🚨 New Fortinet vulnerability being exploited as an 0-day
CVE-2026-35616 - FortiClient EMS pre-authentication API access bypass - CVSS 9.1 Critical
After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under responsible disclosure.
Fortinet has released an emergency hotfix - plus a scheduled patch - for FortiClient EMS 7.4.5 and 7.4.6.
The vulnerability allows an unauthenticated attacker to bypass API authentication and authorization entirely and execute unauthorized code or commands via crafted requests.
This discovery was made through our upcoming Radar feature launching next week 😇
Advisory: fortiguard.com/psirt/FG-IR-2…
Track exploitation of this and other Fortinet vulns in real time and get updates on the new Defused Radar 👉 console.defusedcyber.com/sig…
Credit also to @heckintosh_ for independently discovering this vulnerability 💪
🚨 CVE-2026-50751 (Check Point Remote Access VPN IKEv1 auth bypass) is now under active exploitation
We're seeing in-the-wild attempts hitting our decoys, attempting to forge VPN sessions with no valid credentials
Track Check Point exploitation live console.defusedcyber.com/sig…
Happy Friday!
We're back with our analysis of Check Point's friendly CVE-2026-50751, an Authentication Bypass in their.. security-boundary-enforced-by-authentication SSL VPN products...
Enjoy!
labs.watchtowr.com/marking-y…
Before we go let's take a quick peek at some of the data we have from @DefusedCyber
These are the target detections (e.g. platforms and counts over the sample period) - I need to add more feeds :) so don't take this as 'this is all'
- cPanel
- Palo Alto GlobalProtect
- Cisco Catalyst SD-WAN (vManage)
- Fortinet FortiClient EMS
- Citrix NetScaler
- Ubiquiti UniFi OS Server
- Drupal CMS (PostgreSQL)
- Fortinet FortiSandbox
- Ivanti EPMM
- FortiWeb
- FortiGate
- Cisco ASA
- Windows WSUS
- Adobe Experience Manager
- Atlassian Jira
- Jenkins Server
- Oracle E-Business
- React Server
- SonicWall SMA
- VMware vCenter
🚨 CVE-2026-10520 (Pre-auth OS Command Injection in Ivanti Sentry) is now under active exploitation
Attackers have been exploiting Ivanti systems with the recently released vulnerability since this morning
Track Ivanti exploitation live 👉 console.defusedcyber.com/sig…
🚨 The UniFi OS Server RCE chain (CVE-2026-34908/34909/34910) is now being actively exploited
Bishop Fox researchers discovered it is possible to chain three vulnerabilities together to achieve unauthenticated remote code execution as root - this is now already being used to deploy commodity malware
See the live exploit intel 👉 console.defusedcyber.com/sig…
"We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto, Fortinet and F5."
🍯 We have recently added multiple new honeypot streams for vendors like Checkpoint, Cisco and Drupal!
Track the latest exploit activity against vulnerabilities like CVE-2026-50751 👉 console.defusedcyber.com/sig…
The past 6 months have been a crazy time for @DefusedCyber . That said, I've been running the platform with a "beta" mindset - very quickly implementing somewhat half-baked ideas, which have yielded good results but also left the platform slightly disjointed in places.
However, the vision where to take the platform is quite clear now, and the remainder of June will both accelerate that vision and also mark the closing of the beta stage, hopefully removing all of the ridiculous UI and UX snafus still lingering in the platform.
Got some really wild expanses coming, plus a completely renewed free offering. Stay tuned and LFG!
Past few weeks I have been posting less @DefusedCyber updates, but only because it's reached enough users that have needed to rework some scaling aspects.
That said, new stuff coming soon again 😉
🚨 Based on @rapid7 observations of exploitation of PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257), we can also confirm first signs of exploitation around the same time (May 18th on the Defused TF feeds, and a customer hit on May 17th)
The exploit payload differs slightly from Rapid7's PoC with the user-agent PAN GlobalProtect/6.0.0
Attacker IP: 104.207.144[.]154 🇺🇸 AS20473 The Constant Company
Rapid7 write-up: rapid7.com/blog/post/etr-rap…
⚠️ We are observing actors sending test exploits against the recent Drupal vulnerability CVE-2026-9082 since this morning
Probes hit /jsonapi/node/* with a malformed filter[…][value][…] key, triggering the SQL injection bug to check whether the site is vulnerable.
No data-extraction payloads yet, so this is likely recon ahead of the real wave.
Monitor live attacks against Drupal 👉 console.defusedcyber.com/int…
🚨 The Cisco SD-WAN vManage CVE-2026-20224 released yesterday - currently stated to have no known ITW exploitation by Cisco PSIRT - is now seeing exploit activity on the Defused honeypots
Attackers are using 6 XXE variants for reading local filesystem paths. Payloads align with advisory but exploit success not verified
Track exploitation of this and other Cisco honeypots 👉 console.defusedcyber.com/int…
⚠️ We are observing a major credential bruteforce attack targeting Palo Alto
The credentials rotate across a small set of weak passwords, suggesting recon / enumeration rather than actual access attempts
Main ASNs:
- AS394474 WhiteLabelColo
- AS3257 GTT Communications
- AS52393 Corporación Dana S.A.
- AS263740 Corporacion Laceibanetsociety
Monitor attacks against Palo Alto and other edge devices 👉 console.defusedcyber.com/int…
No big exploit activity on the recent Palo Alto vuln (CVE-2026-0300), but a decent amount of scanning activity like this "exposure survey"
Feels like a lot of these are looking in the wrong direction though, both in terms of ports and paths..
🚨 We've added tracking for CVE-2026-0300 (PAN-OS Authentication Portal) into our Palo Alto honeypot fleets
No action required from users subscribed to the Palo Alto intel feeds - tracking has been added in automatically.
Monitor exploit activity 👉 console.defusedcyber.com/int…
🚨 cPanel CVE-2026-41940 post-exploit activities we have observed in the past 24 hours:
/json-api/listaccts - lists the accounts on the server
/json-api/system - chained with a command parameter to execute commands on the target
/json-api/version - returns cPanel and WHM version (attackers likely checking if exploit works)
/json-api/authorizesshkey - used by attackers to add their SSH keys onto the target
/json-api/passwd - used to modify an account's password
Track live cPanel exploit activity against our honeypots 🍯 console.defusedcyber.com/sig…
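As an added illustration (not Defused's own code), here is a small access-log scanner that flags the cPanel post-exploitation endpoints listed in this post and the Drupal JSON:API filter probes described in the CVE-2026-9082 post above. The log lines are constructed samples in Combined Log Format; the tag names and the 203.0.113.0/24 addresses are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl

# cPanel/WHM JSON API endpoints named in the post above, with the post-exploitation use each had.
CPANEL_POST_EXPLOIT = {
    "listaccts": "enumerate accounts on the server",
    "system": "command execution via a chained command parameter",
    "version": "version check (attacker confirming the exploit worked)",
    "authorizesshkey": "persistence: attacker SSH key added",
    "passwd": "account password changed",
}
# Combined Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    # Returns a list of (tag, detail) findings for one request target (path plus query string).
    path, _, query = target.partition("?")
    findings = []
    m = re.match(r"^/json-api/([A-Za-z_]+)$", path)
    if m and m.group(1) in CPANEL_POST_EXPLOIT:
        findings.append(("cpanel:" + m.group(1), CPANEL_POST_EXPLOIT[m.group(1)]))
    if path.startswith("/jsonapi/node/"):
        for key, _value in parse_qsl(query, keep_blank_values=True):
            # Drupal JSON:API probe: a filter key carrying a nested [value][...] segment
            if key.startswith("filter[") and "][value][" in key:
                findings.append(("drupal:jsonapi-filter-probe", key))
                break
    return findings

def scan_log(lines):
    # Parses access-log lines and returns alerts as (ip, status, tag, detail) tuples.
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than crash
        for tag, detail in classify_request(m.group("target")):
            alerts.append((m.group("ip"), int(m.group("status")), tag, detail))
    return alerts

# Constructed sample log lines (not captured traffic); 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2026:08:00:01 +0000] "GET /json-api/version HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/Jun/2026:08:00:02 +0000] "GET /json-api/listaccts HTTP/1.1" 200 2048',
    '203.0.113.10 - - [01/Jun/2026:08:00:05 +0000] "POST /json-api/authorizesshkey HTTP/1.1" 200 128',
    '203.0.113.20 - - [01/Jun/2026:09:12:44 +0000] "GET /jsonapi/node/article?filter[a][value][b]=1 HTTP/1.1" 500 0',
    '203.0.113.30 - - [01/Jun/2026:09:13:00 +0000] "GET /jsonapi/node/article?filter[title][value]=hello HTTP/1.1" 200 900',
]
```

A 200 on /json-api/version from an untrusted source followed by listaccts and authorizesshkey is the sequence worth paging on; a single probe with a 4xx is more likely scanning.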
Interesting that 205.237.106[.]117 is using @HackingLZ's favorite AI pentest tool, PentAGI.
That same actor also targeted @sysdig Langflow honeypots in March:
sysdig.com/blog/cve-2026-330…