Media Coverage

Shadowserver in the news

Thousands of Fortinet devices compromised: hackers lurk after previous breaches

cybernews, April 14, 2025

Hackers retain access to over 14,000 Fortinet VPNs, public scans by Shadowserver Foundation have revealed. And they could’ve been lurking for years, leaving sensitive data at risk. Fortinet explains that threat actors are using a post-exploitation technique to create malicious files from previously known Fortinet vulnerabilities, including CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475. Fortinet also said it performed scans to identify compromised devices using internal telemetry and in collaboration with third-party organizations. The company also communicated directly with identified customers.

Shadowserver Foundation scans discovered around 14,300 infected Fortinet devices publicly exposed to the internet. Most of them, around 1,500, are in the US, followed by Japan (600), Taiwan (600), China (500), France (500). Over three hundred compromised FortiOS devices were also discovered in Thailand, Turkey, Israel, Italy, Canada, India, Spain, Indonesia, and Malaysia.

“It is critically important for all organizations to keep their devices up to date. A variety of government organizations have reported that state-sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities,” Fortinet warns.

5000+ Exposed Ivanti Connect Secure Devices Vulnerable to RCE Attacks

Cyber Security News, April 9, 2025

Over 5,113 Ivanti Connect Secure VPN appliances remain unpatched and vulnerable to the active exploitation of CVE-2025-22457, a critical stack-based buffer overflow vulnerability that enables remote code execution (RCE). The Shadowserver Foundation’s recent scans revealed widespread exposure, with devices spanning multiple countries, including the United States, Japan, China, and Australia. They highlight numerous organizations that remain vulnerable despite available patches and active exploitation.

CrushFTP Security Vulnerability Under Attack After PoC Release

GB Hackers, April 1, 2025

A recently disclosed security vulnerability in CrushFTP, identified as CVE-2025-2825, has become the target of active exploitation attempts following the release of publicly available proof-of-concept (PoC) exploit code. Shadowserver Foundation, a reputable cybersecurity monitoring organization, disclosed the alarming surge in attacks based on the PoC via their official announcement on X. Shadowserver’s dashboard tracking shows a spike in exploitation attempts globally, reflecting the widespread interest among attackers in leveraging the vulnerability. Shadowserver’s analysis serves as a wake-up call for organizations using CrushFTP to patch their systems promptly and strengthen their defensive measures.

Millions of Android TV boxes disconnected from hackers, but the risk remains

cybernews, March 22, 2025

A record five million devices, mostly Android TV boxes, are running malware that can no longer call back to hackers after authorities cut off their controllers. However, the devices are still dangerous, and owners should replace them.

Shadowserver Foundation, a UK government-funded internet security platform, tracks around five million IP addresses “sinkholed” every day. Just weeks ago, the number was closer to 2.5 million, representing a two-fold jump since the beginning of March. Sinkholing is a technique where malicious servers are taken over, or connections are redirected to a benign listener, preventing bots from communicating with their operators. Shadowserver tracks the numbers across 400 different malware family variants.

Massive exposure: 42K machines running VMware ESXi affected by exploited zero-days

cybernews, March 6, 2025

Hackers are already exploiting three critical zero-days affecting VMware ESXi virtualization software. Public scans reveal that as of March 5th, 2025, at least 41,450 servers and systems were exposed, leaving businesses worldwide vulnerable. Shadowserver Foundation, a nonprofit security organization, is tracking vulnerable ESXi instances.

Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes

HUMAN Security, March 5, 2025

HUMAN’s Satori Threat Intelligence and research team has uncovered and—in collaboration with Google, Trend Micro, Shadowserver, and other partners—partially disrupted a sprawling and complex cyberattack dubbed BADBOX 2.0. BADBOX 2.0 is a major adaptation and expansion of the Satori team’s 2023 BADBOX disclosure, and is the largest botnet made up of infected connected TV (CTV) devices ever uncovered.

New Eleven11bot botnet infects 86,000 devices for DDoS attacks

Bleeping Computer, March 4, 2025

A new botnet malware named ‘Eleven11bot’ has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks. The botnet, which is loosely linked to Iran, has already launched distributed denial of service (DDoS) attacks targeting telecommunication service providers and online gaming servers. Earlier today, threat monitoring platform The Shadowserver Foundation reported seeing 86,400 devices infected by the Eleven11bot botnet, with most in the United States, the United Kingdom, Mexico, Canada, and Australia.

2850+ Ivanti Connect Secure Devices Vulnerable to Remote Code Execution Attacks

Cyber Security News, February 26, 2025

A critical vulnerability, CVE-2025-22467, in Ivanti Connect Secure (ICS) devices has left approximately 2,850 instances worldwide unpatched and vulnerable to remote code execution (RCE) attacks. Shadowserver’s daily assessments reveal a significant prevalence of vulnerable devices across various nations. Shadowserver’s findings highlight the need for global coordination in vulnerability disclosure and remediation efforts. Their reports provide actionable intelligence to help organizations identify and secure exposed systems.

Shadowserver: a new tool for the cybersecurity of Andorran companies

National Cybersecurity Agency of Andorra, February 20, 2025

In Andorra, CSIRT-AD has taken a step forward in protecting companies and now offers access to the Shadowserver service, a tool recognized internationally for its effectiveness in detecting and mitigating threats. Access to Shadowserver provides essential information on detected malicious activity, compromised devices, and vulnerabilities within corporate networks. At a time when digital threats are increasingly frequent and sophisticated, tools like Shadowserver become essential to ensuring the protection of systems and the operational continuity of companies.

Attackers target vulnerabilities in iOS, Mitel SIP phones and PAN-OS

Heise Online, February 17, 2025

Vulnerabilities in Palo Alto’s firewall operating system PAN-OS became known towards the end of last week. Exploit code was already available for the most serious vulnerability CVE-2025-0108. The Shadowserver Foundation has observed attacks on the PAN-OS vulnerability using this exploit code since Thursday, as reported on X.