RESEARCH — PUBLISHED AS WE CAPTURE IT UPDATED 2026-07-09

Field notes from the fleet

Threat breakdowns, vulnerability analysis, and what our honeypots are catching — written for the small teams defending the places that matter most.

FILTER ALL VULNERABILITY FLEET NOTES ACTIVE EXPLOITATION
VULNERABILITY FEATURED 2026-07-09 · CVE-2026-11405 · CERT/CC VU#213560
A hidden password that lets anyone in: CVE-2026-11405
Several Tenda router firmware builds ship with an undocumented second password: when the normal login fails, the device checks a hidden value and hands full admin to any username that matches. No patch, vendor unreachable, public PoC circulating — on the cheap routers at the edge of small utilities, farms, and facilities.
Read the analysis →
pre-auth no valid login needed
role=2 full admin granted
no patch vendor not reachable
VULNERABILITY 2026-07-08 CVE-2026-8451: CitrixBleed comes back to the NetScaler front doorA pre-authentication memory overread in NetScaler appliances configured as SAML identity providers: a malformed login makes the box leak fragments of its own memory. Already under active exploitation on the appliances that front remote access into hospitals, utilities, and plant networks. Read → VULNERABILITY 2026-07-05 CVE-2026-13768: one hard-coded cloud key, an entire fleet of gardensA hard-coded, owner-level Azure IoT Hub key shipped on every Gardyn indoor garden: one extracted key enumerates the entire device fleet, runs commands on any unit, and pivots onto the owner's home network. CISA rated it a perfect 10.0. Read → FLEET NOTES 2026-07-01 June fleet report: the Bestiary gains two new archetypesWhat 7M+ events taught us this month — including the first sustained agentic-attacker sessions we've captured and why the Nuisance Scanner population doubled. Read →
Deception Check mark © 2026 Deception Check, Inc.
Home Bestiary Waitlist