Defused

9

26

3.6K

Defused@DefusedCyber·3d

⚠️ We are observing an active exploitation campaign targeting Citrix NetScaler instances We have observed 500+ exploit attempts of both CitrixBleeds (CVE-2025-5777 and CVE-2023-4966) against our NetScaler decoys across multiple regions: 193.24.211.86 AS215929 🇧🇬 Data Campus Limited 173.164.73.25 AS7922 🇺🇸 Comcast Cable Communications 91.92.243.126 AS202412 🇳🇱 Omegatech LTD 194.31.223.238 AS215439 🇩🇪 PLAY2GO INTERNATIONAL LIMITED Highly elevated exploit activity against older vulnerabilities can often precede a zero-day vulnerability Monitor exploitation of edge devices like Citrix NetScaler in real time 👉 console.defusedcyber.com/signup

English

25

66

10.9K

Defused retweetledi

Simo@SimoKohonen·4d

Shipped a number of improvements for finding the crucial intel from the @DefusedCyber TI - Filtering by attacker noise index (remove mass & scanners very easily) - Keyword, IP, attack type exclusions Check 'em 👉console.defusedcyber.com/intel

English

4

18

2K

Defused retweetledi

Mike Philbin@mikejphilbin·10 Mar

Security risks will grow as we move to clawbot and open law. The focus on ai security is growing

🚨 Note to people using systems like OpenClaw - bots are continuously crawling the internet for any leaking pathways, configurations and credentials. If it's on the internet, they will eventually find and abuse it 🤖 Ensure you have removed attack surface before deploying!

English

1

581

Defused@DefusedCyber·10 Mar

@AdolfoUsier 💪💪

QME

76

Adolfo 🦀🔺 | Open Crabs Father | truelens.tech®️@AdolfoUsier·10 Mar

@DefusedCyber yeah the crawling is brutal. I run mine on a cheap VPS with proper isolation - way less attack surface

English

0

1

134

Defused@DefusedCyber·10 Mar

🚨 Note to people using systems like OpenClaw - bots are continuously crawling the internet for any leaking pathways, configurations and credentials. If it's on the internet, they will eventually find and abuse it 🤖 Ensure you have removed attack surface before deploying!

English

5

19

2.6K

Defused retweetledi

Simo@SimoKohonen·5 Mar

More webshells with much more sophistication: - AES-encrypted C2 comms with hardcoded key - Dynamic in-memory Java classloading where no payload ever touches disk. - Session-persistent across requests - Response framing using a key-derived MD5 marker

Simo@SimoKohonen

Webshells be flowing into Cisco SD-WAN honeypots now.. Exploitation of CVE-2026-20127 is looking pretty heavy, new actors popping up by the hour

English

20

70

9K

Defused@DefusedCyber·5 Mar

@CydexSecurity 🛡️

QME

160

CYDEX Security@CydexSecurity·5 Mar

#Cybersecurity

🚨 Cisco SD-WAN CVE-2026-20127 is under active exploitation by multiple attackers Exploit activity is decently heavy with attackers trying to implement multiple persistence mechanisms Attacker in screenshot implements a gsocket/gs-netcat based backdoor connected to a Telegram bot, using kernel thread name spoofing ([kswapd0], [ksmd]) to hide processes. Patch immediately. If on an affected version, assume compromise and hunt. Track exploitation 👉 console.defusedcyber.com/intel

QHT

@techspence @UK_Daniel_Card

0

2

301

Defused retweetledi

Simo@SimoKohonen·5 Mar

Webshells be flowing into Cisco SD-WAN honeypots now.. Exploitation of CVE-2026-20127 is looking pretty heavy, new actors popping up by the hour

English

2

19

65

16K

Defused retweetledi

mRr3b00t@UK_Daniel_Card·4 Mar

we are inside the @DefusedCyber honeypots looking at : Cisco Catalyst SD-WAN (vManage) we are using @ipinfo for enrichment..... CVE-2026-20127 exploitation ..... let's take a peek! #Cyber #Baddies #CyberCrime

