Patient Zero: A Self-Replicating HTTP Exploit Chain Captured by Honeypot
Our HTTP honeypot captured a self-replicating exploit chain in the wild: 46 requests in 16 seconds, six different vulnerability families, and a payload designed to turn every compromised server into a new scanner. CGI shell injection, CVE-2024-4577, PHPUnit eval-stdin across 37 path variations, ThinkPHP RCE, pearcmd file inclusion, and a Docker API probe. Each exploit carries an MD5 verification canary. Each successful infection spawns a copy of itself. This is not a tool. It is a contagion.
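A burst like this is detectable by its shape: one source touching several unrelated exploit families within seconds. The sketch below is an added example, not the honeypot's own code; the URL signatures, the `min_families` threshold and the sample events are assumptions, and only the 16-second window comes from the capture described above.

```python
import re
from collections import defaultdict
# Assumed URL signatures for the six families the article names; widely
# published indicators, not patterns extracted from the captured requests.
FAMILY_PATTERNS = {
    "cgi_shell_injection": re.compile(r"^/cgi-bin/.*(?:\.|%2e){2}.*/bin/(?:ba)?sh", re.I),
    "cve_2024_4577": re.compile(r"\?.*%ad", re.I),
    "phpunit_eval_stdin": re.compile(r"/phpunit/.*eval-stdin\.php", re.I),
    "thinkphp_rce": re.compile(r"[?&]s=.*think.*invokefunction", re.I),
    "pearcmd_inclusion": re.compile(r"pearcmd", re.I),
    "docker_api_probe": re.compile(r"^/(?:v\d+\.\d+/)?(?:containers/json|version|info)(?:\?|$)", re.I),
}

def classify(path):
    """Return the first family whose signature matches the path, else None."""
    return next((f for f, p in FAMILY_PATTERNS.items() if p.search(path)), None)

def find_chains(events, window=16.0, min_families=3):
    """Map each source to the largest set of families it hit within `window` seconds."""
    hits = defaultdict(list)
    for ts, src, path in events:
        if family := classify(path):
            hits[src].append((ts, family))
    flagged = {}
    for src, seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window forward
            families = {f for _, f in seen[start:end + 1]}
            if len(families) >= min_families and len(families) > len(flagged.get(src, ())):
                flagged[src] = sorted(families)
    return flagged

# Constructed sample events: (seconds, source IP, request path).
SAMPLE = [
    (0, "203.0.113.7", "/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"),
    (2, "203.0.113.7", "/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1"),
    (5, "203.0.113.7", "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"),
    (8, "203.0.113.7", r"/index.php?s=/index/\think\app/invokefunction"),
    (11, "203.0.113.7", "/index.php?lang=../../../../usr/local/lib/php/pearcmd"),
    (15, "203.0.113.7", "/containers/json"),
    (0, "192.0.2.44", "/phpunit/eval-stdin.php"),  # three families, hours apart
    (3600, "192.0.2.44", "/?file=pearcmd"),
    (7200, "192.0.2.44", "/containers/json"),
]
if __name__ == "__main__":
    print(find_chains(SAMPLE))
```

The second source matches three families but never inside one window, so it is not reported; tune `min_families` against your own background scan noise.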

