Media Coverage

Shadowserver in the news

Ivanti Sentry Actively Exploited: CVSS 10.0 Flaw Backdoors Enterprise Mobile Gateways

Tech Times, June 11, 2026

Attackers have begun backdooring internet-exposed Ivanti Sentry appliances, the nonprofit security watchdog Shadowserver confirmed on June 11, 2026 — less than 48 hours after patches and a public proof-of-concept exploit script became available. The Ivanti Sentry vulnerability tracked as CVE-2026-10520 carries the maximum CVSS score of 10.0 and gives any unauthenticated, internet-connected attacker the ability to execute arbitrary operating system commands as root on the appliance — no credentials, no prior foothold required.

Shadowserver reported seeing 19 vulnerable instances in its scans, with at least two already backdoored following a tip from Saudi Arabia’s National Cybersecurity Authority. The organization cautioned that the true number of affected appliances is likely higher, as many Sentry deployments block internet scanning tools by default.

Over 900 US gas station tank gauge systems exposed to attacks

Bleeping Computer, June 5, 2026

Over 900 automatic tank gauge (ATG) systems across the United States, used to monitor fuel and chemical storage tanks across various critical infrastructure sectors, have been found exposed online and are vulnerable to ongoing attacks. In light of CISA’s advisory, Internet security watchdog Shadowserver warned today that over 1,000 ATG systems were exposed online, with the vast majority (909 devices) in the United States.

The Unspoken Guardians of the Internet: Why Non-profit Cybersecurity Matters for Public Safety and Global Resilience

The Hague Centre for Strategic Studies, June 2, 2026

Non-profit cybersecurity organisations are a foundational part of the global cyber ecosystem, yet their role remains systematically under-recognised and underfunded. This new HCSS report argues that these organisations provide essential public-interest security functions that governments and commercial providers cannot fully deliver on their own.

The report by Hans Horan, Ron Stoop and Jan Feldhusen finds that non-profit cybersecurity actors play a critical role in threat intelligence sharing, incident response coordination, standards development, capacity-building, and support for vulnerable communities. Their work helps reduce harm, strengthen cyber resilience, and sustain the shared infrastructure and protocols underpinning the global digital economy. The report warns that continued underfunding risks weakening critical cyber resilience functions worldwide. It recommends that governments establish dedicated multi-year funding streams, formally integrate non-profit actors into national cybersecurity strategies, and create rapid-response funding mechanisms for major cyber crises. It also calls on industry to adopt standing norms for financially supporting the sector.

Threat intelligence services can also generate substantial value. The most notable example would be Shadowserver, a non-profit that scans the global internet for vulnerabilities, malware, and active threats, and alerts affected organisations and governments. Single organisations such as Shadowserver and CIS account for market-equivalent values of USD 830M–980M and USD 354M, respectively. Shadowserver delivers this at an operating cost of USD 5.5 to 6 million per year: a leverage ratio of approximately 170 to 200 USD of economic value per dollar spent.

Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet

CrowdStrike, May 26, 2026

On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm’s command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads.

This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products; they’re targeting the developers who build them.

201 arrests in first-of-its-kind cybercrime operation in MENA region

INTERPOL, May 18, 2026

A first-of-its-kind cybercrime operation in the MENA region has led to the arrest of 201 individuals, with a further 382 suspects identified. Thirteen countries from the Middle East and North Africa took part in Operation Ramz (October 2025 – 28 February 2026), which aimed to investigate and disrupt malicious infrastructure, identify and arrest suspects, and prevent future losses. The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe costs on the region. In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized. Operation Ramz marked a milestone as the first cyber operation of its scale coordinated by INTERPOL in the MENA region. During this effort, nearly 8,000 pieces of crucial data and intelligence were disseminated among participating countries to initiate and support investigations.

During Operation Ramz, INTERPOL worked closely with its partners, Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru and TrendAI to track illegal cyber activities and identify malicious servers. Operation Ramz received support from the Qatar Ministry of Interior and was partially funded by the European Union and the Council of Europe under the CyberSouth+ project. Participating countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE.

Authenticated Admin RCE In Ivanti EPMM Added to CISA KEV

SOCRadar, May 8, 2026

Ivanti has patched CVE-2026-6973, a high-severity remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) on-prem deployments. The vulnerability has been exploited in the wild – CISA has also added it to the Known Exploited Vulnerabilities (KEV) catalog. The potential scope is significant: as of May 7, 2026, Shadowserver tracks over 800 internet-exposed Ivanti EPMM instances online, with the majority concentrated in Europe and North America.

Palo Alto Networks firewall zero-day exploited for nearly a month

Bleeping Computer, May 7, 2026

Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month. Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal. Internet threat watchdog Shadowserver now tracks over 5,400 PAN-OS VM-series firewalls exposed on the Internet, most of them in Asia (2,466) and North America (1,998).

cPanelSniper PoC Exploit Disclosed as 44,000 Servers Reportedly Compromised

GB Hackers, May 2, 2026

A critical zero-day vulnerability in cPanel and WebHost Manager (WHM) is under massive active exploitation following the public release of a sophisticated proof-of-concept exploit. Tracked as CVE-2026-41940, this flaw has already compromised tens of thousands of servers worldwide. The Shadowserver Foundation, a prominent non-profit security organization, reported intense exploitation activity targeting exposed cPanel instances globally. Their security honeypots detected at least 44,000 unique IP addresses that appear to be successfully compromised.

Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

Bleeping Computer, April 24, 2026

Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver. Zimbra is a popular email and collaboration software suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of businesses. On Friday, Internet security watchdog Shadowserver also warned that over 10,500 Zimbra servers exposed online remain unpatched, most of them in Asia (3,794) and Europe (3,793).

1,370+ Microsoft SharePoint Servers at Risk of Spoofing Attacks Found Exposed Online

GB Hackers, April 22, 2026

More than 1,370 Microsoft SharePoint servers remain publicly exposed to an actively exploited spoofing vulnerability, putting countless corporate networks at severe risk. Identified by threat intelligence researchers at The Shadowserver Foundation, these unpatched systems are vulnerable to sophisticated attacks that allow unauthorized individuals to bypass security protocols and compromise network integrity. The Shadowserver Foundation recently deployed version-based scans across the public internet to identify vulnerable SharePoint endpoints. Shadowserver continues to share this IP data daily through its Vulnerable HTTP reporting dashboards.