One of our engineers was reviewing our telemetry dashboard when he came across something unusual: 

A tight cluster of red dots — each one representing a malicious IP — lighting up a rural patch of New Mexico: 

‍

‍

Nothing unusual about botnet traffic. But this time, dozens of malicious IPs were all coming from a single region with a population of just over 3,000 people. 

It didn’t fit the pattern. So we dug in. 

‍

Starting with a Single IP

We zoomed into the map and picked up the first IP: 137.118.82.76. 

It had a troubling combination of GreyNoise tags: 

• Telnet Bruteforcer
• Generic IoT Default Password Attempt
• Mirai 
• D-Link Hardcoded Telnet Attempt

This wasn’t just a misconfigured device — it looked like a system actively participating in a botnet. 

So we pulled the thread. 

‍

A Utility at the Center — and AI in the Loop

Zooming out, we found ~90 IPs in the same New Mexico region, all tied to a single provider: Pueblo of Laguna Utility Authority. 

100% of this traffic was Telnet-based. 

To dig deeper, we used our internal tooling — including the GreyNoise Model Context Protocol (MCP) server (an AI-powered analysis environment) — to iterate quickly on investigation paths. 

We fed IP metadata and network behavior into Claude, exploring ideas in real time. We then used Censys infrastructure data and tshark packet captures to enrich the dataset. 

This AI-powered analysis helped confirm that many of the systems were VOIP-enabled devices.

While we did not identify exact device models for each system, enrichment suggested hardware from Cambium Networks was likely involved in a portion of the activity. 

It wasn’t a one-off misconfiguration — it appeared to be a coordinated cluster of similar systems likely running comparable stacks. 

‍

Tracing it Globally

After confirming the localized activity, we widened the investigation. 

Using GreyNoise tags, behavioral similarity, and Telnet traffic patterns, we identified about 500 IPs globally exhibiting similar traits: 

• A unique JA4t signature — 5840_2-4-8-1-3_1460_1 — representing 90% of the traffic from this ISP, indicating the hardware is similar across compromised hosts. 
• Telnet login attempts using weak or default credentials 
• High session volumes
• Scanning behavior aligned with known Mirai variants 

Some of these IPs were linked to VOIP-capable devices and shared similar infrastructure characteristics — suggesting a wider class of exposed systems is being targeted for botnet activity. 

‍

Why VOIP? Why Now?

VOIP devices often run on older Linux-based firmware, sometimes with Telnet exposed by default. They’re also frequently:

• Internet-facing
• Lightly monitored 
• Infrequently patched

Some Cambium routers, for example, may still be running firmware versions impacted by a known remote code execution (RCE) vulnerability from 2017. 

While we did not confirm exploitation of that CVE in this case, the activity reinforces a broader point: Vulnerabilities remain part of the attack surface long after disclosure. 

We recently explored this dynamic in our latest report on resurgent vulnerabilities, where we highlight how long-patched flaws in edge devices are repeatedly targeted. 

‍

Then It Stopped

Shortly after a member of our team posted a brief mention of the activity on social media, the traffic from the New Mexico utility dropped off — completely. 

Whether coincidence or evidence that attackers monitor visibility, it was a sharp cutoff. 

And shortly after that, activity spiked yet again and the global behavior continued. 

‍

Why This Matters

• VOIP systems are often overlooked in security monitoring. 
• Small utilities and ISPs may unknowingly contribute infrastructure to global botnets. 
• Mirai-style botnets remain opportunistic, leveraging systems wherever available. 

What started as a spike from a single utility in a rural part of the United States became a lens into an ongoing global pattern — one defenders should track closely. 

‍

Defender Recommendations

• Block IPs involved in this activity. 
• Use GreyNoise to identify if your infrastructure is being conscripted into a botnet.
• Audit Telnet exposure, especially on VOIP-enabled systems.  
• Rotate or disable default credentials on edge and SOHO devices. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

---

‍

^{This investigation was sparked by GreyNoise’s keen-eyed Lead Software Engineer Jeff Golden, with contributions from the broader GreyNoise research team.} 

21 July 2025 Update

GreyNoise has received a statement from TeleMessage, stating:

‍CVE-2025-48927 was fully remediated in the TeleMessage environment in early May. That remediation has been independently verified by our third-party cybersecurity partner. As a cloud-native SaaS platform, all fixes were applied centrally, and no action was required by customers. As such, any attempts to exploit CVE-2025-48927 since that time have been unsuccessful.

