Exposed Online

Cyber Security News, February 5, 2026

Over 170 SolarWinds Web Help Desk installations remain vulnerable to a critical remote code execution (RCE) flaw that has been actively exploited in the wild and recently added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2025-40551, carries a CVSS score of 9.8. The Shadowserver Foundation has been tracking and reporting vulnerable SolarWinds Help Desk installations through its Vulnerable HTTP reports, identifying approximately 170 exposed instances based on version checks.

Critical flaws in Ivanti EPMM lead to fast-moving exploitation attempts

Cybersecurity Dive, February 3, 2026

Ivanti issued advisories Thursday for the code injection flaws, which impact the on-premises version of Ivanti EPMM. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, allow an attacker to achieve remote code execution if successfully exploited. The flaws have a severity score of 9.8.

On Saturday, researchers from the Shadowserver Foundation reported a spike in exploitation attempts against CVE-2026-1281. As of Tuesday, exposure has dropped to 1,400, but threat activities were still ongoing, “which include attempts to execute callbacks or set up reverse shells,” Shadowserver CEO Piotr Kijewski told Cybersecurity Dive.

Over 6,000 SmarterMail servers exposed to automated hijacking attacks

Bleeping Computer, January 27, 2026

Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability. Cybersecurity company watchTowr reported the security flaw to developer SmarterTools on January 8, which released a fix on January 15 without assigning an identifier. The vulnerability was later assigned CVE-2026-23760 and rated critical severity.

On Monday, Shadowserver revealed that it’s tracking over 6,000 SmarterMail servers (more than 4,200 across North America and nearly 1,000 in Asia) flagged as “likely vulnerable” to ongoing CVE-2026-23760 attacks. CISA added CVE-2026-23760 to its list of actively exploited vulnerabilities.

PoC Released for GNU InetUtils telnetd RCE as 800K+ Exposed Instances Remain Online

GB Hackers, January 26, 2026

A proof-of-concept exploit for CVE-2026-24061, a critical remote code execution vulnerability in the GNU Inetutils telnetd, has surfaced, with security researchers warning that over 800,000 vulnerable instances remain publicly accessible on the internet.

The Shadowserver Foundation’s Accessible Telnet Report reveals the scale of the problem. Approximately 800,000 telnet instances remain exposed on port 23/TCP across the internet, presenting an attractive target surface for mass-exploitation campaigns. Shadowserver’s dashboard provides real-time statistics on accessible telnet instances by country, sector, and ASN.

VulnCheck State of Exploitation 2026

VulnCheck, January 21, 2026

In 2025, VulnCheck identified 884 Known Exploited Vulnerabilities (KEVs) for which evidence of exploitation was observed for the first time. Our analysis shows that 28.96% of KEVs in 2025 were exploited on or before the day their CVE was published, an increase from the 23.6% observed in our 2024 trends in exploitation report, highlighting the continued prevalence of both zero-day and n-day exploitation. In 2025, exploitation evidence was first reported by over 100 unique organizations, including security researchers, cybersecurity vendors, and software suppliers. These trends demonstrate that exploitation speed remains consistently high year over year, and that defenders must prioritize visibility into exploited vulnerabilities with timely remediation in order to keep pace with attackers.

Transparency in exploitation disclosure is critical, as it enables consumers to better understand who first reported exploitation and to assess the level of trust they place in each source. Shadowserver remained the leading source for first-to-report exploitation evidence.

New D-Link flaw in legacy DSL routers actively exploited in attacks

Bleeping Computer, January 6, 2026

Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago. The vulnerability is now tracked as CVE-2026-0625 and affects the dnscfg.cgi endpoint due to improper input sanitization in a CGI library. An unauthenticated attacker could leverage this to execute remote commands via DNS configuration parameters.

Vulnerability intelligence company VulnCheck reported the problem to D-Link on December 15, after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots. VulnCheck told BleepingComputer that the technique captured by Shadowserver does not appear to have been publicly documented.

10,000+ Fortinet Firewalls Still Exposed to 5-year Old MFA Bypass Vulnerability

Cyber Security News, January 2, 2026

Over 10,000 Fortinet firewalls worldwide remain vulnerable to CVE-2020-12812, a multi-factor authentication (MFA) bypass flaw disclosed over five and a half years ago. Shadowserver recently added the issue to its daily Vulnerable HTTP Report, highlighting persistent exposure amid active exploitation confirmed by Fortinet in late 2025. Shadowserver’s scans confirm the flaw’s persistence, scanning for vulnerable HTTP services on exposed ports. Shadowserver’s dashboard reveals over 10,000 vulnerable instances as of early January 2026. The United States dominates with 1.3K exposed firewalls, followed by Thailand (909), Taiwan (728), Japan (462), and China (462).

RondoDox botnet exploits React2Shell flaw to breach Next.js servers

Bleeping Computer, December 31, 2025

The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks.

A new report from cybersecurity company CloudSEK notes that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later. As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell.

70,000+ MongoDB Servers Vulnerable to MongoBleed Exploit – PoC Released

Cyber Security News, December 30, 2025

A critical vulnerability in MongoDB Server is putting tens of thousands of databases worldwide at risk. Dubbed MongoBleed and tracked as CVE-2025-14847, this high-severity flaw allows unauthenticated attackers to remotely extract sensitive data from server memory without credentials.

The Shadowserver Foundation disclosed updated findings showing 74,854 potentially unpatched MongoDB versions among 78,725 exposed instances detected today. In a post on X, The Shadowserver Foundation warned that the combination of publicly available exploits, more than 70,000 exposed instances, and confirmed active exploitation makes urgent action essential.