Operation successfully coordinated by @europol.europa.eu via EC3 Cyber Intelligence Extension Programme (CIEP). Civil legal action by @microsoft.com DCU
Millions of phishing emails, 96K victims globally
Key domains seized/sinkholed/suspended, thousands of criminal users potentially impacted
06.03.2026 09:50
Great to support our international LE and private sector partners in Tycoon 2FA phishing-as-a-service #cybercrime disruption:
shadowserver.org/news/tycoon-...
New nCSIRT-only Tycoon 2FA Domains Special Report run 2026-03-04 (historical C2/panel/infra domains)
www.shadowserver.org/what-we-do/n...
06.03.2026 09:50
Another Iran Internet blackout, this time due to the war, visualized on our Public Dashboard - drop to near zero on 2026-03-01:
dashboard.shadowserver.org/statistics/c...
03.03.2026 20:32
World map · General statistics · The Shadowserver Foundation
If you receive an alert from us, please patch.
World Map view of all n8n vulnerable instances we track: dashboard.shadowserver.org/statistics/c...
#CyberCivilDefense
03.03.2026 12:51
CRITICAL: Vulnerable HTTP Report | The Shadowserver Foundation
DESCRIPTION LAST UPDATED: 2026-03-02 DEFAULT SEVERITY LEVEL: CRITICAL This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) service running on some port that may have a vulnera...
IP data on vulnerable instances is tagged 'n8n' & with a cve tag (like cve-2026-27495) in our Vulnerable HTTP reporting www.shadowserver.org/what-we-do/n...
Latest n8n critical RCE vulns (all covered with above tag):
github.com/n8n-io/n8n/s...
github.com/n8n-io/n8n/s...
github.com/n8n-io/n8n/s...
03.03.2026 12:51
We are continuing to expand our n8n RCE vulnerability scanning - most recently adding CVE-2026-27495 (CVSS 9.4) tagging as well. You can track our various n8n scan results here for the most well known critical vulns: dashboard.shadowserver.org/statistics/c...
Top affected: US, Germany & France.
03.03.2026 12:51
NVD - cve-2025-14500
If you receive an alert from us, please update!
NVD entry: nvd.nist.gov/vuln/detail/...
Background: www.zerodayinitiative.com/advisories/Z...
#CyberCivilDefense
02.03.2026 19:43
We are scanning & reporting IceWarp CVE-2025-14500 (CVSS 9.8, pre-auth command injection RCE) instances. 1278 IPs seen 2026-03-01 (version based).
Patch: support.icewarp.com/hc/en-us/com...
IP data: www.shadowserver.org/what-we-do/n...
World Map view: dashboard.shadowserver.org/statistics/c...
02.03.2026 19:43
#CyberCivilDefense
27.02.2026 14:51
blog.talosintelligence.com/uat-8616-sd-...
www.cyber.gov.au/sites/defaul...
sec.cloudapps.cisco.com/security/cen...
27.02.2026 14:51
INFO: Accessible SSH Report | The Shadowserver Foundation
This report identifies hosts that have the Secure Shell (SSH) service running and accessible on the Internet.
We are also sharing SSH port 830 data in our Accessible SSH reporting - this includes potential NETCONF instances www.shadowserver.org/what-we-do/n...
Around 90K SSH instances seen exposed, but this includes generic SSH population (NETCONF uses SSH).
Background: www.ncsc.gov.uk/news/exploit...
27.02.2026 14:51
INFO: Device Identification Report | The Shadowserver Foundation
DESCRIPTION LAST UPDATED: 2023-12-06 DEFAULT SEVERITY LEVEL: INFO This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our Interne...
Cisco SD-WAN incidents: we are sharing data on identified Cisco SD-WAN IPs in our Device ID reporting - www.shadowserver.org/what-we-do/n...
~5.5K Cisco SD-WAN IPs (control plane) (dashboard.shadowserver.org/statistics/i...) & over 270 management interfaces (dashboard.shadowserver.org/statistics/i...)
27.02.2026 14:51
CRITICAL: Compromised Website Report | The Shadowserver Foundation
This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify to be compromised.
IP data in our Compromised Website report, tagged 'freepbx-compromised' - www.shadowserver.org/what-we-do/n...
Compromised FreePBX tracker: dashboard.shadowserver.org/statistics/c...
Compromises are likely via CVE-2025-64328
Additional background from Fortinet: www.fortinet.com/blog/threat-...
