KEVSEC // INTELLIGENCE REPORT // OPEN SOURCE // UNCLASSIFIED
Weekly Intelligence Briefing · Week 22, 2026 · KEVSEC Operations Center

KEVSEC Weekly Intelligence Report — June 4, 2026

June 4, 2026 | 1783 words | 8 sections
// Section 1 of 8

Executive Summary

This KEVSEC Weekly Intelligence Report covers the period ending June 4, 2026. Active threat sensor infrastructure recorded 123 inbound probe attempts from 15 unique source IPs across the reporting window. The SSH tarpit neutralized 565 unique scanner IPs, consuming 23.0 hours of adversary connection time. 34 IPs were permanently banned following honeypot engagement. The cumulative nftables blocklist now stands at 3,568,966 permanently blocked addresses.

Key intelligence findings this cycle: 20 vulnerability disclosures tracked by NVD including 6 Critical-rated CVEs; state-affiliated probe activity attributed to Pakistan infrastructure. Full analysis across cyber threat intelligence, infrastructure defense metrics, vulnerability landscape, global events, and government intelligence follows.


// Section 2 of 8

Cyber Threat Intelligence

Over the past seven days, the KEVSEC honeypot and network sensor infrastructure logged 123 inbound probe attempts from 15 unique IP addresses — a steady tempo consistent with broad opportunistic reconnaissance campaigns. The activity spans automated SSH brute-force sweeps, HTTP vulnerability scanners, and targeted probes against exposed management interfaces, reflecting the persistent baseline noise of internet-facing infrastructure.

State-affiliated infrastructure contributed a measurable share of inbound activity. The top nation-state sources by probe volume were: 🇵🇰 Pakistan (3 recorded hits via Cyber Internet Services (Pvt) Ltd.). Attribution to state actors is based on autonomous system ownership as resolved through BGP routing data — it reflects infrastructure origin, not necessarily direct government sponsorship of individual scanning operations.

At the autonomous system level, the highest-volume sources were: Google Cloud Platform (97 hits); Google LLC (9 hits); GoDaddy.com, LLC (3 hits); Cyber Internet Services (Pvt) Ltd. (3 hits). The presence of cloud hosting providers and residential ISPs within the top sources underscores how threat actors leverage commodity infrastructure to distribute scanning operations and complicate attribution.

The vulnerability front saw 6 notable disclosures this reporting period, including 6 rated Critical and 0 rated High. The highest-priority finding was CVE-2026-41553 (CVSS 10.0) — PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. Defenders are advised to prioritize patching based on EPSS exploitation probability scores alongside raw CVSS severity ratings.


// Section 3 of 8

Infrastructure Defense Metrics

The KEVSEC endlessh SSH tarpit has processed 565 unique adversary IP addresses and consumed a cumulative 23.0 hours of attacker connection time since deployment — including 23.0 hours in this reporting period alone. The tarpit operates by accepting SSH connections on port 22 and deliberately delaying the protocol handshake, tying up scanner threads and consuming attacker resources without providing any authentication surface. Tarpit data feeds directly into the nftables permanent blocklist — identified scanner IPs are automatically flagged for injection into the deny ruleset, preventing future connection attempts.

The HTTP honeypot layer logged 123 probe attempts from 15 unique IPs during this period. 34 IPs triggered automatic permanent bans via the honeypot engagement pipeline. Monitored honeypot paths include common WordPress admin panels, phpMyAdmin instances, environment file endpoints, Git configuration directories, and known CVE-targeted paths — all designed to catch automated exploitation frameworks and manual attackers alike.

Fail2ban enforcement triggered across 4 active jails this cycle. Top jail activity by ban count: honeypot-probe (10 bans); sshd-root (10 bans); sshd (6 bans); honeypot-trap (4 bans). The sshd and sshd-root jails represent brute-force credential attacks against the management interface; honeypot-probe and honeypot-trap jails capture HTTP-layer exploitation attempts.

The nftables blacklist enforced 15 logged block events from 1 enforcement source. Block sources: HONEYPOT (15).

Cumulative platform metrics: 3,568,966 IPs permanently blocked in the nftables deny ruleset; 385 total probe events logged across all sensor layers since deployment. The permanent blocklist is maintained as a compiled nftables set and is reloaded hourly from the consolidated blacklist — ensuring minimal performance overhead while providing comprehensive pre-connection blocking.
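As an added illustration of the tarpit-to-blocklist pipeline this section describes (example code written for this report, not the KEVSEC platform's own tooling): it parses constructed log lines in the endlessh ACCEPT/CLOSE format, derives the unique-IP and hours-consumed metrics the report quotes, and renders an nftables set with a drop rule of the kind a consolidated blacklist would be compiled into. The log layout, the table and set names, the IPv4-only assumption and the 60-second ban threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the endlessh log format; documentation-range addresses only.
SAMPLE_LOG = """\
2026-06-01T01:02:03.000Z ACCEPT host=::ffff:203.0.113.10 port=51000 fd=5 n=1/4096
2026-06-01T01:02:04.000Z ACCEPT host=::ffff:198.51.100.7 port=40211 fd=6 n=2/4096
2026-06-01T01:32:03.500Z CLOSE host=::ffff:203.0.113.10 port=51000 fd=5 time=1800.500 bytes=3600
2026-06-01T02:02:04.000Z CLOSE host=::ffff:198.51.100.7 port=40211 fd=6 time=3600.000 bytes=7200
2026-06-01T03:00:00.000Z ACCEPT host=::ffff:203.0.113.10 port=51234 fd=5 n=1/4096
2026-06-01T03:30:00.000Z CLOSE host=::ffff:203.0.113.10 port=51234 fd=5 time=1800.000 bytes=3600
"""

# Only CLOSE records carry the time= field; the IPv4-mapped ::ffff: prefix is dropped
# (assumption: IPv4 scanners only, matching the ipv4_addr set rendered below).
CLOSE_RE = re.compile(
    r"CLOSE host=(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port=\d+ fd=\d+ time=(?P<secs>[0-9.]+)"
)

def summarize_tarpit(log_text):
    """Map each scanner IP to the total seconds it was held in the tarpit."""
    held = defaultdict(float)
    for line in log_text.splitlines():
        m = CLOSE_RE.search(line)
        if m:
            held[m.group("ip")] += float(m.group("secs"))
    return dict(held)

def tarpit_metrics(held):
    """Unique scanner IPs and cumulative adversary time in hours, as the report states them."""
    return len(held), round(sum(held.values()) / 3600, 1)

def nft_blocklist(held, min_seconds=60.0):
    """Render an nftables table: a set of scanner IPs plus an input-hook drop rule.
    IPs held under min_seconds (assumed threshold) never waited on the handshake and are skipped."""
    ips = sorted(ip for ip, secs in held.items() if secs >= min_seconds)
    elements_line = f"        elements = {{ {', '.join(ips)} }}\n" if ips else ""
    return (
        "table inet kevsec_block {\n"
        "    set scanners {\n"
        "        type ipv4_addr\n"
        + elements_line +
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority -10; policy accept;\n"
        "        ip saddr @scanners drop\n"
        "    }\n"
        "}\n"
    )
```

The rendered text can be loaded with `nft -f` on a host that has nftables; the set is what an hourly reload would replace.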


// Section 4 of 8

Vulnerability Landscape

The National Vulnerability Database published or updated 8 significant vulnerabilities during this reporting window — 6 rated Critical and 2 rated High. EPSS (Exploit Prediction Scoring System) probability data, where available, is included to help prioritize remediation efforts against actively exploited or exploit-imminent weaknesses.

CVE-2026-41553 (CVSS 10.0, CRITICAL, published 2026-05-15): PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the maliciou[…] EPSS exploitation probability: 34.0%.

CVE-2026-44774 (CVSS 9.9, CRITICAL, published 2026-05-15): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the RES[…] EPSS exploitation probability: 2.0%.

CVE-2026-5229 (CVSS 9.8, CRITICAL, published 2026-05-15): The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which Wo[…] EPSS exploitation probability: 14.0%.

CVE-2026-45772 (CVSS 9.8, CRITICAL, published 2026-05-15): Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted reposit[…] EPSS exploitation probability: 10.0%.

CVE-2020-37228 (CVSS 9.8, CRITICAL, published 2026-05-16): iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retri[…] EPSS exploitation probability: 10.0%.

Organizations should review their asset inventory against the affected vendors and platforms listed above. Where EPSS scores exceed 10%, treat remediation as urgent regardless of CVSS rating, as probability of observed in-the-wild exploitation is elevated.

Cross-reference: internal red team assessment identified 1 High/Critical finding against platform infrastructure this cycle. See the Red Team Assessment section for full details.


// Section 5 of 8

Global Security Events

The Global Disaster Alerting and Coordination System (GDACS) flagged 6 significant events during this reporting period, 0 carrying red-level alerts and 0 at the orange threshold. Red alerts indicate high humanitarian impact potential requiring immediate international response coordination.

⚠ Green flood alert in Türkiye (GREEN alert, Türkiye): FL event logged Tue, 02 Ju.

⚠ Green forest fire notification in Australia (GREEN alert, Australia): WF event logged Thu, 04 Ju.

⚠ Green forest fire notification in Australia (GREEN alert, Australia): WF event logged Thu, 04 Ju.

⚠ Green forest fire notification in Australia (GREEN alert, Australia): WF event logged Thu, 04 Ju.

USGS seismic monitoring recorded 5 significant earthquakes this week. The highest-magnitude event was a M6.2 located 22 km WSW of Scarcelli, Italy, registered 2026-06-01 5:12 PM CT. Events above M6.0 in densely populated regions are tracked for potential secondary effects on critical infrastructure, supply chains, and regional stability.

NIFC wildfire monitoring reports 6 active wildfires across the United States covering approximately 130,869 total acres. Largest active incidents: Herman Ranch (KS, 35,455 acres, 90% contained); Pineland Road (GA, 32,031 acres, 98% contained); SEVEN CABINS (NM, 31,867 acres, 64% contained); Hwy 82 (GA, 22,419 acres, 98% contained). Active wildfires in populated regions are tracked for potential air quality impacts, infrastructure disruption, and emergency services strain that may degrade local response capabilities.

NOAA Space Weather Prediction Center reports current geomagnetic activity at Kp=0.0 (0Z); conditions are quiet (nominal). No active SWPC alerts during this reporting period. Elevated geomagnetic activity (Kp≥5) can impact HF communications, satellite navigation accuracy, and high-latitude power grid stability, which is relevant for emergency communications planning and critical infrastructure operators.


// Section 6 of 8

Government & Political Intelligence

White House and presidential activity tracked during this reporting period reflects the following developments: "Strengthening Customs Enforcement" | "Implementing Schedule Policy/Career in the Excepted Service" | "Trump strips job protections from 8,000 federal workers - NPR". Presidential movements and official actions are catalogued from White House RSS feeds and corroborating news sources to provide an unfiltered activity record.

Additional government intelligence from Pentagon, DHS, State Dept captures the broader policy and operations picture. "Army cuts training as service is short billions of dollars - ABC News - Breaking News, Latest News and Videos"; "War Department Continues to Encourage Civilians to Augment Homeland Security Border Mission - U.S. Department of War (.gov)"; "Duckworth Grills Secretary Rubio on State Department Cuts That Undermine Diplomacy and Make Americans Less Safe - Suburban Chicagoland".

The 119th Congress is currently in session. Current composition: House 220R/213D; Senate 53R/45D. Active legislative items tracked this week: "A Growing Share of Federal Spending Escapes Regular Congressional Review - Bipartisan Policy Center"; "Defense Funding Put in Context-2026-05-27 - Committee for a Responsible Federal Budget"; "House passes housing affordability bill that softens institutional investor ban - CNN".


// Section 7 of 8

Red Team Assessment

Automated red team assessment of https://kevsec.com completed 2026-05-31T03:00:24.943371. Scan returned 0 Critical, 1 High, 3 Medium, 1 Low, and 39 informational findings. Overall posture: HIGH-PRIORITY FINDINGS PRESENT. The KEVSEC platform performs weekly automated security assessments against its own externally-facing infrastructure, correlating findings against known-good baseline configurations to identify drift, misconfigurations, or newly exposed attack surface.

Actionable findings this cycle:

[MEDIUM] Auth — Login rate limiting may not be active (test inconclusive from localhost): Could not trigger lockout in 7 attempts — verify _check_rate_limit is wired to login route

[MEDIUM] SSH — Password authentication enabled on SSH: PasswordAuthentication yes

[MEDIUM] SSH — Password authentication enabled on SSH: PasswordAuthentication yes

[HIGH] Firewall — nftables may not be applying rules: Log check failed and nft list tables returned error: Command '['sudo', 'nft', 'list', 'tables']' timed out after 8 seconds
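An added example (not the platform's scanner) showing why the SSH finding above calls for an effective-value check rather than a plain text match: outside Match blocks sshd keeps the first value it obtains for a keyword, while a satisfied Match block overrides the global value. The sshd_config excerpt is constructed; Include directives are not followed, which is an assumption the comment flags.

```python
import re

# Constructed sshd_config excerpt (not the platform's real file). sshd uses the FIRST value it
# obtains for a keyword, so the late global "yes" is inert, but the Match block re-enables
# password auth for one address range. An Include that sets the keyword earlier would win too.
SAMPLE_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin prohibit-password
PasswordAuthentication no
# Added later by hand; ignored because a value was already obtained above
PasswordAuthentication yes

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def effective_values(config_text, keyword):
    """Return (global_value, {match_criteria: value}); included files are not read (assumption)."""
    global_value = None
    match_values = {}
    current_match = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            current_match = value
            continue
        if key != keyword.lower():
            continue
        if current_match is None:
            if global_value is None:      # first-value-wins outside Match blocks
                global_value = value
        else:
            match_values.setdefault(current_match, value)  # first instance per block
    return global_value, match_values

def password_auth_findings(config_text):
    """Flag the report's '[MEDIUM] SSH' condition wherever password auth is reachable."""
    global_value, match_values = effective_values(config_text, "PasswordAuthentication")
    findings = []
    if (global_value or "yes").lower() == "yes":  # sshd's default is yes when unset
        findings.append("global: PasswordAuthentication yes")
    for crit, val in match_values.items():
        if val.lower() == "yes":
            findings.append(f"Match {crit}: PasswordAuthentication yes")
    return findings
```

On a live host, `sshd -T` (optionally with `-C user=...,addr=...` to evaluate Match blocks) prints the merged effective configuration and is the authoritative check.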

23 security controls confirmed in-place during this assessment cycle. Verified controls include: strict-transport-security; content-security-policy; x-frame-options; x-content-type-options; referrer-policy; permissions-policy; Env file exposed: /.env → HONEYPOT ACTIVE; Git repo exposed: /.git/config → HONEYPOT ACTIVE.

Red team findings are triaged weekly. Critical and High findings trigger immediate remediation workflows. Medium findings are tracked in the configuration backlog. All findings are re-assessed on the following cycle to confirm remediation.


// Section 8 of 8

Analyst Notes

From an analyst standpoint, this reporting period reinforces several persistent trends worth monitoring. Scanning pressure from Pakistan-attributed infrastructure remains consistent — no significant surge, but no decline either.

Vulnerability priority should center on CVE-2026-41553 and any assets running affected software versions. Organizations running unpatched internet-facing systems against this week's Critical disclosures should treat those systems as compromised until verified otherwise.

The political intelligence picture continues to evolve with frequent executive activity. Downstream policy effects on regulatory posture, federal IT procurement, and agency operational tempo remain areas to watch in subsequent reporting cycles.

Infrastructure defense posture remains active. The tarpit consumed 23.0 hours of adversary time this week alone — a passive but meaningful drain on automated scanning resources targeting this platform. Consistent tarpit engagement without escalation suggests adversaries have not flagged this infrastructure as a high-value target warranting manual follow-up, though this assessment should be revisited if targeted probe patterns emerge.

Environmental conditions bear monitoring: 6 active wildfires are currently burning across the US. Wildfire incidents of sufficient scale can stress emergency communications infrastructure, trigger emergency management coordination activity, and create information operations opportunities around disaster response narratives.

KEVSEC reports are generated weekly from live sensor data, open-source intelligence feeds, and public government sources. Data reflects conditions at the time of generation and should be supplemented with direct-source verification for operational decisions.