
Preamble

The use of honeypots is a fundamental component of cybersecurity. They provide valuable insights into ongoing attack activity and emerging cyber threats.

Some honeypots are highly sophisticated and designed to encourage deep interaction from malicious actors. They are particularly useful for understanding attacker methodologies throughout the intrusion and exploitation phases. Such systems are typically intended to monitor organized threat groups conducting real-world attack campaigns. However, by design, these honeypots are complex to deploy and maintain. Most importantly, they are generally limited to a restricted technological perimeter.

More general-purpose honeypots, on the other hand, are less likely to capture advanced attack behavior. However, they are capable of collecting data at a very large scale. The indicators of compromise they provide represent a major source of intelligence for security solutions and detection systems. These honeypots are now extremely common. Some critics argue that they distort the perceived exposure of vulnerable services on the Internet. Nevertheless, honeypots remain highly valuable because they represent a distinct category compared to traditional publicly accessible services. A legitimate user is not expected to connect to them. As a result, incoming connections are rarely accidental. They are almost always generated by automated tools scanning IP ranges for exposed services. Although such activity is not always initiated with malicious intent, it is frequently associated with attempts to identify and exploit application vulnerabilities, which may later serve as the initial vector for deeper attacks.

For this reason, we present here a retrospective analysis of the activity recorded on our honeypots between May 2025 and May 2026. We will focus specifically on vulnerability exploitation attempts in order to identify trends within the perimeter we monitor.

General activity

For security reasons, we prefer not to disclose the locations of our honeypots. However, after one year of activity, we recorded the following cumulative data:

  • 9,200,000 security events
  • 54,000 source IP addresses
  • 163 source countries

The targeted services are distributed as follows:

  • SSH (75% of events): Activity targeting this service is extremely intense. Its analysis alone would deserve a dedicated article. In the meantime, one recommendation remains clear: never expose SSH directly to the Internet unless absolutely necessary. An exposed instance is likely to be targeted almost immediately.
  • Web HTTP/S (10% of events): This category includes most CVE exploitation attempts against web applications, as well as reconnaissance and environment discovery activities. We will examine this perimeter in greater detail throughout this article.
  • SMTP (10% of events): We observed a large number of SMTP Open Relay exploitation attempts. However, direct attacks against the service itself, as well as malicious attachment delivery attempts, remained relatively limited.
  • Medical protocols (0.01% of events): Activity targeting these protocols was surprisingly low during the monitored period.

Beyond this general activity, we will now detail the more advanced attack attempts, namely those involving vulnerability exploitation.

Vulnerabilities Exploit Assessment

Meter Readings

If we restrict our analysis to direct CVE exploitation attempts, we identify a group of nine attacks that clearly stand out from the overall activity, particularly those targeting web applications and routers. Each exploit follows its own rhythm, sometimes characterized by significant spikes in activity, which we will examine later in this article. However, the clear leader during the monitored period was React2Shell (CVE-2025-55182). Indeed, services based on Next.js were massively targeted throughout December 2025.

Figure 1: List of Spotted Attacks

09 - Log4Shell (CVE-2021-44228)

CVSS: 10 / Publication Date: December 2021

Since its disclosure, Log4Shell has become a classic target for vulnerability exploitation. However, aside from a few activity spikes, the volume of attacks targeting this CVE has remained relatively low compared to the scale and impact of the vulnerability itself. This may indicate that exploitation attempts are gradually declining. Nevertheless, given the widespread presence of vulnerable systems and the historical significance of Log4Shell, we will continue to monitor its activity closely in the coming months.

Figure 2: Log4Shell Exploit Attempts

08 - ownCloud (CVE-2023-49103)

CVSS: 10 / Publication Date: November 2023

We previously discussed CVE-2023-49103, a vulnerability that allows an attacker to retrieve sensitive information from an ownCloud server, including administrator passwords, license keys and other secrets. The vulnerability still appears to be exploited. This is illustrated by the noticeable spike in exploitation attempts observed between February and March, suggesting that vulnerable systems remain exposed and continue to be actively targeted.

Figure 3: Exploit Attempt on CVE-2023-49103 from ownCloud

07 - D-Link Dir-645 (CVE-2015-2051)

CVSS: 10 / Publication Date: February 2015

This router is still occasionally targeted through an exploit dating back to... 2015. As a result, connecting such a device to the Internet without updating its firmware can expose it to significant risks. The activity spikes observed since October may be linked to the Rondodox campaign.

Figure 4: Exploit Attempts on CVE-2015-2051 For D-Link Dir-645

06 - CrushFTP (CVE-2025-54309)

CVSS: 9.8 / Publication Date: May 2025

This case is particularly interesting, as it consists of a single but highly concentrated attack campaign targeting CrushFTP servers through the exploitation of CVE-2025-54309. On 13 October 2025, we recorded nearly 200 exploitation attempts originating from the IP address 83.204.143.43. The activity lasted for only seven minutes before abruptly stopping. This is not really surprising, as the vulnerability relies on a race condition, a type of flaw that is inherently more difficult to exploit at scale. Successful exploitation generally requires a large number of requests to be sent within a very narrow time window, making mass exploitation less efficient for attackers. As for the timing, the attack occurred only a few days after a public Proof of Concept (PoC) was released.

Figure 5: Exploit Attempts on CVE-2025-54309 For CrushFTP

05 - Netgear DGN1000 / DGN2000 (CVE-2024-12847)

CVSS: 9.8 / Publication Date: June 2013

This vulnerability is another particularly unusual case. Although the underlying flaw was originally disclosed in 2013, it was only officially assigned a CVE identifier eleven years later. An attacker can exploit this vulnerability to bypass authentication mechanisms and execute commands with root privileges, potentially leading to a full compromise of the affected system. A significant proportion of the exploitation attempts we observed originated from the following IP addresses:

  • 159.99.95 (15.9%)
  • 88.186.85 (14.5%)
  • 88.186.32 (8.7%)
  • 198.131.83 (8.0%)
  • 26.115.195 (4.3%)
  • 199.72.27 (2.9%)
  • 153.34.156 (2.9%)

Figure 6: Exploit Attempts on CVE-2024-12847 for Netgear DGN1000/DGN2000

04 - Shellshock (CVE-2014-6271)

CVSS: 9.8 / Publication Date: September 2014

This vulnerability sent shockwaves through the cybersecurity community when it was disclosed in 2014. It is therefore not surprising to see attackers continuously probing for systems that still expose an unpatched Bash service. Because some web application stacks directly invoke Bash, exploiting this vulnerability can provide attackers with a straightforward path to initial access. As a result, even years after its disclosure, it remains a recurring target in Internet-wide scanning and exploitation campaigns.

Figure 7: Exploit Attempts on Shellshock

03 - ThinkPHP (multiple CVEs)

CVSS: 9.8 (CVE-2018-25270) / Publication Date: April 2026

This PHP development framework, which is particularly popular in China, is regularly targeted by attackers due to the remote code execution opportunities offered by several of its vulnerabilities. This trend became even more pronounced following the publication of CVE-2018-25270 in April 2026. Since then, we have observed a sustained level of exploitation attempts against exposed instances. We will monitor its future evolution.

Figure 8: Exploit Attempts on ThinkPHP Vulnerabilities

02 - ProxyLogon - ProxyShell - ProxyNotShell

CVSS: 9.8 (ProxyLogon, ProxyShell), 8.8 (ProxyNotShell) / Publication Date: February 2021 (ProxyLogon), July 2021 (ProxyShell), September 2022 (ProxyNotShell)

This chain of vulnerabilities has been regularly exploited since its disclosure in 2021, and since 2022 for the ProxyNotShell variant. When successfully exploited, it allows an attacker to gain control of an unpatched Microsoft Exchange server with SYSTEM-level privileges. As email servers are often critical assets within an organization's infrastructure, these vulnerabilities provide an attractive initial access vector for attackers. Combined with the relatively straightforward exploitation process, this explains why exploitation attempts have remained frequent and persistent over time. Given the strategic importance of Exchange servers and the potential impact of a compromise, it is unsurprising that these vulnerabilities continue to be heavily targeted years after their initial disclosure.

Figure 9: Exploit Attempts on ProxyLogon - ProxyShell - ProxyNotShell

01 - React2Shell (CVE-2025-55182 and CVE-2025-66478)

CVSS: 10 / Publication Date: December 2025

This vulnerability allows an attacker to obtain a shell on a Next.js web server with the privileges of the service account. Published in December 2025, it unsurprisingly generated a significant spike in exploitation attempts during the same month. Activity then gradually declined as organizations deployed patches and mitigations. Nevertheless, a persistent background level of exploitation attempts can still be observed. Time will tell whether it stands the test of time.

A large share of the December attacks came from just these six IP addresses:

  • 142.147.209 (35.6%)
  • 209.159.158 (26.1%)
  • 86.107.35 (14.2%)
  • 214.55.246 (6.2%)
  • 187.35.21 (4.9%)
  • 12.180.207 (3.3%)

Figure 10: Exploit Attempt Using React2Shell Vulnerability
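As an added example (not code from the article or from its honeypot tooling), the two analytics behind the per-source lists above and the CrushFTP case: the percentage share of attempts attributed to each source IP, and the detection of a short, concentrated burst from a single source. The events and IP addresses are constructed (RFC 5737 documentation ranges), not the sources reported in the article.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, exploit tag).
# Mimics one ~200-attempt, sub-10-minute burst plus scattered background noise.
def build_sample_events():
    base = datetime(2025, 10, 13, 14, 0, 0)
    events = []
    for i in range(198):  # burst: one attempt every 2 s from a single source
        events.append((base + timedelta(seconds=i * 2), "198.51.100.23", "crushftp"))
    for h, ip in enumerate(["203.0.113.5", "203.0.113.9", "192.0.2.77"]):
        for k in range(4):  # background: 4 attempts per source, spread over hours
            events.append((base - timedelta(hours=h + 1, minutes=k * 10), ip, "crushftp"))
    for k in range(6):  # a different exploit tag, to show per-tag filtering
        events.append((base + timedelta(hours=2, minutes=k), "192.0.2.77", "react2shell"))
    events.sort()
    return events

def source_shares(events, tag):
    """Percentage of attempts for `tag` attributed to each source IP, largest first."""
    counts = Counter(ip for _, ip, t in events if t == tag)
    total = sum(counts.values())
    return [(ip, round(100 * n / total, 1)) for ip, n in counts.most_common()]

def find_bursts(events, tag, window=timedelta(minutes=10), threshold=100):
    """For each source IP, the densest run of `tag` attempts fitting in `window`,
    reported only if it reaches `threshold`. Returns [(ip, first, last, count)]."""
    per_ip = defaultdict(list)
    for ts, ip, t in events:
        if t == tag:
            per_ip[ip].append(ts)
    bursts = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, left = None, 0
        for right, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[left] > window:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best[3]):
                best = (ip, stamps[left], ts, count)
        if best:
            bursts.append(best)
    return bursts

if __name__ == "__main__":
    ev = build_sample_events()
    print(source_shares(ev, "crushftp"))
    print(find_bursts(ev, "crushftp"))
```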

Conclusions

When we compare our findings with those reported by other organizations operating honeypots, we observe strong similarities in both the types of attacks and their overall patterns. This allows us to draw several conclusions:

  • Attacks targeting web applications are constant and sustained.
  • Vulnerabilities with a high exploitation potential, such as ProxyShell, Shellshock, and Log4Shell, continue to be actively targeted, sometimes more than a decade after their disclosure.
  • Routers and IoT devices remain under continuous attack.
  • Exposing an SSH service directly to the Internet remains extremely risky.

To mitigate these threats, systems must be updated regularly. This remains one of the most fundamental principles of cybersecurity. Of course, the challenge of zero-day vulnerabilities persists, as they are, by definition, impossible to predict and may be exploited before patches become available. However, honeypots can once again prove valuable in this context. They help identify suspicious behaviors, unknown attack patterns, and emerging exploitation attempts, providing defenders with early indicators of new threats.
