HoneyLabs

Blog · 2026-07-08

Weekly threat report: June 29 to July 5, 2026

CVE-2026-34197 (KEV) probed by 421 IPs; port 33 lit up with 179,369 events. Most-hit ports, exploit paths to grep your logs for, and delivered malware. 2,710,022 events from 25,986 IPs, June 29 to July 5, 2026.


Sensors recorded 2,710,022 events from 25,986 unique IPs in the week of June 29 to July 5, 2026, up 17% on the week before. Below: what changed, and what to check your own perimeter and logs for.

What changed

KEV and recent CVEs in probe traffic

Known-exploited (KEV) and recent CVEs whose exploit patterns showed up in this week's traffic, with how many distinct IPs probed for each. NEW means not seen the week before. The IP counts link to the live matching events.

CVE Title Probing IPs Events
CVE-2026-34197 KEV Apache ActiveMQ - Remote Code Execution 421 968
CVE-2026-41940 KEV cPanel & WHM - Authentication Bypass via Session-File CRLF Injection 34 117
CVE-2025-64328 KEV FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection 14 48
CVE-2024-4577 KEV PHP CGI - Argument Injection 177 234
CVE-2021-34473 KEV Exchange Server - Remote Code Execution 12 12
CVE-2018-10561 KEV GPON Router Command Injection 8 8
CVE-2026-3396 WCAPF WooCommerce Ajax Product Filter - SQL Injection 693 1,097
CVE-2026-4020 Gravity SMTP WordPress Plugin - Sensitive Information Exposure 578 2,776

Paths to grep for

The most broadly probed URL paths of the week, ranked by how many distinct IPs requested them. If any of these return a 200 in your access logs, look closer.

Path IPs Events
/.git/config 741 1,331
/sitemap.xml 730 13,781
/.well-known/security.txt 728 14,907
/login 686 4,741
/project/.git/config 683 1,019
/www/.git/config 682 1,018
/blog/.git/config 682 1,018
/assets/.git/config 682 1,020
/code/.git/config 682 1,001
/html/.git/config 682 997

Most-hit ports

Most-hit ports of the week, with week-over-week change

Change labels are against the prior week. Pivot into any port's live events: 9443, 443, 33, 8240, 8190.

Malware delivered

Payloads captured by the sensors and identified on VirusTotal. One representative hash per family.

Family Sample (VT) Deliveries Source IPs
unclassified 6595029e3a3f6918 25 19
mirai f6c97b1e2ed02578 8 4
ddosagent a30e4dc6895145fe 4 1
bash 3d266ba060261b8e 2 1
r774003 8196589edd7baca1 2 1

The IPs behind everything above are in the feeds, updated continuously. Pivot on any number at the lookup page, or wire the data into an agent over MCP. This report is generated from sensor data every Monday; subscribe below to get it by email.

The weekly threat report

One email every Monday: which ports moved week over week, which KEV and recent CVEs are being probed in the wild, and the attack paths worth grepping your own logs for. Here is a real issue. Research write-ups like this one ride along when they land.

Double opt-in: we send one confirmation email and nothing else until you click it. Unsubscribe in one click, any time.