Majority of Internet-Accessible REDCap Servers Outdated
These servers are regularly targeted by China-linked UNC6508 for initial access and backdoor deployment. The post Majority of Internet-Accessible REDCap Servers Outdated appeared first on SecurityWeek.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Summary
REDCap servers exposed to the internet are predominantly running outdated versions, which are actively targeted by the China-linked UNC6508 threat actor for cyberespionage campaigns. Starting in September 2023, UNC6508 exploited legacy REDCap servers to deploy malware for credential harvesting and later used these credentials to infiltrate internal networks and exfiltrate data. The threat actor's exact exploitation method is unconfirmed but likely involves probing vulnerable legacy versions, facilitated by REDCap's design allowing legacy and current versions to run side-by-side. As of June 2026, only about 1.18% of approximately 8,500 internet-exposed REDCap instances run the latest version 17.1.3, with many running older 16.x.x versions. The servers are distributed globally, with a significant concentration in the US. The vendor recommends maintaining updated software and securing the database behind a firewall separate from the web server.
Potential Impact
Outdated REDCap servers are susceptible to compromise by a state-sponsored threat actor, UNC6508, which has used these servers to gain initial access, deploy backdoors, harvest credentials, and subsequently access internal networks to exfiltrate sensitive data. This poses a significant risk to organizations in the medical, academic, and research sectors that rely on REDCap for clinical data management. The compromise can lead to unauthorized data access and potential espionage activities.
Mitigation Recommendations
Organizations should inventory all internet-exposed REDCap instances and ensure they are updated to the latest available version (at least version 17.1.3). Follow vendor recommendations to separate the web server and database server, securing the database behind a firewall. The advisory does not state that the issue is already mitigated or that no action is required, so these steps are necessary to reduce exposure; because patch status is not explicitly confirmed in the advisory, check the vendor's official resources for the latest remediation guidance.
Technical Details
- Article Source: https://www.securityweek.com/majority-of-internet-accessible-redcap-servers-outdated/ (fetched 2026-06-18T17:20:08.237Z, 1061 words)
Threat ID: 6a3428c8f198dc38c12eed44
Added to database: 6/18/2026, 5:20:08 PM
Last enriched: 6/18/2026, 5:20:18 PM
Last updated: 6/19/2026, 12:39:39 AM