2026-06-19 13:05 UTC
FortiBleed Fortinet compromised devices!
We shared a one-off "FortiBleed" dataset of compromised Fortinet devices in our Compromised Website Report (https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/), thanks to collaboration with SOCRadar! IP data is tagged 'fortibleed', with the timestamp set to 2026-06-18.
2026-05-01 14:21 UTC
Attention! cPanel/WHM CVE-2026-41940 attacks ongoing - at least 44K instances compromised
cPanel/WHM CVE-2026-41940 attacks are ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. The 44K unique IP count is based on a spike of cPanel devices seen scanning, running exploits or carrying out brute-force attacks against our honeypot sensors.
References
- https://x.com/Shadowserver/status/2050208472386396568
- https://bsky.app/profile/shadowserver.bsky.social/post/3mksb7b5qfc2u
- https://infosec.exchange/@shadowserver/116499627192882664
- https://www.linkedin.com/feed/update/urn:li:activity:7455976703832580096
- https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
2026-04-06 11:47 UTC
FortiClient EMS CVE-2026-35616 (0day) & CVE-2026-21643 exploitation
Heads up FortiClient EMS users! CVE-2026-35616 (new) & CVE-2026-21643, both unauthenticated RCE, have been observed exploited in the wild! We see around 2000 publicly exposed IPs (note: this is not a vulnerability assessment).
2026-04-01 13:41 UTC
Now scanning/reporting F5 BIG-IP APM instances (Over 17.1K seen)
F5 BIG-IP APM CVE-2025-53521 impact has recently been updated from a DoS to RCE & added to US CISA KEV. We are now fingerprinting & sharing F5 BIG-IP APM instances - over 17.1K IPs seen on 2026-03-31 globally. This is just a population assessment.
References
- https://x.com/Shadowserver/status/2039330895270715500
- https://bsky.app/profile/shadowserver.bsky.social/post/3migrp4lkjs2u
- https://infosec.exchange/@shadowserver/116329649566841580
- https://www.linkedin.com/feed/update/urn:li:activity:7445099309764726785
- https://my.f5.com/manage/s/article/K000156741
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521