Media Coverage

Shadowserver in the news

Millions of Android TV boxes disconnected from hackers, but the risk remains

cybernews, March 22, 2025

A record five million devices, mostly Android TV boxes, are running malware that can no longer call back to hackers after authorities cut off their controllers. However, the devices are still dangerous, and owners should replace them.

Shadowserver Foundation, a UK government-funded internet security platform, tracks around five million IP addresses “sinkholed” every day. Just weeks ago, the number was closer to 2.5 million, representing a two-fold jump since the beginning of March. Sinkholing is a technique where malicious servers are taken over, or connections are redirected to a benign listener, preventing bots from communicating with their operators. Shadowserver tracks the numbers across 400 different malware family variants.

Massive exposure: 42K machines running VMware ESXi affected by exploited zero-days

cybernews, March 6, 2025

Hackers are already exploiting three critical zero-days affecting VMware ESXi virtualization software. Public scans reveal that as of March 5th, 2025, at least 41,450 servers and systems were exposed, leaving businesses worldwide vulnerable. ShadowServer Foundation, a nonprofit security organization, is tracking vulnerable ESXi instances.

Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes

HUMAN Security, March 5, 2025

HUMAN’s Satori Threat Intelligence and research team has uncovered and—in collaboration with Google, Trend Micro, Shadowserver, and other partners—partially disrupted a sprawling and complex cyberattack dubbed BADBOX 2.0. BADBOX 2.0 is a major adaptation and expansion of the Satori team’s 2023 BADBOX disclosure, and is the largest botnet made up of infected connected TV (CTV) devices ever uncovered.

New Eleven11bot botnet infects 86,000 devices for DDoS attacks

Bleeping Computer, March 4, 2025

A new botnet malware named ‘Eleven11bot’ has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks. The botnet, which is loosely linked to Iran, has already launched distributed denial of service (DDoS) attacks targeting telecommunication service providers and online gaming servers. Earlier today, threat monitoring platform The Shadowserver Foundation reported seeing 86,400 devices infected by the Eleven11bot botnet, with most in the United States, the United Kingdom, Mexico, Canada, and Australia.

2850+ Ivanti Connect Secure Devices Vulnerable to Remote Code Execution Attacks

Cyber Security News, February 26, 2025

A critical vulnerability, CVE-2025-22467, in Ivanti Connect Secure (ICS) devices has left approximately 2,850 instances worldwide unpatched and vulnerable to remote code execution (RCE) attacks. Shadowserver’s daily assessments reveal a significant prevalence of vulnerable devices across various nations. Shadowserver’s findings highlight the need for global coordination in vulnerability disclosure and remediation efforts. Their reports provide actionable intelligence to help organizations identify and secure exposed systems.

Shadowserver: a new tool for the cybersecurity of Andorran companies

National Cybersecurity Agency of Andorra, February 20, 2025

In Andorra, the CSIRT-AD has taken a step forward in the protection of companies and offers access to the Shadowserver service, a tool recognized internationally for its effectiveness in the detection and mitigation of threats. Access to Shadowserver provides essential information on detected malicious activities, compromised devices, and vulnerabilities within corporate networks. At a time when digital threats are increasingly frequent and sophisticated, tools like Shadowserver become essential to ensure system protection and operational continuity of companies.

Attackers target vulnerabilities in iOS, Mitel SIP phones and PAN-OS

Heise Online, February 17, 2025

Vulnerabilities in Palo Alto’s firewall operating system PAN-OS became known towards the end of last week. Exploit code was already available for the most serious vulnerability CVE-2025-0108. The Shadowserver Foundation has observed attacks on the PAN-OS vulnerability using this exploit code since Thursday, as reported on X.

12,000+ KerioControl Firewalls Exposed to 1-Click RCE Attack

GB Hackers, February 11, 2025

Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and vulnerable to a critical security flaw (CVE-2024-52875) that could be exploited for remote code execution (RCE) with minimal effort. The Shadowserver Foundation has been tracking this vulnerability and issuing daily reports since February 5, 2025.

A global heatmap published by Shadowserver highlights the widespread nature of the issue, showing unpatched devices across multiple countries. The Shadowserver Foundation is actively sharing data with network owners to help facilitate immediate remediation efforts.

Hackers Attacking Web Login Pages of Popular Firewalls for Brute-Force Attacks

Cyber Security News, February 7, 2025

In recent weeks, ShadowServer has observed a significant rise in brute-force attacks targeting web login pages of edge devices, with honeypot data revealing up to 2.8 million IPs involved daily.

The Shadowserver Foundation’s Honeypot HTTP Scanner Events Report notes that attackers are leveraging known vulnerabilities (CVE identifiers) and exploiting weak credentials to gain unauthorized access.

768 Vulnerabilities Exploited in the Wild in 2024: A 20% Year-Over-Year Surge

Cyber Security News, February 3, 2025

According to the latest findings from VulnCheck, 768 Common Vulnerabilities and Exposures (CVEs) were publicly reported as exploited in the wild for the first time this year (2024). Spikes in exploitation reporting frequently coincided with major industry events, including the RSA Conference, or were influenced by disclosures from newly onboarded sources like ShadowServer. ShadowServer’s integration into reporting processes in January also led to increased public awareness of exploitation.

The 2024 report highlighted that the initial evidence of exploitation came from a diverse set of 112 unique sources, underscoring the importance of collaboration within the security community. These sources include: third-party security vendors; government agencies; non-profits (groups like ShadowServer significantly contributed to disclosure efforts); product vendors; and independent platforms.
