Unpatched servers under assault
Researchers are flagging a surge in exploits of unpatched servers and weak creds — the guidance: urgent patching and active internet-surface monitoring (think Shodan) to spot exposed services before attackers do. Posts today stress that delays equal compromise risk — patch cadence plus continuous inventory are non‑negotiable.
SmarterTools confirmed (securityweek.com) that the Warlock/Storm‑2603 ransomware gang gained initial access on January 29, 2026 via an unpatched SmarterMail instance inside the company's environment. (secpod.com) The Shadowserver Foundation reported (bleepingcomputer.com) that more than 6,000 internet‑accessible SmarterMail servers were running versions likely vulnerable to CVE‑2026‑23760.
Shadowserver's scans also showed over 29,000 exposed Microsoft Exchange servers remained unpatched against CVE‑2025‑53786 in early August 2025. (bleepingcomputer.com)
A botnet campaign tracked as RondoDox has been observed exploiting CVE‑2025‑24893 in XWiki to enlist forgotten installs into miners and DDoS nodes during a November 2025 surge. (cyberwarzone.com) Security reporting found exploit code and PoCs spread fast after initial disclosure — analysts noted that “within days” opportunistic actors adopted the XWiki exploit, driving follow‑on scanners and payload drops. (thehackernews.com)
Public internet‑surface scanners and dashboards are the primary sources for these counts: Shodan’s CVEDB and related product dashboards track vulnerable services while Shadowserver publishes daily vulnerable‑HTTP scan results. (cvedb.shodan.io)
U.S. agencies responded with emergency measures: CISA issued ED 25‑02 on August 7, 2025 mandating mitigation for the Exchange hybrid flaw by August 11, 2025, and Microsoft published MDVM guidance for CVE‑2025‑53786 for hybrid deployments. (cisa.gov)