‍

‍

A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessage^TM SGNL, an enterprise messaging system modeled after Signal, used by government agencies and enterprises alike to archive secure communications. The issue stems from the platform’s continued use of a legacy confirmation in Spring Boot Actuator, where a diagnostic /heapdump endpoint is publicly accessible without authentication. 

If exposed, this endpoint can return a full snapshot of heap memory — roughly 150MB — which may include plaintext usernames, passwords, and other sensitive data. While newer versions of Spring Boot no longer expose this endpoint by default, public reporting indicates that TeleMessage instances continued using the older, insecure configuration through at least May 5, 2025. 

On July 14th, CVE-2025-48927 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

See GreyNoise’s technical writeup here. 

‍

What GreyNoise is Seeing 

As of July 16, GreyNoise has observed 11 IPs attempting to exploit CVE-2025-48927 (tag created July 10). 

Related reconnaissance behavior is ongoing. Our telemetry shows active scanning for Spring Boot Actuator endpoints — a potential precursor to identifying systems affected by CVE-2025-48927. 

• 2,009 IPs have scanned for Spring Boot Actuator endpoints in the past 90 days. 
• 1,582 IPs specifically targeted the /health endpoints — commonly used to detect internet-exposed Spring Boot deployments. 
• GreyNoise has launched a dedicated tag to track scanning tied to this CVE: TeleMessage^TM SGNL Spring Boot Actuator /heapdump Disclosure. 

‍

What to Do

Organizations using Spring Boot — particularly in internal tools or secure messaging environments — should verify whether the /heapdump endpoint is exposed to the internet. 

Recommended actions:

• Block malicious IPs using GreyNoise:
  
  • SPRING BOOT ACTUATOR CRAWLER
  • SPRING BOOT ACTUATOR HEALTH SCANNER
  • TELEMESSAGE TM SGNL SPRING BOOT ACTUATOR /HEAPDUMP DISCLOSURE CVE-2025-48927 ATTEMPT

• Disable or restrict access to the /heapdump endpoint.
• Limit exposure of all Actuator endpoints unless explicitly required. 
• Review deployment configurations and upgrade to a supported version of Spring Boot where secure defaults are enforced. 
• Update TeleMessage^TM SGNL if using that specific application.

‍

GreyNoise will continue monitoring for shifts in scanning behavior and provide updates if exploitation begins. 

‍

‍GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

---

‍

^{This analysis was led by GreyNoise Researcher Howdy Fisher.} 

‍

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4. 

We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer. 

‍

Key Observations

• First observed activity: June 23, 2025
• PoC released: July 4, 2025
• GreyNoise tag published: July 7, 2025
• CISA confirms activity with GreyNoise: July 9, 2025 (prior to KEV addition) 

‍

‍

‍

Targeted Behavior 

Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting. 

‍

CISA Confirmation 

On July 9, shortly after we published the tag, CISA contacted GreyNoise to confirm exploitation activity. CVE-2025-5777 was subsequently added to the Known Exploited Vulnerabilities (KEV) catalog. 

‍

Recommended Actions

Defenders can dynamically block malicious IPs to reduce exposure and suppress alerts. 

‍

‍

The above list will stay updated as new IPs are observed attempting to exploit CVE-2025-5777.

‍

‍GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

GreyNoise has identified a previously untracked variant of a scraper botnet, detectable through a globally unique network fingerprint. While the botnet uses a simple and easily spoofed user-agent string — Hello-World/1.0 — its real signature lies in the behavior of the devices sending the traffic. 

To detect it, GreyNoise analysts created a signature using JA4+, the suite of JA4 signatures used to fingerprint network traffic. This approach allows analysts to detect traffic based not on what it claims to be, but how it behaves — making it difficult to evade or spoof. 

The signature includes: 

• JA4H (HTTP fingerprint): Captures how HTTP headers are ordered and formatted.
• JA4T (TCP fingerprint): Encodes how a device establishes network connections.

