
Blog · 2026-07-08
Weekly threat report: June 29 to July 5, 2026
CVE-2026-34197 (KEV) probed by 421 IPs; port 33 lit up with 179,369 events. Most-hit ports, exploit paths to grep your logs for, and delivered malware. 2,710,022 events from 25,986 IPs, June 29 to July 5, 2026.
Sensors recorded 2,710,022 events from 25,986 unique IPs in the week of June 29 to July 5, 2026, up 17% on the week before. Below: what changed, and what to check your own perimeter and logs for.
What changed
- Port 33 logged 179,369 events after a quiet prior week (16 events).
- Port 39131 logged 80,452 events after a quiet prior week (9 events).
- Port 8190 went from 823 to 121,950 events (148x).
- AS61675 (GRANDE REDE TELECOM EIRELLE) was near-silent the week before, then sent 179,313 events from a single IP.
KEV and recent CVEs in probe traffic
Known-exploited (KEV) and recent CVEs whose exploit patterns showed up in this week's traffic, with how many distinct IPs probed for each. NEW means not seen the week before. The IP counts link to the live matching events.
| CVE | Title | Probing IPs | Events |
|---|---|---|---|
| CVE-2026-34197 KEV | Apache ActiveMQ - Remote Code Execution | 421 | 968 |
| CVE-2026-41940 KEV | cPanel & WHM - Authentication Bypass via Session-File CRLF Injection | 34 | 117 |
| CVE-2025-64328 KEV | FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection | 14 | 48 |
| CVE-2024-4577 KEV | PHP CGI - Argument Injection | 177 | 234 |
| CVE-2021-34473 KEV | Exchange Server - Remote Code Execution | 12 | 12 |
| CVE-2018-10561 KEV | GPON Router Command Injection | 8 | 8 |
| CVE-2026-3396 | WCAPF WooCommerce Ajax Product Filter - SQL Injection | 693 | 1,097 |
| CVE-2026-4020 | Gravity SMTP WordPress Plugin - Sensitive Information Exposure | 578 | 2,776 |
Paths to grep for
The most broadly probed URL paths of the week, ranked by how many distinct IPs requested them. If any of these return a 200 in your access logs, look closer.
| Path | IPs | Events |
|---|---|---|
/.git/config |
741 | 1,331 |
/sitemap.xml |
730 | 13,781 |
/.well-known/security.txt |
728 | 14,907 |
/login |
686 | 4,741 |
/project/.git/config |
683 | 1,019 |
/www/.git/config |
682 | 1,018 |
/blog/.git/config |
682 | 1,018 |
/assets/.git/config |
682 | 1,020 |
/code/.git/config |
682 | 1,001 |
/html/.git/config |
682 | 997 |
Most-hit ports
Change labels are against the prior week. Pivot into any port's live events: 9443, 443, 33, 8240, 8190.
Malware delivered
Payloads captured by the sensors and identified on VirusTotal. One representative hash per family.
| Family | Sample (VT) | Deliveries | Source IPs |
|---|---|---|---|
| unclassified | 6595029e3a3f6918 |
25 | 19 |
| mirai | f6c97b1e2ed02578 |
8 | 4 |
| ddosagent | a30e4dc6895145fe |
4 | 1 |
| bash | 3d266ba060261b8e |
2 | 1 |
| r774003 | 8196589edd7baca1 |
2 | 1 |
The IPs behind everything above are in the feeds, updated continuously. Pivot on any number at the lookup page, or wire the data into an agent over MCP. This report is generated from sensor data every Monday; subscribe below to get it by email.