Honeypot Data Reveals Persistent Cyber Threats: A Year in Exploit Trends (2025–2026)
Between May 2025 and May 2026, a global network of honeypots recorded over 9.2 million security events originating from 54,000 unique IP addresses across 163 countries, offering a snapshot of evolving cyber threats. The data, collected from strategically deployed decoy systems, highlights sustained attacker interest in vulnerable services, with SSH (75% of events) dominating activity, reinforcing the risks of exposing the protocol directly to the internet. Web applications (10%) and SMTP services (10%) followed, while attacks on medical protocols remained negligible.
Top Exploited Vulnerabilities
Nine vulnerabilities stood out for their high exploitation rates, with React2Shell (CVE-2025-55182), a critical flaw in Next.js servers, leading the pack. Disclosed in December 2025, it triggered a surge in attacks, with six IP addresses accounting for 90% of December’s activity. Other notable targets included:
- ProxyLogon/ProxyShell/ProxyNotShell (Microsoft Exchange): Persistent exploitation since 2021, leveraging unpatched servers for SYSTEM-level access.
- Shellshock (CVE-2014-6271): A decade-old Bash vulnerability still actively probed for initial access.
- ThinkPHP (CVE-2018-25270): Sustained attacks on the Chinese PHP framework following its 2026 disclosure.
- Log4Shell (CVE-2021-44228): Declining but still targeted, reflecting its historical impact.
- Legacy Router Flaws: D-Link DIR-645 (CVE-2015-2051) and Netgear DGN1000/DGN2000 (CVE-2024-12847) saw renewed activity, tied to campaigns like RondoDox.
- CrushFTP (CVE-2025-54309): A single, concentrated attack on October 13, 2025, exploiting a race-condition flaw.
Key Observations
- Web applications faced relentless attacks, with CVEs like React2Shell and ProxyShell driving spikes.
- Routers and IoT devices remained prime targets, often via decade-old vulnerabilities.
- Exploit timelines varied: Some flaws (e.g., CrushFTP) saw brief, intense campaigns, while others (e.g., Shellshock) endured as persistent threats.
- Attacker behavior aligned globally, with honeypot operators reporting similar patterns.
The data underscores the longevity of high-impact vulnerabilities and the risks of unpatched systems, even years after disclosure. Honeypots continue to serve as critical tools for detecting emerging threats and attacker methodologies.
Source: https://www.stormshield.com/news/current-cyberattack-trends-variations-honeypots/
NETGEAR cybersecurity rating report: https://www.rankiteo.com/company/netgear
Vercel cybersecurity rating report: https://www.rankiteo.com/company/vercel
D-Link cybersecurity rating report: https://www.rankiteo.com/company/dlink-corp
The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation
"id": "NETVERDLITHE1780583187",
"linkid": "netgear, vercel, dlink-corp, the-apache-software-foundation",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cybersecurity Research',
                        'location': 'Global (163 countries)',
                        'name': 'Global honeypot network',
                        'type': 'Decoy systems'}],
 'attack_vector': ['SSH', 'Web Applications', 'SMTP', 'Legacy Protocols'],
 'date_detected': '2025-05-01',
 'date_publicly_disclosed': '2026-05-01',
 'description': 'Between May 2025 and May 2026, a global network of honeypots recorded over 9.2 million security events originating from 54,000 unique IP addresses across 163 countries, highlighting evolving cyber threats. The data revealed sustained attacker interest in vulnerable services, with SSH (75% of events) dominating activity, followed by web applications (10%) and SMTP services (10%). Nine vulnerabilities were heavily exploited, including React2Shell (CVE-2025-55182), ProxyLogon/ProxyShell/ProxyNotShell, Shellshock, ThinkPHP, Log4Shell, and legacy router flaws.',
 'impact': {'systems_affected': 'Decoy honeypot systems'},
 'investigation_status': 'Completed (Research Analysis)',
 'lessons_learned': 'The data underscores the longevity of high-impact vulnerabilities and the risks of unpatched systems, even years after disclosure. Honeypots serve as critical tools for detecting emerging threats and attacker methodologies.',
 'post_incident_analysis': {'corrective_actions': 'Implement patch management, restrict SSH access, and deploy honeypots for threat detection.',
                            'root_causes': 'Unpatched vulnerabilities, exposed SSH services, and legacy system exploitation.'},
 'recommendations': 'Patch high-impact vulnerabilities promptly, avoid exposing SSH directly to the internet, and monitor legacy systems for exploitation attempts.',
 'references': [{'source': 'Honeypot Data Report (2025–2026)'}],
 'title': 'Honeypot Data Reveals Persistent Cyber Threats: A Year in Exploit Trends (2025–2026)',
 'type': ['Exploit Trends', 'Vulnerability Exploitation'],
 'vulnerability_exploited': ['CVE-2025-55182 (React2Shell)',
                             'ProxyLogon/ProxyShell/ProxyNotShell (Microsoft Exchange)',
                             'CVE-2014-6271 (Shellshock)',
                             'CVE-2018-25270 (ThinkPHP)',
                             'CVE-2021-44228 (Log4Shell)',
                             'CVE-2015-2051 (D-Link Dir-645)',
                             'CVE-2024-12847 (Netgear DGN1000/DGN2000)',
                             'CVE-2025-54309 (CrushFTP)']}