These behavioral fingerprints form a meta-signature that is globally unique to this botnet variant. 

‍

Key Characteristics

• First observed: April 19, 2025.
• Traffic pattern: Repeated GET requests over ports 80-85, evenly distributed. 
• User-agent: Hello-World/1.0

GreyNoise has detected over 3,600 unique IPs matching this signature, geolocated around the world: 

‍

‍

Of these IPs: 

• 1,359 (38%) are classified as malicious.
• 122 (3%) are suspicious.
• 2,114 (59%) are not associated with other known activity. 
• Only 1 benign IP was observed.

Targeted systems are predominantly located in the United States and United Kingdom. 

‍

Concentration in Taiwan

Geographic analysis shows a clear concentration of this botnet’s infrastructure in Taiwan, with:

• 1,934 IPs (54%) originating from Taiwanese networks.
• Followed by Japan (315 IPs, 9%), Bulgaria (265 IPs, 7%), and France (111 IPs, 3%).

The dominance of Taiwanese IP space could suggest:

• A common technology or service deployed widely in Taiwan has been compromised.
• Or that local exposure to a shared vulnerability is driving the clustering. 

‍

What Defenders Should Do

GreyNoise users can track this botnet variant in the Visualizer or via API. We recommend defenders: 

• Block all IPs participating in this botnet variant to prevent automated scraping activity.
• Monitor internal traffic for devices reaching out to or from these IPs.
• Track similar JA4+ signatures (more info here), which may indicate related variants or campaigns. 

‍

‍GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

^{This analysis was led by GreyNoise Deception Engineer Towne Besel, who developed the detection signature and conducted the underlying research.}

GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28. 

Since that initial jump, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day — a significant deviation from baseline and an indicator that MOVEit Transfer is once again in the crosshairs.

‍

‍

‍

These patterns often coincide with new vulnerabilities emerging two to four weeks later.

‍

Key Findings 

• 682 unique IPs have triggered GreyNoise’s MOVEit Transfer Scanner tag over the past 90 days.
• The surge began on May 27 — prior activity was near-zero.
• 303 IPs (44%) originate from Tencent Cloud (ASN 132203) — by far the most active infrastructure. 
• Other source providers include Cloudflare (113 IPs), Amazon (94), and Google (34). 
• Top destination countries include the United Kingdom, United States, Germany, France, and Mexico. 
• The overwhelming majority of scanner IPs geolocate to the United States. 

‍

Confirmed Exploitation Attempts on June 12

GreyNoise also observed low-volume exploitation attempts on June 12, 2025, associated with two previously disclosed MOVEit Transfer vulnerabilities: 

‍

CVE-2023-34362

‍

‍

‍

CVE-2023-36934

‍

‍

‍

These events occurred during the period of heightened scanning and may represent target validation or exploit testing, but at this time, no widespread exploitation has been observed by GreyNoise. 

‍

Infrastructure Concentration Suggests Deliberate Scanning

A significant portion of scanner IPs are hosted by a small number of cloud providers: 

• Tencent Cloud (ASN 132203) accounts for 44% of all scanner IPs.
• Other contributors include Cloudflare, Amazon, and Google. 

This level of infrastructure concentration — particularly within a single ASN — suggests that the scanning is deliberate and programmatically managed, rather than random or distributed probing. 

‍

Defender Recommendations

Organizations should take the following steps: 

1. Dynamically block malicious and suspicious IPs using GreyNoise:

‍

‍

2. Audit public exposure of any MOVEit Transfer systems. 

3. Apply patches for known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934.

4. Monitor real-time attacker activity against MOVEit Transfer by navigating to each respective GreyNoise tag:

• MOVEit Transfer Scanner
• CVE-2023-34362
• CVE-2023-36934

‍

We will continue to monitor the situation and provide updates as necessary. 

‍

‍GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}‍

‍On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500. 

