2026-05-01 14:21 UTC
Attention! cPanel/WHM CVE-2026-41940 attacks ongoing - at least 44K instances compromised
cPanel/WHM CVE-2026-41940 attacks are ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. The 44K unique IP figure is based on the spike in cPanel devices seen scanning, running exploits, or conducting brute-force attacks against our honeypot sensors.
References
- https://x.com/Shadowserver/status/2050208472386396568
- https://bsky.app/profile/shadowserver.bsky.social/post/3mksb7b5qfc2u
- https://infosec.exchange/@shadowserver/116499627192882664
- https://www.linkedin.com/feed/update/urn:li:activity:7455976703832580096
- https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
2026-04-06 11:47 UTC
FortiClient EMS CVE-2026-35616 (0day) & CVE-2026-21643 exploitation
Heads up FortiClient EMS users! CVE-2026-35616 (new) & CVE-2026-21643, both unauthenticated RCE, have been observed being exploited in the wild! We see around 2000 publicly exposed IPs (note: this is not a vulnerability assessment).
2026-04-01 13:41 UTC
Now scanning/reporting F5 BIG-IP APM instances (Over 17.1K seen)
F5 BIG-IP APM CVE-2025-53521 impact has recently been updated from a DoS to RCE & added to US CISA KEV. We are now fingerprinting & sharing F5 BIG-IP APM instances - over 17.1K IPs seen on 2026-03-31 globally. This is just a population assessment.
References
- https://x.com/Shadowserver/status/2039330895270715500
- https://bsky.app/profile/shadowserver.bsky.social/post/3migrp4lkjs2u
- https://infosec.exchange/@shadowserver/116329649566841580
- https://www.linkedin.com/feed/update/urn:li:activity:7445099309764726785
- https://my.f5.com/manage/s/article/K000156741
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521
2026-03-23 11:40 UTC
Over 511 000 End-of-Life Microsoft IIS instances seen in our daily scans, of which over 227 000 are beyond the official Microsoft Extended Security Updates (ESU) period
Over 511 000 End-of-Life Microsoft IIS instances are seen in our daily scans, of which over 227 000 are beyond the official Microsoft Extended Security Updates (ESU) period. We now tag those 'eol-iis' and 'eos-iis' respectively in our Vulnerable HTTP reports. Top countries running outdated IIS instances: China & USA.
References
- https://x.com/Shadowserver/status/2036017138750861391
- https://infosec.exchange/@shadowserver/116277884431680440
- https://bsky.app/profile/shadowserver.bsky.social/post/3mhprwqd2xs26
- https://www.linkedin.com/feed/update/urn:li:activity:7441785045998174208
- https://cisa.gov/resources-tools/resources/reducing-attack-surface-end-support-edge-devices