Media Coverage

Shadowserver in the news

Attackers target vulnerabilities in iOS, Mitel SIP phones and PAN-OS

Heise Online, February 17, 2025

Vulnerabilities in Palo Alto’s firewall operating system PAN-OS became known towards the end of last week. Exploit code was already available for the most serious vulnerability CVE-2025-0108. The Shadowserver Foundation has observed attacks on the PAN-OS vulnerability using this exploit code since Thursday, as reported on X.

12,000+ KerioControl Firewalls Exposed to 1-Click RCE Attack

GB Hackers, February 11, 2025

Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and vulnerable to a critical security flaw (CVE-2024-52875) that could be exploited for remote code execution (RCE) with minimal effort. The Shadowserver Foundation has been tracking this vulnerability and issuing daily reports since February 5, 2025.

A global heatmap published by Shadowserver highlights the widespread nature of the issue, showing unpatched devices across multiple countries. The Shadowserver Foundation is actively sharing data with network owners to help facilitate immediate remediation efforts.

Hackers Attacking Web Login Pages of Popular Firewalls for Brute-Force Attacks

Cyber Security News, February 7, 2025

In recent weeks, ShadowServer has observed a significant rise in brute-force attacks targeting web login pages of edge devices, with honeypot data revealing up to 2.8 million IPs involved daily.

The Shadowserver Foundation’s Honeypot HTTP Scanner Events Report notes that attackers are leveraging known vulnerabilities (CVE identifiers) and exploiting weak credentials to gain unauthorized access.

768 Vulnerabilities Exploited in the Wild in 2024: A 20% Year-Over-Year Surge

Cyber Security News, February 3, 2025

According to the latest findings from VulnCheck, 768 Common Vulnerabilities and Exposures (CVEs) were publicly reported as exploited in the wild for the first time this year (2024). Spikes in exploitation reporting frequently coincided with major industry events, including the RSA Conference, or were influenced by disclosures from newly onboarded sources like ShadowServer. ShadowServer’s integration into reporting processes in January also led to increased public awareness of exploitation.

The 2024 report highlighted that the initial evidence of exploitation came from a diverse set of 112 unique sources, underscoring the importance of collaboration within the security community. These sources include third-party security vendors, government agencies, non-profits (groups like ShadowServer significantly contributed to disclosure efforts), product vendors, and independent platforms.

Hackers exploiting flaws in SimpleHelp RMM to breach networks

Bleeping Computer, January 28, 2025

Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks. The flaws, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow threat actors to download and upload files on devices and escalate privileges to administrative levels.

Threat monitoring platform Shadowserver Foundation reported that it sees 580 vulnerable instances exposed online, most (345) located in the United States.

50,000 Fortinet Firewalls Remain Vulnerable to Critical Zero-Day Exploit

Cyber Security News, January 22, 2025

As of January 22, 2025, nearly 50,000 Fortinet firewall devices remain exposed to a critical zero-day vulnerability despite urgent warnings and available patches. CVE-2024-55591 is an authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products.

Data from the Shadowserver Foundation reveals that over 50,000 devices remain unpatched as of January 21, with significant concentrations in Asia (20,687), North America (12,866), and Europe (7,401).

2,048 Ivanti VPN Instances Vulnerable to Exploited Zero-Day Attacks

Cyber Security News, January 11, 2025

The vulnerability is a critical stack-based buffer overflow with a CVSS score of 9.0 that allows unauthenticated remote code execution. It affects multiple Ivanti products, including Connect Secure.

Shadowserver observed that 2,048 instances worldwide are vulnerable. The vulnerability, tracked as CVE-2025-0282, has been actively exploited since mid-December 2024.

The Pall Mall Process: Consultation on Good Practices Summary Report

GOV.UK, January 8, 2025

In February 2024, representatives from States, international organisations, private industry, academia, and civil society came together to consider the challenges posed by the proliferation and irresponsible use of commercial cyber intrusion capabilities (CCICs) and launched the Pall Mall Process. In August 2024, the Pall Mall Process launched a consultation on good practices through which to tackle this shared threat. This report summarises responses to the Pall Mall Process consultation into good practices, including examples, recommendations and concerns raised by participants in written responses and through virtual workshops.

Civil society and academia represented: Shadowserver Foundation

Backdooring Your Backdoors - Another $20 Domain, More Governments

watchTowr Labs, January 8, 2025

Put simply – we have been hijacking backdoors (that were reliant on now abandoned infrastructure and/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in. This hijacking allowed us to track compromised hosts as they ‘reported in’, and theoretically gave us the power to commandeer and control these compromised hosts. Over 4000 unique and live backdoors later…

For the same reasons that both this research and the .MOBI research came to exist, we would be guilty of the exact same careless disposal of infrastructure if we were to let these domains expire as their previous owners did. We’re incredibly grateful for the support of The Shadowserver Foundation, who have agreed yet again to save us from our own adventures and to take ownership of the domains implicated in this research and sinkhole them.

Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure

whitehouse.gov, December 17, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) and Office of the National Cyber Director (ONCD) published Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure to enable grant-making agencies to incorporate cybersecurity into their grant programs, and to enable grant-recipients to build cyber resilience into their grant-funded infrastructure projects.

The guide includes a comprehensive list of cybersecurity resources available to support grant recipient project execution. Shadowserver is included in the Advisory Support/Technical Assistance Service section in the Protect category.