Many REDCap servers accessible on the internet are running outdated software versions, making them susceptible to cyber threats, as reported by the internet intelligence firm Censys. REDCap, a platform for managing clinical research data, is predominantly used by academic, healthcare, and non-profit organizations and is developed by Vanderbilt University.
Cyber Threats Targeting REDCap Servers
A report from Google’s Threat Intelligence Group (GTIG) highlights that outdated REDCap servers are being targeted by a China-linked threat actor known as UNC6508. These servers are being exploited for cyberespionage, particularly in campaigns against prominent medical, academic, and military research organizations in the United States.
Since September 2023, UNC6508 has been compromising REDCap servers open to the web, deploying malware to harvest login credentials. In one notable incident, attackers used the InfiniteRed backdoor months after the initial breach. The group remained undetected for a year, eventually using the stolen credentials to infiltrate the internal network and extract data.
Prevalence of Outdated Software Versions
Censys reports approximately 8,500 REDCap instances exposed to the internet globally, yet only about 1% of them run the most current software version. The largest share, about 30%, runs version 16.0.17, followed by 16.1.4 at 4.93% and 16.0.15 at 3.34%. The latest REDCap version, 17.1.3, runs on only 1.18% of instances as of June 2026, indicating a significant lag in updates.
The widespread use of older versions is attributed to REDCap’s design, which permits administrators to keep legacy versions in service alongside newer ones. This practice has made these systems attractive targets for attackers probing for vulnerabilities.
Geographical Distribution and Security Recommendations
Internet-exposed REDCap servers are distributed across 100 countries, with approximately 40% located in the United States. Other significant concentrations include the United Kingdom (7.4%), Germany (4.8%), and Australia (3.9%).
Due to the interest of state-sponsored actors in these servers, organizations are advised to inventory their REDCap instances, ensure they are updated with the latest patches, and adhere to recommended security practices. These include separating web and database servers and securing databases behind firewalls.
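The inventory step above is the one most readily automated. The following is an added example written for this article, not code from REDCap, Censys, or GTIG: it takes a list of exposed instances and their reported versions, compares each against the latest release named in the article (17.1.3), and separates confirmed-outdated hosts from current and unparseable ones so that unknowns are not silently treated as safe. The hostnames are constructed placeholders; how a given organization collects version strings (from its asset database, a scanner, or the application itself) is left as an assumption.

```python
"""Flag REDCap instances running an outdated version.

Illustrative example for this article; not REDCap's own tooling.
The inventory is constructed sample data: hostnames are placeholders,
the version strings are the ones the article reports as common, and
LATEST_VERSION is the release the article names as current.
"""
from typing import Dict, List, Optional, Tuple

LATEST_VERSION = "17.1.3"

# Constructed sample inventory (placeholder hosts), including one entry
# whose version could not be determined.
SAMPLE_INVENTORY = [
    {"host": "redcap.example-univ.edu", "version": "16.0.17"},
    {"host": "redcap.example-hospital.org", "version": "16.1.4"},
    {"host": "redcap.example-lab.net", "version": "17.1.3"},
    {"host": "redcap.example-ngo.org", "version": "16.0.15"},
    {"host": "legacy.example-univ.edu", "version": "unknown"},
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '16.0.17' into (16, 0, 17); return None for anything malformed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_outdated(version: str, latest: str = LATEST_VERSION) -> Optional[bool]:
    """True if version is older than latest, False if current or newer,
    None if the version string cannot be parsed (never assume it is fine)."""
    parsed = parse_version(version)
    target = parse_version(latest)
    if parsed is None or target is None:
        return None
    # Tuple comparison is component-wise, so (16, 1, 4) < (17, 1, 3).
    return parsed < target


def assess_inventory(inventory: List[Dict[str, str]],
                     latest: str = LATEST_VERSION) -> Dict[str, List[str]]:
    """Bucket each host as outdated, current, or unknown."""
    report: Dict[str, List[str]] = {"outdated": [], "current": [], "unknown": []}
    for entry in inventory:
        state = is_outdated(entry["version"], latest)
        if state is None:
            report["unknown"].append(entry["host"])
        elif state:
            report["outdated"].append(entry["host"])
        else:
            report["current"].append(entry["host"])
    return report


def outdated_share(report: Dict[str, List[str]]) -> float:
    """Fraction of inventoried hosts confirmed outdated."""
    total = sum(len(hosts) for hosts in report.values())
    return len(report["outdated"]) / total if total else 0.0


if __name__ == "__main__":
    result = assess_inventory(SAMPLE_INVENTORY)
    for bucket, hosts in result.items():
        print(f"{bucket}: {len(hosts)}")
        for host in hosts:
            print(f"  {host}")
    print(f"outdated share: {outdated_share(result):.0%}")
```

Hosts in the "unknown" bucket deserve manual follow-up rather than being dropped: an instance whose version cannot be read is exactly the kind of forgotten legacy deployment the article describes.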
In conclusion, the persistence of outdated REDCap servers presents a substantial cybersecurity risk, necessitating proactive measures to safeguard sensitive research data from sophisticated cyber threats.