‍

Key Stats

• CVE: CVE-2023-28771
• Exploit method: UDP port 500 (IKE packet decoder) 
• Date observed: June 16, 2025
• Duration of activity: One day (June 16, 2025)
• Unique IPs: 244
• Top destination countries: U.S., U.K., Spain, Germany, India.
• IP classification: All malicious per GreyNoise
• Infrastructure: Verizon Business (all IPs geolocated to U.S.)
• Spoofable traffic: Yes (UDP-based)

‍

Observed Activity

Exploitation attempts against CVE-2023-28771 were minimal throughout recent weeks. On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation.

The top destination countries were the U.S., U.K., Spain, Germany, and India.

Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.

‍

‍

IP Analysis 

All 244 IP addresses are registered to Verizon Business infrastructure and geolocated to the United States. However, because CVE-2023-28771 is exploited over UDP (port 500), spoofing is possible and these IPs may not reflect the true source of the traffic. 

Deeper analysis by GreyNoise identified indicators consistent with Mirai botnet variants, as confirmed by VirusTotal. Example payload, and IP metadata below: 

‍

‍

‍

Recommendations

• Block malicious IPs: While spoofing is possible, GreyNoise has classified all 244 IPs as malicious. Defenders should immediately block these IPs while monitoring for related activity. 
• Review Zyxel device exposure: Verify that any internet-exposed Zyxel devices are patched for CVE-2023-28771. 
• Monitor for post-exploitation activity: Exploit attempts may lead to botnet enlistment or additional compromise. Monitor affected devices for anomalies. 
• Limit unnecessary IKE/UDP port 500 exposure: Apply network filtering where possible to reduce unnecessary exposure. 

‍

‍

‍GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. On June 5, 2025, two GreyNoise tags — Tomcat Manager Brute Force Attempt and Tomcat Manager Login Attempt — registered well above baseline volumes, indicating a deliberate attempt to identify and access exposed Tomcat services at scale. 

‍

Summary of Observed Activity

‍

Tomcat Manager Brute Force Attempt

• 250 unique IPs observed 
• Baseline range: 1-15 IPs
• All classified as malicious 

‍

‍

‍

Tomcat Manager Login Attempt

• 298 unique IPs observed 
• Baseline range: 10-40 IPs
• 99.7% classified as malicious 

‍

‍

‍

Summary of Observed Activity

Roughly 400 unique IPs were involved in the activity observed across both tags during this period of elevated activity. Most of the activity originating from these IPs exhibited a narrow focus on Tomcat services. 

A significant portion of this activity originated from infrastructure hosted by DigitalOcean (ASN 14061). 

‍

Recommendations for Defenders

Immediately block the malicious IPs engaged in this activity.

‍

‍

While not tied to a specific vulnerability, this behavior highlights ongoing interest in exposed Tomcat services. Broad, opportunistic activity like this often serves as an early warning of future exploitation.  

Organizations with Tomcat Manager interfaces accessible over the internet should verify that strong authentication and access restrictions are in place. Reviewing recent login activity for anomalies is also advised. 

GreyNoise will continue monitoring for shifts in behavior or signs of follow-on exploitation. Subscribe to the GreyNoise Blog for updates. 

‍

‍GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

This activity was first discovered by GreyNoise on March 18, 2025. Public disclosure was deferred as we coordinated the findings with government and industry partners.   

‍GreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet. 

The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks. While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary. 

‍The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices. The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features. 

‍The activity was uncovered by Sift — GreyNoise’s proprietary AI-powered network payload analysis tool — in combination with fully emulated ASUS router profiles running in the GreyNoise Global Observation Grid. These tools enabled us to detect subtle exploitation attempts buried in global traffic and reconstruct the full attack sequence. 

‍Read the full technical analysis. 

‍

Timeline of Events

March 17, 2025: GreyNoise’s proprietary AI technology, Sift, observes anomalous traffic.  

March 18, 2025: GreyNoise researchers become aware of Sift report and begin investigating.

March 23, 2025: Disclosure deferred as we coordinated the findings with government and industry partners.   

May 22, 2025: Sekoia announces compromise of ASUS routers as part of ‘ViciousTrap.’

May 28, 2025: GreyNoise publishes this blog. 

