Media Coverage

Shadowserver in the news

Authenticated Admin RCE In Ivanti EPMM Added to CISA KEV

SOCRadar, May 8, 2026

Ivanti has patched CVE-2026-6973, a high-severity remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) on-prem deployments. The vulnerability has been exploited in the wild – CISA has also added it to the Known Exploited Vulnerabilities (KEV) catalog. The potential scope is significant: as of May 7, 2026, Shadowserver tracks over 800 internet-exposed Ivanti EPMM instances online, with the majority concentrated in Europe and North America.

Palo Alto Networks firewall zero-day exploited for nearly a month

Bleeping Computer, May 7, 2026

Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month. Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal. Internet threat watchdog Shadowserver now tracks over 5,400 PAN-OS VM-series firewalls exposed on the Internet, most of them in Asia (2,466) and North America (1,998).

cPanelSniper PoC Exploit Disclosed as 44,000 Servers Reportedly Compromised

GB Hackers, May 2, 2026

A critical zero-day vulnerability in cPanel and WebHost Manager (WHM) is under massive active exploitation following the public release of a sophisticated proof-of-concept exploit. Tracked as CVE-2026-41940, this flaw has already compromised tens of thousands of servers worldwide. The Shadowserver Foundation, a prominent non-profit security organization, reported intense exploitation activity targeting exposed cPanel instances globally. Their security honeypots detected at least 44,000 unique IP addresses that appear to be successfully compromised.

Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

Bleeping Computer, April 24, 2026

Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver. Zimbra is a popular email and collaboration software suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of businesses. On Friday, Internet security watchdog Shadowserver also warned that over 10,500 Zimbra servers exposed online remain unpatched, most of them in Asia (3,794) and Europe (3,793).

1,370+ Microsoft SharePoint Servers at Risk of Spoofing Attacks Found Exposed Online

GB Hackers, April 22, 2026

More than 1,370 Microsoft SharePoint servers remain publicly exposed to an actively exploited spoofing vulnerability, putting countless corporate networks at severe risk. Identified by threat intelligence researchers at The Shadowserver Foundation, these unpatched systems are vulnerable to sophisticated attacks that allow unauthorized individuals to bypass security protocols and compromise network integrity. The Shadowserver Foundation recently deployed version-based scans across the public internet to identify vulnerable SharePoint endpoints. Shadowserver continues to share this IP data daily through its Vulnerable HTTP reporting dashboards.

Actively exploited Apache ActiveMQ flaw impacts 6,400 servers

Bleeping Computer, April 21, 2026

Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability. Apache ActiveMQ is the most popular open-source multi-protocol message broker for asynchronous communication between Java applications. Tracked as CVE-2026-34197, the vulnerability was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant after remaining undetected for 13 years. As threat monitoring service ShadowServer warned on Monday, more than 6,400 IP addresses with Apache ActiveMQ fingerprints exposed online are also vulnerable to CVE-2026-34197 attacks, with most in Asia (2,925), North America (1,409), and Europe (1,334).

U.S. authorities conduct cyber operations as part of global crackdown on DDoS-for-hire services

US Department of Justice, April 16, 2026

The U.S. Justice Department today announced court-authorized actions taken to disrupt some of the world’s leading Distributed Denial of Service (DDoS) Internet of Things (IoT) botnet services. DDoS services, such as those named in this action, allegedly attacked a wide array of victims in the United States and abroad, including schools, government agencies, gaming platforms, critical infrastructure, including Department of War resources, and millions of people.

This law enforcement action was taken in conjunction with Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructures worldwide, and holding accountable the administrators and users of these illegal services. Principal partners in Operation PowerOFF include EUROPOL; the U.S. Attorney’s Offices for the District of Alaska and Central District of California; DCIS; FBI’s Anchorage Field Office; HSI’s Columbus Field Office; the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and International Computer Hacking and Intellectual Property (ICHIP) attorney advisor, who is based at Eurojust in The Hague; Germany’s Bundeskriminalamt (BKA); Netherlands Police; Polish Central Cybercrime Bureau; Japan’s National Police Agency, France’s Police Nationale, and many others.

Assistance was provided by Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Epieos, Google, Hydrolix, PayPal, Registrar of Last Resort and The ShadowServer Foundation, The University of Cambridge and Unit 221B.

CISA orders feds to patch exploited Fortinet EMS flaw by Friday

Bleeping Computer, April 6, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. Internet security watchdog group Shadowserver currently tracks nearly 2,000 FortiClient EMS instances exposed online, with more than 1,400 IPs in the United States and in Europe. However, there are no details on how many have already been patched or have vulnerable configurations.

Attackers Exploit RCE Flaw as 14,000 F5 BIG-IP APM Instances Remain Exposed

Security Affairs, April 6, 2026

Over 14,000 F5 BIG-IP APM instances remain exposed online, with attackers actively exploiting the critical remote code execution vulnerability CVE-2025-53521 (CVSS ver. 3.1 score of 9.8), the nonprofit security organization Shadowserver warns. Shadowserver now reports tracking over 14,100 IPs with F5 BIG-IP APM fingerprints exposed online, most of them in the US (5138), Europe (4750), and Asia (2689).

Researchers warn of critical flaws in Progress ShareFile

Cybersecurity Dive, April 3, 2026

Security researchers warn that chaining two critical vulnerabilities in Progress Software’s ShareFile service could allow an attacker to achieve remote code execution. Researchers from watchTowr said there were about 30,000 instances visible on the internet, while more targeted analysis from Shadowserver Foundation showed 784 unique IPs were exposed. The U.S. and Germany are the most widely exposed geographic locations, according to Shadowserver data.