English

2

4

16

2.4K

Defused@DefusedCyber·4 Mar

GIF

QME

1

4

790

spencer@techspence·4 Mar

@DefusedCyber @UK_Daniel_Card Sneaky sneaky

Čeština

0

2

305

Defused@DefusedCyber·4 Mar

🚨 Cisco SD-WAN CVE-2026-20127 is under active exploitation by multiple attackers Exploit activity is decently heavy with attackers trying to implement multiple persistence mechanisms Attacker in screenshot implements a gsocket/gs-netcat based backdoor connected to a Telegram bot, using kernel thread name spoofing ([kswapd0], [ksmd]) to hide processes. Patch immediately. If on an affected version, assume compromise and hunt. Track exploitation 👉 console.defusedcyber.com/intel

English

4

22

57

18.1K

Defused@DefusedCyber·4 Mar

First exploit already on February 26th: x.com/SimoKohonen/st…

Simo@SimoKohonen

With the POC now at hand, we can observe first exploitation for this happened already on the 26th of February ❗️

English

5

972

Defused retweetledi

Eli Woodward@ElijahWoodward9·4 Mar

GIF

⚠️We are noting potentially novel exploit variants against Fortinet honeypots 🍯 Attacker source AS12975 (PALTEL Autonomous System) 🇵🇸 Various fabric endpoints are being exploited similar to CVE-2025-25257 (supplying malicious SQL code through authorization headers) 👉 console.defusedcyber.com/intel

ZXX

1

3

459

Defused@DefusedCyber·4 Mar

⚠️We are noting potentially novel exploit variants against Fortinet honeypots 🍯 Attacker source AS12975 (PALTEL Autonomous System) 🇵🇸 Various fabric endpoints are being exploited similar to CVE-2025-25257 (supplying malicious SQL code through authorization headers) 👉 console.defusedcyber.com/intel

English

10

25

5K

Defused@DefusedCyber·2 Mar

@vuln_tracker 🙌

QME

108

VulnTracker@vuln_tracker·2 Mar

CVSS 10.0 authentication bypass and threat actors are already fingerprinting exposed instances. China, Sweden, Russia — global interest. No PoC public yet but Nuclei templates are already being weaponized for enumeration. The window between scanning and exploitation is shrinking. Full CVE details: vulntracker.io/cves/CVE-2026-…

English

0

156

Defused@DefusedCyber·2 Mar

⚠️Cisco SD-WAN (CVE-2026-20127) enumeration slowly on the increase We have observed fingeprinting attempts against vulnerable Cisco SD-WAN instances - involving either utilizing Nuclei templates for older CVE's (such as CVE-2020–26073) or probing various SD-WAN REST API authentication endpoints. No observed POC candidates as of yet Some IPs involved from the past 24 hours: 111.194.48.235 China Unicom Beijing Province 🇨🇳 158.174.210.97 Bahnhof AB 🇸🇪 95.215.0.144 Petersburg Internet Network ltd. 🇷🇺

English

13

33

5.3K

Defused retweetledi

Eli Woodward@ElijahWoodward9·2 Mar

Cisco SD-WAN scanning is picking up. This kind of reconnaissance is usually a precursor to active exploitation. Interestingly there's no public POC available yet, but the advisory reported this has been exploitation for 3 years already. I imagine it's just a matter of time before this is public.

⚠️Cisco SD-WAN (CVE-2026-20127) enumeration slowly on the increase We have observed fingeprinting attempts against vulnerable Cisco SD-WAN instances - involving either utilizing Nuclei templates for older CVE's (such as CVE-2020–26073) or probing various SD-WAN REST API authentication endpoints. No observed POC candidates as of yet Some IPs involved from the past 24 hours: 111.194.48.235 China Unicom Beijing Province 🇨🇳 158.174.210.97 Bahnhof AB 🇸🇪 95.215.0.144 Petersburg Internet Network ltd. 🇷🇺

English

4

14

1.9K

Defused@DefusedCyber·2 Mar

@UK_Daniel_Card @Support 🥵🥵

QME