‍

Summary of Findings

• Thousands of ASUS routers are confirmed compromised, with the number steadily increasing. 
• Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs. 
• Attackers exploit CVE-2023-39780, a command injection flaw, to execute system commands.
• They use legitimate ASUS features to: 
  
  • Enable SSH access on a custom port (TCP/53282).
  • Insert attacker-controlled public key for remote access.
• The backdoor is stored in non-volatile memory (NVRAM) and is therefore not removed during firmware upgrades or reboots. 
• No malware is installed, and router logging is disabled to evade detection. 
• The techniques used reflect long-term access planning and a high level of system knowledge. 

‍

How GreyNoise Found It

The campaign was surfaced by Sift, GreyNoise’s AI-powered analysis tool for detecting novel and anomalous network activity. Sift flagged just three HTTP POST requests — targeting ASUS router endpoints — for deeper inspection. 

These payloads were only observed on our fully emulated ASUS profiles running factory firmware. This infrastructure allowed GreyNoise to:

• Capture full PCAP of the requests and router behavior. 
• Reproduce the attack in a controlled environment.
• Confirm how the backdoor is installed and how it persists.  

Without emulated profiles and deep inspection, this attack would likely have remained invisible. The attacker disables logging and uses official router features, leaving few traces. 

‍

Confirmed Exploitation Chain

1. Initial Access

• Brute-force login attempts. 
• Two authentication bypass techniques (no CVEs assigned).

‍

2. Command Execution 

• Exploitation of CVE-2023-39780 to run arbitrary commands.

‍

3. Persistence 

• SSH access is enabled via official ASUS settings.
• Attacker inserts a custom public SSH key.
• Configuration is stored in NVRAM, not on disk.

‍

4. Stealth

• Logging is disabled before persistence is established. 
• No malware is left behind.

‍

Scope and Visibility 

• As of May 27, nearly 9,000 ASUS routers are confirmed compromised, based on scans from Censys — a platform that continuously maps and monitors internet-facing assets across the global internet. Censys reveals what’s exposed; GreyNoise shows which of those assets are being actively targeted. 
• The number of affected hosts is growing. 
• GreyNoise sensors saw just 30 related requests across three months, demonstrating how quietly this campaign is operating. 

‍

Indicators of Compromise

‍

IP addresses involved in this activity: 

101.99.91.151
101.99.94.173 
79.141.163.179   
111.90.146.237

‍

‍

Backdoor port: 

TCP/53282

‍

Attacker SSH public key (truncated):

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ... 

‍

Has ASUS Released a Patch?

• ASUS patched CVE-2023-39780 in a recent firmware update. 
• The initial login bypass techniques are patched but do not have assigned CVEs.
• The attacker’s SSH configuration changes are not removed by firmware upgrades. 

If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed. 

‍

Recommendations 

• Check ASUS routers for SSH access on TCP/53282. 
• Review the authorized_keys file for unauthorized entries.
• Block the four IPs listed above.
• If compromise is suspected, perform a full factory reset and reconfigure manually.

‍

Block IPs & Read the Full Analysis

For payload details, firmware analysis, and attack reconstruction: 

Read the full technical analysis.

‍

‍

‍

‍GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

Key Takeaways

• 251 malicious IPs, all hosted by Amazon and geolocated in Japan, launched a coordinated one-day scan on May 8.
• These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity. 
• All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation. 
• Overlap analysis confirms tight coordination, not random scanning. 
• Targeted technologies included ColdFusion, Apache Struts, Elasticsearch, WebLogic, Tomcat, and more. 
• All 251 IPs are classified as malicious by GreyNoise.
• This activity reflects patterns outlined in GreyNoise’s latest study, which tracks the reemergence of long-dormant threats. 
• Defenders should take action now: check May 8 logs, block the 251 IPs, dynamically block IPs targeting these 75 tags, and monitor for follow-up exploitation. 
• Similar scanning behavior preceded the discovery of two zero-days in Ivanti EPMM, reinforcing the need to treat coordinated scanning as an early warning signal. 

‍

A Brief, Coordinated Reconnaissance Operation 

On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. Over the span of a single day, these IPs triggered 75 distinct scanning behaviors, each tracked by a GreyNoise tag — ranging from exploitation attempts for known CVEs to probes for misconfigurations and weak points in web infrastructure. 

