chief honeypot @defusedcyber

Joined February 2016
Pinned Tweet
Easter holidays and a Fortinet 0-day - a match made in heaven 🐰 (also my first credited CVE 😇)
🚨 New Fortinet vulnerability being exploited as an 0-day: CVE-2026-35616 - FortiClient EMS pre-authentication API access bypass - CVSS 9.1 Critical

After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under responsible disclosure. Fortinet has released an emergency hotfix - plus a scheduled patch - for FortiClient EMS 7.4.5 and 7.4.6.

The vulnerability allows an unauthenticated attacker to bypass API authentication and authorization entirely and execute unauthorized code or commands via crafted requests.

This discovery was made through our upcoming Radar feature launching next week 😇

Advisory: fortiguard.com/psirt/FG-IR-2…

Track exploitation of this and other Fortinet vulns in real time and get updates on the new Defused Radar 👉 console.defusedcyber.com/sig…

Credit also to @heckintosh_ for independently discovering this vulnerability 💪
some late friday night checkpoint fun going on 🍯
🚨 CVE-2026-50751 (Check Point Remote Access VPN IKEv1 auth bypass) is now under active exploitation

We're seeing in-the-wild attempts hitting our decoys, attempting to forge VPN sessions with no valid credentials

Track Check Point exploitation live console.defusedcyber.com/sig…
honeypots working as intended 😉 @DefusedCyber
Happy Friday! We're back with our analysis of Check Point's friendly CVE-2026-50751, an Authentication Bypass in their.. security-boundary-enforced-by-authentication SSL VPN products... Enjoy! labs.watchtowr.com/marking-y…
Simo retweeted
Before we go let's take a quick peek at some of the data we have from @DefusedCyber. This is the target detections (e.g. platforms and counts over the sample period) - I need to add more feeds :) so don't take this as 'this is all':

cPanel
Palo Alto GlobalProtect
Cisco Catalyst SD-WAN (vManage)
Fortinet FortiClient EMS
Citrix NetScaler
Ubiquiti UniFi OS Server
Drupal CMS (PostgreSQL)
Fortinet FortiSandbox
Ivanti EPMM
FortiWeb
FortiGate
Cisco ASA
Windows WSUS
Adobe Experience Manager
Atlassian Jira
Jenkins Server
Oracle E-Business
React Server
SonicWall SMA
VMware vCenter
Simo retweeted
One example of how the botnet feeds exploitation pipelines: we saw a surge of scanning against Fortinet devices within hours of the disclosure of Fortinet CVE-2026-35616, which was discovered by @SimoKohonen and @DefusedCyber.
😁
🚨 CVE-2026-10520 (Pre-auth OS Command Injection in Ivanti Sentry) is now under active exploitation

Attackers have been exploiting Ivanti systems with the recently released vulnerability since this morning

Track Ivanti exploitation live 👉 console.defusedcyber.com/sig…
That did not take long.. both the advisory & PoC dropped yesterday 😅
👇👇👇
🚨 The UniFi OS Server RCE chain (CVE-2026-34908/34909/34910) is now being actively exploited

Bishop Fox researchers discovered it is possible to chain three vulnerabilities together to achieve unauthenticated remote code execution as root - this is now already being used to deploy commodity malware

See the live exploit intel 👉 console.defusedcyber.com/sig…
"We believe that this threat actor infrastructure is exploiting other VPN related vulnerabilities such as the ones published by Palo Alto, Fortinet and F5."
Check Point links VPN zero-day attacks to Qilin ransomware gang bleepingcomputer.com/news/se… bleepingcomputer.com/news/se…
hunny hunny 🍯🍯🍯
🍯 We have recently added multiple new honeypot streams for vendors like Checkpoint, Cisco and Drupal! Track the latest exploit activity against vulnerabilities like CVE-2026-50751 👉 console.defusedcyber.com/sig…
The past 6 months have been a crazy time for @DefusedCyber. That said, I've been running the platform with a "beta" mindset - very quickly implementing somewhat half-baked ideas, which have yielded good results but also left the platform slightly disjointed in places. However, the vision of where to take the platform is quite clear now, and the remainder of June will both accelerate that vision and also mark the closing of the beta stage, hopefully removing all of the ridiculous UI and UX snafus still lingering in the platform. Got some really wild expansions coming, plus a completely renewed free offering. Stay tuned and LFG!
🍯🍯🍯🍯
Past few weeks I have been posting less @DefusedCyber updates, but only because it's reached enough users that I have needed to rework some scaling aspects. That said, new stuff coming soon again 😉
Shame we didn't pick up on this sooner despite the data being in the platform, but showcases exactly why I'm launching @DefusedCyber Builder - you can pick up different things & sometimes get earlier signals from running honeypots on your own infra 🍯
🚨 Based on @rapid7 observations of exploitation of PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257), we can also confirm first signs of exploitation around the same time (May 18th on the Defused TF feeds, and a customer hit on May 17th)

The exploit payload differs slightly from Rapid7's PoC, with the user-agent PAN GlobalProtect/6.0.0

Attacker IP: 104.207.144[.]154 🇺🇸 AS20473 The Constant Company

Rapid7 write-up: rapid7.com/blog/post/etr-rap…
πŸ‘οΈπŸ‘οΈ
⚠️ We are observing actors sending test exploits against the recent Drupal vulnerability CVE-2026-9082 since this morning Probes hit /jsonapi/node/* with a malformed filter[…][value][…] key, triggering the SQL injection bug to check whether the site is vulnerable. No data-extraction payloads yet, so this is likely recon ahead of the real wave. Monitor live attacks against Drupal πŸ‘‰console.defusedcyber.com/int…
this will never be not funny
PAN Cortex Xpanse has been non-stop scanning CVE-2026-0265 associated paths since May 7th..
@rxerium this is for you ;)
Palo Alto is the new Fortinet
CVE-2026-0265, the PAN-OS auth bypass (when Cloud Auth Services are enabled) was fun to reproduce and load into the watchTowr Platform. Our friends @HacktronAI are publishing their analysis this week, so we won't be publishing. Looking forward to it 🚀
Seems it was a performance piece of sorts..
Anyone want to give this guy a helping hand?