Live observations — 30-day window through 2026-05-30

Known Vulnerabilities Exploited in the Wild — What Actually Hit Our Sensors This Month

~50 million events across the three sensors in the last 30 days. The CVE-mapped subset — everything where a Suricata signature, the application-honeypot classifier, or the AI triage pass tagged a specific known vulnerability — tells a different story than the raw volume. The top of the leaderboard is the long-tail commodity stuff (Mirai, IoT-router CGI, CVE-2024-21762 FortiOS); the bottom is the three active hunts we’re running right now (PAN-OS CVE-2026-0300, NGINX Rift CVE-2026-42945, Apache mod_http2 CVE-2026-23918). Here’s what each looked like.

Tags: CVE, RCE, FortiOS, PAN-OS, NGINX, Apache, SMB / EternalBlue, Mirai / IoT

CVEs we observed by name in 30 days

| CVE | Product / class | Detection layer | Hunt status | Hits (30 d) |
|---|---|---|---|---|
| CVE-2024-21762 | FortiOS SSL-VPN out-of-bounds write | FortiGate honeypot path-class | background | ~30 |
| CVE-2022-42475 | FortiOS sslvpnd heap-based buffer overflow | FortiGate honeypot path-class | background | ~10 |
| CVE-2014-3692 | Linksys/Cisco router tmUnblock.cgi command injection | ET 2018132 / 2026102 / 2068292 | rondo actor cluster | ~30 |
| CVE-2026-0300 | PAN-OS captive-portal buffer overflow | SID 9026300–9026314 + HP classifier | active hunt | 16 |
| CVE-2026-42945 | NGINX rewrite-module heap overflow ("Rift") | SID 9026420–9026424 + HP classifier | active hunt | 2 (cross-hit) |
| CVE-2026-23918 | Apache 2.4.66 mod_http2 double-free DoS | SID 9026500–9026503 + HP classifier | active hunt | 22 (Day 1 FPs, fixed in rev:2) |
| EternalBlue (MS17-010) | SMBv1 remote code execution | SMB protocol classifier (184 K SMB events fleet-wide) | background | ~1,200 |
| Log4Shell (CVE-2021-44228) | Java JNDI lookup injection (${jndi:ldap://, ${jndi:rmi://) | HTTP request classifier + ET 2034647 | background | ~150 |
| Redis SLAVEOF takeover (2015) | Unauthenticated Redis replication abuse | Redis honeypot command-class | background | ~50 |
| Mirai & cousins | Telnet/ADB default-credential botnet family | Telnet/ADB honeypot credential-class | background | ~510 K Telnet + 11.5 K ADB |

Hit counts above are distinct high-confidence firings of the classifier or Suricata rule, not raw protocol volume. Mirai is still the loudest entry on the page because the default-credential class dominates on its own, whether or not a CVE is attached to it.

The three active hunts (right column above)

CVE-2026-0300 PAN-OS captive-portal buffer overflow — 50-day campaign window, T+17 today
Palo Alto disclosed this on 2026-05-06, after state actors had been exploiting it since 2026-04-09. We have been running captive-portal honeypots on 4443 and 6080-6082 across all three sensors since the disclosure. The 16 SID firings in the last 30 days break down into two clusters: the T+15 dual-actor incident on 2026-05-27, where two operators delivered the same 2,271-byte rondo-class body six minutes apart, and the T+16/T+17 rondo return, where the same actor came back from a new IP (124.198.131.22) but switched to IoT-router CGI paths on port 8080 instead of the PAN-OS captive portal.

Full timeline at /honeypot-data/cve-2026-0300-hunt.
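What the dual-actor and return calls boil down to is two joins over the firing records: identical bodies from different sources inside a short window, and one User-Agent spread over several IPs and several target surfaces. The script below is an added illustration written for this page, not our pipeline code; the records, the documentation-range addresses and the placeholder UA are constructed, and the body only reproduces the 32×0x41 + NUL prefix before padding out to 2,271 bytes.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (one per firing), not the page's own telemetry.
# The body reproduces only the "32 x 0x41 + NUL" prefix the post mentions; the
# rest is padding to reach the 2,271-byte length. Addresses are documentation
# ranges; the UA is a placeholder for the actor's email-shaped User-Agent.
RONDO_BODY = b"A" * 32 + b"\x00" + b"\x90" * (2271 - 33)
ACTOR_UA = "Mozilla/5.0 (actor@example.invalid)"

EVENTS = [
    {"ts": "2026-05-27T10:02:00Z", "sensor": "sensor-a", "src_ip": "203.0.113.10",
     "dport": 4443, "path": "/portal/", "ua": ACTOR_UA, "body": RONDO_BODY},
    {"ts": "2026-05-27T10:08:00Z", "sensor": "sensor-b", "src_ip": "198.51.100.7",
     "dport": 4443, "path": "/portal/", "ua": ACTOR_UA, "body": RONDO_BODY},
    {"ts": "2026-05-29T03:41:12Z", "sensor": "sensor-a", "src_ip": "192.0.2.44",
     "dport": 8080, "path": "/tmUnblock.cgi", "ua": ACTOR_UA, "body": b"ttcp_ip=probe"},
    {"ts": "2026-05-29T04:00:00Z", "sensor": "sensor-c", "src_ip": "198.51.100.200",
     "dport": 80, "path": "/.env", "ua": "python-requests/2.31", "body": b""},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def body_fingerprint(body):
    """Hash the raw body so identical payloads match regardless of source or sensor."""
    return hashlib.sha256(body).hexdigest()


def shared_payloads(events, window_s=600):
    """Bodies delivered by two or more distinct source IPs within window_s seconds.

    Returns {sha256: {"ips": [...], "span_s": seconds between first and last delivery}}.
    """
    by_hash = defaultdict(list)
    for ev in events:
        by_hash[body_fingerprint(ev["body"])].append(ev)
    found = {}
    for digest, evs in by_hash.items():
        ips = sorted({e["src_ip"] for e in evs})
        if len(ips) < 2:
            continue
        times = sorted(_ts(e["ts"]) for e in evs)
        span = int((times[-1] - times[0]).total_seconds())
        if span <= window_s:
            found[digest] = {"ips": ips, "span_s": span}
    return found


def actor_returns(events):
    """User-Agents seen from more than one source IP and on more than one target surface."""
    by_ua = defaultdict(lambda: {"ips": set(), "surfaces": set()})
    for ev in events:
        by_ua[ev["ua"]]["ips"].add(ev["src_ip"])
        by_ua[ev["ua"]]["surfaces"].add((ev["dport"], ev["path"]))
    return {
        ua: {"ips": sorted(v["ips"]), "surfaces": sorted(v["surfaces"])}
        for ua, v in by_ua.items()
        if len(v["ips"]) > 1 and len(v["surfaces"]) > 1
    }


if __name__ == "__main__":
    for digest, info in shared_payloads(EVENTS).items():
        print(f"shared body {digest[:12]}: {info['ips']} within {info['span_s']} s")
    for ua, info in actor_returns(EVENTS).items():
        print(f"returning actor {ua!r}: {len(info['ips'])} IPs over {info['surfaces']}")
```

The python-requests record is there as noise: one IP, one surface, so neither join picks it up. Hashing the full body rather than a prefix is deliberate; a shared prefix across two operators is unremarkable on a kit-driven port, a byte-identical 2,271-byte body is not.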
CVE-2026-42945 NGINX Rift — heap overflow in the rewrite module — Day 6, silence holds
Disclosed 2026-05-24. Heap overflow in ngx_escape_uri(NGX_ESCAPE_ARGS) when expanding runs of + / %2B inside a captured /api/(.*) rewrite group. Our coverage: a stdlib-only NGINX-Rift honeypot on TLS/8443 with unique per-sensor certificates, four Suricata signatures (9026420-9026423) targeting the structural shape of the request, and 4 KB eBPF capture on the same port. Zero true-positive firings in 6 days. The only 9026421 firing was the T+15 PAN-OS cross-hit: the 32×0x41 + NUL sequence in the rondo body coincidentally satisfied both rule sets, a classic cross-vendor structural collision.

Full timeline at /honeypot-data/cve-2026-42945-hunt.
CVE-2026-23918 Apache mod_http2 double-free DoS — Day 2, rev:2 vindicated
Disclosed 2026-05-28. CWE-415 double-free in Apache 2.4.66 mod_http2 stream cleanup, triggered by rapid HEADERS + RST_STREAM frame churn over HTTP/2. We changed the HP-HTTP honeypot's Server: header to Apache/2.4.66 (Ubuntu) mod_http2/2.0.32 plus Upgrade: h2,h2c the same day, which matches the public dork intext:"Apache/2.4.66" "HTTP/2".

Day 1 brought 22 FP firings: the python-h2-library User-Agent pcre was too broad and caught cloud-secrets hunters, MCP probers and Elasticsearch enumerators. The rule was tightened to rev:2 the same day. Day 2 telemetry confirmed the fix: zero firings. Silence is the right answer until a real h2-library exploit kit shows up.

Full timeline at /honeypot-data/cve-2026-23918-hunt.
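Both misfires in the hunts above (the 9026421 cross-hit on the rondo body and the Day 1 h2 User-Agent FPs) have the same root cause: a rule keyed on one structural feature that unrelated traffic also carries. The Python below is an added example, not our Suricata rules. The rev:1 and rev:2 shapes, the python-* UA class and the four traffic samples are assumptions chosen to show the collision and the fix; the rev:2 constraints are the ones the two bug descriptions themselves imply (a /api/ rewrite group with a +/%2B run for Rift; a client that actually speaks HTTP/2 for mod_http2).

```python
import re

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 9113 client connection preface

# Assumed, simplified stand-ins for the post's rules; the real 9026421 and the
# h2-UA pcre are not reproduced here.
RIFT_BODY_SHAPE = re.compile(rb"(.)\1{31}\x00")                 # 32-byte run of one octet, then NUL
RIFT_URI_SHAPE = re.compile(r"^/api/.*(?:\+|%2[bB]){16,}")      # captured /api/(.*) with a +/%2B run
PY_UA_ANY = re.compile(r"python", re.I)                          # rev:1: every python-* client
PY_UA_H2 = re.compile(r"python-(?:h2|hyper|httpx)", re.I)        # rev:2: assumed h2-capable client class


def rift_rev1(req):
    """Body shape alone: this is the check the rondo PAN-OS body collided with."""
    return bool(RIFT_BODY_SHAPE.search(req["body"]))


def rift_rev2(req):
    """Body shape AND the rewrite-group URI the bug actually needs."""
    return rift_rev1(req) and bool(RIFT_URI_SHAPE.match(req["path"]))


def h2_rev1(req):
    """UA only: fires on every python-* scanner, whatever it is probing for."""
    return bool(PY_UA_ANY.search(req["headers"].get("User-Agent", "")))


def h2_rev2(req):
    """Narrower UA class AND evidence the client actually speaks HTTP/2."""
    hdr = req["headers"]
    speaks_h2 = req["stream_head"].startswith(H2_PREFACE) or "h2c" in hdr.get("Upgrade", "")
    return bool(PY_UA_H2.search(hdr.get("User-Agent", ""))) and speaks_h2


RULES = {
    "rift rev:1": rift_rev1,
    "rift rev:2": rift_rev2,
    "h2-ua rev:1": h2_rev1,
    "h2-ua rev:2": h2_rev2,
}

# Constructed traffic samples (not captured data). stream_head is the first
# bytes the client put on the wire, which is where an h2 preface would be.
RIFT_PATH = "/api/" + "%2B" * 24
SAMPLES = [
    {"name": "rondo_panos", "path": "/portal/", "stream_head": b"POST /portal/ HTTP/1.1\r\n",
     "headers": {"User-Agent": "Mozilla/5.0 (actor@example.invalid)"},
     "body": b"A" * 32 + b"\x00" + b"\x90" * 64},
    {"name": "rift_probe", "path": RIFT_PATH, "stream_head": b"POST " + RIFT_PATH.encode() + b" HTTP/1.1\r\n",
     "headers": {"User-Agent": "curl/8.5.0"},
     "body": b"A" * 32 + b"\x00"},
    {"name": "env_hunter", "path": "/.env", "stream_head": b"GET /.env HTTP/1.1\r\n",
     "headers": {"User-Agent": "python-requests/2.31"},
     "body": b""},
    {"name": "h2_probe", "path": "/", "stream_head": H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00",
     "headers": {"User-Agent": "python-httpx/0.27"},
     "body": b""},
]


def evaluate(samples, rules=RULES):
    """Map each rule to the sample names it fires on."""
    return {name: [s["name"] for s in samples if rule(s)] for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLES).items():
        print(f"{name:12s} -> {hits}")
```

The pattern to take away: a rev:1 that matches on a body or UA fragment alone will fire on whoever else happens to send that fragment, and on a honeypot that is most of the internet. rev:2 adds the precondition the vulnerability itself requires, which costs nothing in true-positive coverage and removes the cross-vendor hits.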

The background — CVEs that have been around long enough they’re a constant

CVE-2024-21762 FortiOS SSL-VPN heap overflow — the FortiGate-honeypot perennial
More than two years after the February 2024 patch, still the single most-probed FortiOS vulnerability. The /lang/legacy/filechecksum + /migadmin/lang/legacy/legacy/filechecksum pair shows up on the FortiGate honeypot every few days from different sources. Detail and a representative day at /honeypot-data/fortigate-honeypot.
CVE-2014-3692 Linksys/Cisco tmUnblock.cgi — 12-year-old router CGI exploit, still hot
The rondo actor we have been tracking through the PAN-OS hunt spent the T+16/T+17 window hitting this on port 8080: same UA (Mozilla/5.0 ([email protected])), different target surface. That a 2014 router-CGI exploit is still in an active polyglot scanner's rotation says everything about what the long tail of unpatched IoT looks like. ET signatures 2018132 / 2026102 / 2068292 fire on these probes; we additionally fire 9026311 / 9026312 (rondo UA literal and email-shaped UA self-doxxing).
EternalBlue SMBv1 RCE — the eternal background
~184 K SMB-protocol events in 7 days across the fleet. The EternalBlue-shaped subset (SMB1 session setup, Tree Connect to IPC$, then the canonical transaction sequence on FID 0xC000) is still the dominant SMB attack pattern nine years after WannaCry. GPL signatures 2102465 / 2102466 fire on the IPC$ share access. We answer the negotiate correctly so the attacker keeps probing; we never answer the actual exploit transaction.
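For anyone who wants to see the "EternalBlue-shaped" check rather than read about it, the following is an added example, not the fleet's SMB classifier. It builds minimal SMB1 frames (NetBIOS session header, 32-byte SMB header, parameter/data block), walks a client flow through negotiate, session setup, tree connect and the NT Trans / Trans2 Secondary stage, and encodes the honeypot answer policy from the paragraph above. The flows, the address in the share path and the placeholder parameter blocks are constructed; only the header layout and command codes are the real SMB1 ones.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
NEGOTIATE, SESSION_SETUP_ANDX, TREE_CONNECT_ANDX = 0x72, 0x73, 0x75
NT_TRANSACT, TRANSACTION2_SECONDARY = 0xA0, 0x33
# cmd, status, flags, flags2, pid_high, signature, reserved, tid, pid, uid, mid
HDR_FMT = "<BIBHH8sHHHHH"


def smb1_frame(cmd, params_and_data=b"", tid=0, uid=0):
    """NetBIOS session header + 32-byte SMB1 header + caller-supplied parameter/data block."""
    hdr = SMB1_MAGIC + struct.pack(HDR_FMT, cmd, 0, 0x18, 0xC803, 0, b"\x00" * 8, 0, tid, 0xFEFF, uid, 0)
    body = hdr + params_and_data
    return b"\x00" + len(body).to_bytes(3, "big") + body


def tree_connect_andx(path):
    """WordCount=4 parameter block, then ByteCount, 1-byte password, ASCII path, service."""
    # AndXCommand, AndXReserved, AndXOffset, Flags, PasswordLength
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    data = b"\x00" + path.encode() + b"\x00" + b"?????\x00"
    return bytes([4]) + words + struct.pack("<H", len(data)) + data


def parse_smb1(frame):
    """Return (command, tid, uid, parameter/data block) or None if the frame is not SMB1."""
    if len(frame) < 36 or frame[0] != 0:
        return None
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    if body[:4] != SMB1_MAGIC or len(body) < 32:
        return None
    cmd, _st, _fl, _fl2, _ph, _sig, _rsv, tid, _pid, uid, _mid = struct.unpack(HDR_FMT, body[4:32])
    return cmd, tid, uid, body[32:]


# Client-side steps of the EternalBlue shape, in the order SMB1 requires them.
STEPS = [
    ("negotiate", lambda cmd, data: cmd == NEGOTIATE),
    ("session setup", lambda cmd, data: cmd == SESSION_SETUP_ANDX),
    ("tree connect IPC$", lambda cmd, data: cmd == TREE_CONNECT_ANDX and b"IPC$" in data.upper()),
    ("nt trans", lambda cmd, data: cmd == NT_TRANSACT),
    ("trans2 secondary", lambda cmd, data: cmd == TRANSACTION2_SECONDARY),
]


def classify_flow(frames):
    """Walk one client->server flow and report how far along the EternalBlue shape it got."""
    stage = 0
    for frame in frames:
        parsed = parse_smb1(frame)
        if parsed is None or stage == len(STEPS):
            continue
        cmd, _tid, _uid, data = parsed
        if STEPS[stage][1](cmd, data):
            stage += 1
    if stage == len(STEPS):
        label = "eternalblue-shaped"
    elif stage >= 3:
        label = "ipc$-access"        # GPL 2102465 / 2102466 territory, exploit never sent
    else:
        label = "benign-smb1"
    return stage, label


def should_answer(cmd):
    """Honeypot policy from the post: keep the handshake going, never serve the exploit transaction."""
    return cmd in (NEGOTIATE, SESSION_SETUP_ANDX, TREE_CONNECT_ANDX)


# Constructed flows; the parameter blocks after the header are minimal placeholders
# except for the tree-connect path, which is what the IPC$ check reads.
NEG = smb1_frame(NEGOTIATE, b"\x00\x0c\x00\x02NT LM 0.12\x00")
SESS = smb1_frame(SESSION_SETUP_ANDX, b"\x0d" + b"\x00" * 26 + b"\x00\x00")
EXPLOIT_FLOW = [NEG, SESS,
                smb1_frame(TREE_CONNECT_ANDX, tree_connect_andx("\\\\203.0.113.5\\IPC$"), uid=2048),
                smb1_frame(NT_TRANSACT, b"\x13" + b"\x00" * 40, tid=2049, uid=2048),
                smb1_frame(TRANSACTION2_SECONDARY, b"\x09" + b"\x00" * 20, tid=2049, uid=2048)]
IPC_SCAN_FLOW = [NEG, SESS,
                 smb1_frame(TREE_CONNECT_ANDX, tree_connect_andx("\\\\203.0.113.5\\IPC$"), uid=2048)]
SHARE_FLOW = [NEG, SESS,
              smb1_frame(TREE_CONNECT_ANDX, tree_connect_andx("\\\\203.0.113.5\\public"), uid=2048)]

if __name__ == "__main__":
    for name, flow in (("exploit", EXPLOIT_FLOW), ("ipc$ scan", IPC_SCAN_FLOW), ("file share", SHARE_FLOW)):
        print(f"{name:10s} -> {classify_flow(flow)}")
```

The stage counter is the useful output, not the final label: a flow that stops at stage 3 is an MS17-010 checker or a share enumerator, a flow that reaches stage 5 against a honeypot that never answered the NT Trans is a kit that does not bother to look at the replies.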
Log4Shell JNDI injection — still in every kit’s default wordlist
~150 hits in 30 days where the HTTP request carried a ${jndi:ldap:// or ${jndi:rmi:// lookup in a header (User-Agent, X-Forwarded-For, Cookie) or in a URL parameter. Four years after disclosure the kits have not bothered to remove it: if it costs nothing to include and works on the rare unpatched JVM, why would they.

What didn’t show up

Worth flagging by absence: zero CVE-2025-32756 / FortiWeb chain probes in this 30-day window, zero CVE-2024-3400 GlobalProtect command-injection attempts since 2026-05-15, and zero PrintNightmare SMB events. The kit operators move on quickly: once wave-1 mass exploitation is done and the unpatched targets are burned, the CVE rotates out of the active list within months.