24.02.2026 19:19
Thanks to collaboration with the Canadian Centre for Cyber Security we can share more comprehensive information on FreePBX instances running webshells, with still over 900 IPs seen compromised.
Dashboard Victim overview (Tree map) dashboard.shadowserver.org/statistics/c...
24.02.2026 19:19
Massive increase in sources attempting Ivanti EPMM CVE-2026-1281 exploitation, with over 28.3K source IPs seen on 2026-02-09. IP data on attackers shared in our www.shadowserver.org/what-we-do/n... (with vulnerability_id set to CVE-2026-1281). 20.4K IPs seen from US networks.
10.02.2026 18:36
#CyberCivilDefense
08.02.2026 19:23
Running End-of-Life devices or apps is a major security risk. @CISACyber has recently released a Directive on the topic: www.cisa.gov/news-events/...
It's worth mentioning we share many End-of-Life devices/apps in our daily reporting, tagged 'eol'.
See: dashboard.shadowserver.org/statistics/c...
08.02.2026 19:23
Ivanti Innovators Hub
If you receive an alert from us, please review the security advisory and guidance from Ivanti at hub.ivanti.com/s/article/Se... including the Exploitation Detection RPM Package co-developed by Ivanti & NCSC.nl
07.02.2026 16:22
We have started to report webshells (or other artifacts) found on Ivanti EPMM devices, likely compromised via CVE-2026-1281. 56 IPs found on 2026-02-06
Data in shadowserver.org/what-we-do/n...
Tree Map view: dashboard.shadowserver.org/statistics/c...
Thank you to the KSA NCA for the heads up!
07.02.2026 16:22
These reports help people defend the country against cyber attacks and also help people fight scammer networks
#CyberCivilDefense #take9
05.02.2026 11:53
SolarWinds Trust Center Security Advisories | CVE-2025-40551
See advisory and patch info from SolarWinds: www.solarwinds.com/trust-center...
If you receive an alert from us, make sure to review for compromise.
NVD entry: nvd.nist.gov/vuln/detail/...
Thank you to Validin for collaboration on the scan.
05.02.2026 10:54
For the last few days, we have been sharing SolarWinds Help Desk CVE-2025-40551 RCE vulnerable IPs (version check based) - ~ 170 seen. This vuln is now on CISAKEV. Data in Vulnerable HTTP reports: www.shadowserver.org/what-we-do/n...
Dashboard Tree Map: dashboard.shadowserver.org/statistics/c...
05.02.2026 10:54
Tree map by country · IoT device statistics · The Shadowserver Foundation
Dashboard Tree Map view: dashboard.shadowserver.org/statistics/i...
OpenClaw Dashboard exposure tracker (for past data, select vendor Moltbot on the Dashboard):
dashboard.shadowserver.org/statistics/i...
03.02.2026 17:35
Hacking Moltbook: AI Social Network Reveals 1.5M API Keys | Wiz Blog
Learn how a misconfigured Supabase database at Moltbook exposed 1.5M API keys, private messages, and user emails, enabling full AI agent takeover.
Most instances are across various cloud providers.
Our reporting is for awareness purposes.
OpenClaw has had various security risks highlighted recently (such as for example www.wiz.io/blog/exposed... & CVE-2026-25253 (1-Click RCE via Authentication Token Exfiltration))
03.02.2026 17:35
We are scanning & reporting out exposed OpenClaw/Clawdbot/Moltbot instances, with ~25K seen 2026-02-02. We report these out in our Device Identification reporting, with vendor set to OpenClaw for all cases: www.shadowserver.org/what-we-do/n...
World Map: dashboard.shadowserver.org/statistics/i...
03.02.2026 17:35
CISA Adds One Known Exploited Vulnerability to Catalog | CISA
CVE-2026-1281 has been added to CISA Known Exploited Vulnerability catalog: www.cisa.gov/news-events/...
Additional background from watchTowr: labs.watchtowr.com/someone-know...
31.01.2026 15:32
IP data on exposed instances shared in Device ID (device_vendor Ivanti, device_model EPMM ): www.shadowserver.org/what-we-do/n...
Dashboard World Map of exposed instances: dashboard.shadowserver.org/statistics/i...
Tree Map breakdown of exposed instances: dashboard.shadowserver.org/statistics/i...
31.01.2026 15:32