Defused

715 posts

@DefusedCyber

Managed Honeypots for Early-warning Threat Intelligence 🍯 Access free honeypot intel: https://t.co/TTnxgiafkD

Joined August 2023
1 Following · 6.9K Followers
Pinned Tweet
Defused @DefusedCyber
🚨 New Fortinet vulnerability being exploited as an 0-day
CVE-2026-35616 - FortiClient EMS pre-authentication API access bypass - CVSS 9.1 Critical
After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under responsible disclosure. Fortinet has released an emergency hotfix - plus a scheduled patch - for FortiClient EMS 7.4.5 and 7.4.6.
The vulnerability allows an unauthenticated attacker to bypass API authentication and authorization entirely, unauthorized code or commands via crafted requests.
This discovery was made through our upcoming Radar feature launching next week 😇
Advisory: fortiguard.com/psirt/FG-IR-26…
Track exploitation of this and other Fortinet vulns in real time and get updates on the new Defused Radar 👉 console.defusedcyber.com/signup
Credit also to @heckintosh_ for independently discovering this vulnerability 💪
11
111
353
75.1K
Simo @SimoKohonen
Past few weeks I have been posting less @DefusedCyber updates, but only because it's reached enough users that have needed to rework some scaling aspects. That said, new stuff coming soon again 😉
3
2
22
3.5K
Defused @DefusedCyber
⚠️ We are observing actors sending test exploits against the recent Drupal vulnerability CVE-2026-9082 since this morning
Probes hit /jsonapi/node/* with a malformed filter[…][value][…] key, triggering the SQL injection bug to check whether the site is vulnerable. No data-extraction payloads yet, so this is likely recon ahead of the real wave.
Monitor live attacks against Drupal 👉 console.defusedcyber.com/intel
0
7
19
5.4K
Defused @DefusedCyber
🚨 The Cisco SD-WAN vManage CVE-2026-20224 released yesterday - currently stated to have no known ITW exploitation by Cisco PSIRT - is now seeing exploit activity on the Defused honeypots
Attackers are using 6 XXE variants for reading local filesystem paths. Payloads align with advisory but exploit success not verified
Track exploitation of this and other Cisco honeypots 👉 console.defusedcyber.com/intel
1
12
29
6.5K
Defused @DefusedCyber
⚠️ We are observing a major credential bruteforce attack targeting Palo Alto
The credentials rotate across a small set of weak passwords, suggesting recon / enumeration rather than actual access attempts
Main ASNs:
- AS394474 WhiteLabelColo
- AS3257 GTT Communications
- AS52393 Corporación Dana S.A.
- AS263740 Corporacion Laceibanetsociety
Monitor attacks against Palo Alto and other edge devices 👉 console.defusedcyber.com/intel
3
24
65
9.2K
Defused retweeted
Simo @SimoKohonen
No big exploit activity on the recent Palo Alto vuln (CVE-2026-0300), but a decent amount of scanning activity like this "exposure survey"
Feels like a lot of these are looking in the wrong direction though, both in terms of ports and paths..
3
9
48
6.9K
Defused @DefusedCyber
🚨 We've added tracking for CVE-2026-0300 (PAN-OS Authentication Portal) into our Palo Alto honeypot fleets
No action required from users subscribed to the Palo Alto intel feeds - tracking has been added in automatically.
Monitor exploit activity 👉 console.defusedcyber.com/intel
0
6
25
4.3K
Jessica Hunt @huntnp007
@stop_spammerz @DefusedCyber Classic progression... listaccts/version for recon, system for execution, SSH keys for persistence. Clean kill chain. They're moving smart with this one 👀
1
0
1
65
Defused @DefusedCyber
🚨 cPanel CVE-2026-41940 post-exploit activities we have observed in the past 24 hours:
/json-api/listaccts - lists the accounts on the server
/json-api/system - chained with a command parameter to execute commands on the target
/json-api/version - returns cPanel and WHM version (attackers likely checking if exploit works)
/json-api/authorizesshkey - used by attackers to add their SSH keys onto the target
/json-api/passwd - used to modify an account's password
Track live cPanel exploit activity against our honeypots 🍯 console.defusedcyber.com/signup
1
32
124
21.1K
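Added example, not part of the original post or of Defused's tooling: a small log triage script that looks for the `/json-api/` endpoints listed in the post above and reports which clients went beyond version and account checks. The stage labels, the optional `/cpsessNNN/` path prefix, the log format and the sample lines (documentation-range IPs) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Endpoints named in the post; the stage labels are this example's own grouping.
ENDPOINT_STAGE = {
    "listaccts": "recon",
    "version": "recon",
    "system": "execution",
    "authorizesshkey": "persistence",
    "passwd": "persistence",
}

# Common/combined access-log format: client IP first, request line in quotes.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# An optional /cpsessNNN/ session prefix before /json-api/ is assumed here.
PATH_RE = re.compile(r'^(?:/cpsess\d+)?/json-api/(?P<fn>[A-Za-z_]+)(?:[?/]|$)')


def stages_by_client(lines):
    """Return {client_ip: set of stages} for requests to the tracked endpoints."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        p = PATH_RE.match(m.group("target"))
        stage = ENDPOINT_STAGE.get(p.group("fn").lower()) if p else None
        if stage:
            seen[m.group("ip")].add(stage)
    return dict(seen)


def triage(lines):
    """Clients that reached execution or persistence endpoints, sorted."""
    return sorted(ip for ip, st in stages_by_client(lines).items() if st - {"recon"})


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:01 +0000] "GET /json-api/version HTTP/1.1" 200 112',
    '192.0.2.10 - - [01/Jan/2026:10:00:03 +0000] "GET /json-api/listaccts HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2026:10:00:09 +0000] "POST /json-api/authorizesshkey HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2026:10:02:00 +0000] "GET /json-api/version HTTP/1.1" 403 0',
    '198.51.100.7 - - [01/Jan/2026:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2026:10:05:00 +0000] "GET /cpsess1234567890/json-api/system?command=PLACEHOLDER HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip in triage(SAMPLE_LOG):
        print(ip, sorted(stages_by_client(SAMPLE_LOG)[ip]))
```

On a production server, legitimate WHM automation can call the same endpoints, so hits should be correlated with known administrative sources before being treated as compromise.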
Defused retweeted
mRr3b00t @UK_Daniel_Card
Baddies attacking CPANEL at: 86.155.41.250
2
1
18
3.6K
Defused @DefusedCyber
@nbrsr Just a million or so instances on the web.. 🥵
1
0
6
384
Defused @DefusedCyber
🚨 cPanel CVE-2026-41940 is undergoing active exploitation as of right now
We are observing multiple actors actively attacking our cPanel honeypots, likely utilizing the recently released watchTowr proof-of-concept exploit
Track live exploitation of cPanel 👉 console.defusedcyber.com/intel
1
16
67
35.3K
Defused @DefusedCyber
🚨 A critical authentication vulnerability has been identified in cPanel
Patches are available, and the company is urging users to update immediately as the vulnerability is of high severity
We have added a cPanel honeypot stream into Defused 🍯 console.defusedcyber.com/signup
0
8
53
14.6K
Defused @DefusedCyber
@breditor @bad_packets This person needs to get their act together... In addition to forgetting their Fortinet credentials, they've also forgotten their F5 credentials!
0
0
1
51
Bad Packets by Okta @bad_packets
Anyone reusing credentials on their Fortinet device? Asking for a friend on AS17511 (219.75.254[.]166) who keeps failing to get their password right.
1
5
6
2.3K