🚨 New Fortinet vulnerability being exploited as a 0-day
CVE-2026-35616 - FortiClient EMS pre-authentication API access bypass - CVSS 9.1 Critical
After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under responsible disclosure.
Fortinet has released an emergency hotfix - plus a scheduled patch - for FortiClient EMS 7.4.5 and 7.4.6.
The vulnerability allows an unauthenticated attacker to bypass API authentication and authorization entirely and run unauthorized code or commands via crafted requests.
This discovery was made through our upcoming Radar feature launching next week
Advisory: https://t.co/Jr2fUbq8JV
Track exploitation of this and other Fortinet vulns in real time and get updates on the new Defused Radar: https://t.co/iRDhHlDkep
Credit also to @heckintosh_ for independently discovering this vulnerability 💪
🚨 Based on @rapid7 observations of exploitation of PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257), we can also confirm first signs of exploitation around the same time (May 18th on the Defused TF feeds, and a customer hit on May 17th)
The exploit payload differs slightly from Rapid7's POC with the user-agent PAN GlobalProtect/6.0.0
Attacker IP: 104.207.144[.]154 🇺🇸 AS20473 The Constant Company
Rapid7 write-up: https://t.co/n9QiTULwHA
Past few weeks I have been posting less @DefusedCyber updates, but only because it's reached enough users that I have needed to rework some scaling aspects.
That said, new stuff coming soon again
⚠️ We are observing actors sending test exploits against the recent Drupal vulnerability CVE-2026-9082 since this morning
Probes hit /jsonapi/node/* with a malformed filter[…][value][…] key, triggering the SQL injection bug to check whether the site is vulnerable.
No data-extraction payloads yet, so this is likely recon ahead of the real wave.
Monitor live attacks against Drupal: https://t.co/rEG9aqrq5l
🚨 The Cisco SD-WAN vManage CVE-2026-20224 released yesterday - currently stated to have no known ITW exploitation by Cisco PSIRT - is now seeing exploit activity on the Defused honeypots
Attackers are using 6 XXE variants for reading local filesystem paths. Payloads align with advisory but exploit success not verified
Track exploitation of this and other Cisco honeypots: https://t.co/rEG9aqrq5l
⚠️ We are observing a major credential bruteforce attack targeting Palo Alto
The credentials rotate across a small set of weak passwords, suggesting recon / enumeration rather than actual access attempts
Main ASNs:
- AS394474 WhiteLabelColo
- AS3257 GTT Communications
- AS52393 Corporación Dana S.A.
- AS263740 Corporacion Laceibanetsociety
Monitor attacks against Palo Alto and other edge devices: https://t.co/rEG9aqrq5l
No big exploit activity on the recent Palo Alto vuln (CVE-2026-0300), but a decent amount of scanning activity like this "exposure survey"
Feels like a lot of these are looking in the wrong direction though, both in terms of ports and paths...
🚨 We've added tracking for CVE-2026-0300 (PAN-OS Authentication Portal) into our Palo Alto honeypot fleets
No action required from users subscribed to the Palo Alto intel feeds - tracking has been added in automatically.
Monitor exploit activity: https://t.co/FMlpPAiZfm
🚨 cPanel CVE-2026-41940 post-exploit activities we have observed in the past 24 hours:
/json-api/listaccts - lists the accounts on the server
/json-api/system - chained with a command parameter to execute commands on the target
/json-api/version - returns cPanel and WHM version (attackers likely checking if exploit works)
/json-api/authorizesshkey - used by attackers to add their SSH keys onto the target
/json-api/passwd - used to modify an account's password
Track live cPanel exploit activity against our honeypots 🎯 https://t.co/iRDhHlDkep
@UK_Daniel_Card @DefusedCyber Interesting that 205.237.106[.]117 is using @HackingLZ's favorite AI pentest tool, PentAGI.
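As an added illustration (not Defused's code or tooling, and not part of the original post), the Python below hunts for the five WHM JSON API endpoints listed above in web-server access logs and groups the hits per source IP so a responder can see the post-exploit sequence (version check, account listing, command execution, SSH key persistence, password change) at a glance. The sample log lines, IPs and timestamps are constructed for this example, and the assumption that the log is in combined log format and that the command-execution request carries a `command` query parameter is taken from the post's wording, not from cPanel documentation.

```python
import re
from typing import Dict, List, Optional, Tuple

# WHM/cPanel JSON API endpoints named in the post, with the purpose the post assigns to each.
WATCHED_ENDPOINTS: Dict[str, str] = {
    "/json-api/version": "version check (exploit validation)",
    "/json-api/listaccts": "account enumeration",
    "/json-api/system": "command execution via command parameter",
    "/json-api/authorizesshkey": "SSH key persistence",
    "/json-api/passwd": "account password change",
}

# Combined log format (Apache/nginx style). Assumption: WHM access logs look like this.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines: one actor (198.51.100.23, a documentation-range IP) walks the
# post-exploit chain; 192.0.2.10 is ordinary login traffic that must not be flagged.
SAMPLE_LOG: List[str] = [
    '198.51.100.23 - - [12/May/2026:10:01:02 +0000] "GET /json-api/version HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '192.0.2.10 - - [12/May/2026:10:01:05 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/May/2026:10:01:09 +0000] "GET /json-api/listaccts HTTP/1.1" 200 2210 "-" "python-requests/2.31"',
    '198.51.100.23 - - [12/May/2026:10:01:14 +0000] "GET /json-api/system?command=id HTTP/1.1" 200 140 "-" "python-requests/2.31"',
    '198.51.100.23 - - [12/May/2026:10:01:20 +0000] "POST /json-api/authorizesshkey HTTP/1.1" 200 61 "-" "python-requests/2.31"',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["url"].partition("?")
    rec["path"] = path.rstrip("/").lower()
    rec["query"] = query
    return rec


def classify(rec: dict) -> Optional[str]:
    """Return the reason a request is interesting, or None for unwatched paths."""
    reason = WATCHED_ENDPOINTS.get(rec["path"])
    if reason is None:
        return None
    if rec["path"] == "/json-api/system" and "command=" in rec["query"].lower():
        # Surface the chained command parameter the post describes.
        reason += " (command parameter present)"
    return reason


def hunt(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, path, reason, status) for every watched-endpoint request, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append((rec["ip"], rec["path"], reason, rec["status"]))
    return hits


def hits_by_ip(lines: List[str]) -> Dict[str, List[str]]:
    """Group flagged paths per source IP so the post-exploit sequence is visible."""
    grouped: Dict[str, List[str]] = {}
    for ip, path, _, _ in hunt(lines):
        grouped.setdefault(ip, []).append(path)
    return grouped


if __name__ == "__main__":
    for ip, path, reason, status in hunt(SAMPLE_LOG):
        print(f"{ip} {status} {path} -> {reason}")
    for ip, chain in hits_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {' -> '.join(chain)}")
```

Administrators and legitimate automation call these endpoints too, so the useful signal is the source: an IP that is not a known admin host walking version, listaccts, system and authorizesshkey in quick succession is the pattern worth alerting on, and the `hits_by_ip` grouping is there to make that sequence visible rather than to flag each request in isolation.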
That same actor also targeted @sysdig Langflow honeypots in March:
https://t.co/CMGVmurM7W