This operation was opportunistic — as is all scanning observed by GreyNoise — but the infrastructure and execution suggest centralized planning. Every IP was active only on May 8, with no noticeable activity immediately before or after, indicating temporary use of cloud infrastructure rented specifically for this operation.  

‍

Targeted Technologies 

Some of the behaviors observed included exploit attempts for: 

• Adobe ColdFusion — CVE-2018-15961 (RCE)
• Apache Struts — CVE-2017-5638 (OGNL Injection)
• Elasticsearch — CVE-2015-1427 (Groovy Sandbox Bypass RCE)
• Atlassian Confluence — CVE-2022-26134 (OGNL Injection)
• Bash — CVE-2014-6271 (Shellshock)

These CVEs, while disclosed years ago, continue to attract interest from opportunistic attackers — a pattern explored in our latest research, which tracks the return of long-disclosed flaws to the threat landscape. 

‍

Scope of the Scan: 75 Exposure Behaviors

The 251 IPs collectively triggered 75 distinct scanning behaviors, including: 

• Old vulnerability exploits — ColdFusion, Struts, WebLogic, Drupal, Tomcat, Elasticsearch.  
• Recon and enumeration techniques — WordPress author checks, CGI script scanning, web.xml access attempts. 
• Misconfiguration probes — Git config crawlers, ENV variable exposures, shell upload checks. 

This wasn’t an operation focused on one exploit or tech stack. It reflected a broad-spectrum search for any exposed system — particularly older edge infrastructure that may be overlooked in patch cycles. 

The 2025 Verizon DBIR revealed the edge as a critical risk, reporting concerning trends across time-to-mass-exploit and remediation lags in edge technologies. 

‍

Infrastructure Overlap Suggests Central Control

GreyNoise analysis revealed the following: 

• 295 IPs scanned for ColdFusion (CVE-2018-15961).
• 265 IPs scanned for Apache Struts (CVE-2017-5638).
• 260 IPs scanned for Elasticsearch Groovy (CVE-2015-1427).
• 262 IPs overlapped between ColdFusion and Struts.
• 251 IPs overlapped across all three — and triggered 75 GreyNoise tags. 

This level of overlap points to a single operator or toolset deployed across many temporary IPs — an increasingly common pattern in opportunistic but orchestral scanning. 

‍

Block These Malicious IPs

GreyNoise has compiled the full list of all 251 malicious IPs observed in this operation. 

13.112.127.102,13.112.137.152,13.112.240.11,13.112.5.89,13.112.69.56,13.113.0.143,13.113.184.40,13.113.217.149,13.114.127.223,13.114.149.129,13.114.218.63,13.114.31.226,13.114.60.193,13.114.98.0,13.115.180.180,13.115.202.46,13.115.229.240,13.115.2.3,13.115.69.54,13.115.71.29,13.230.129.147,13.230.147.105,13.230.225.215,13.230.233.152,13.230.5.184,13.230.8.99,13.230.96.118,13.231.106.81,13.231.146.138,13.231.146.225,13.231.146.246,13.231.153.70,13.231.174.40,13.231.179.96,13.231.184.66,13.231.185.166,13.231.189.33,13.231.191.131,13.231.212.197,13.231.213.253,13.231.214.67,13.231.224.0,13.231.232.177,13.231.232.45,13.231.41.82,13.231.5.78,175.41.228.130,18.176.55.146,18.176.59.175,18.177.143.78,18.177.146.44,18.179.142.39,18.179.197.80,18.179.198.67,18.179.206.138,18.179.30.23,18.179.45.108,18.179.45.73,18.179.46.150,18.179.46.189,18.179.61.223,18.181.212.31,18.182.15.49,18.182.26.23,18.182.9.108,18.182.9.65,18.183.102.143,18.183.102.157,18.183.105.164,18.183.131.125,18.183.165.137,18.183.168.179,18.183.168.64,18.183.176.53,18.183.186.98,18.183.208.224,18.183.213.115,18.183.221.123,18.183.225.18,18.183.229.102,18.183.233.113,18.183.245.235,18.183.248.39,18.183.75.21,18.183.80.208,3.112.124.171,3.112.131.166,3.112.14.18,3.112.150.85,3.112.18.153,3.112.18.248,3.112.203.162,3.112.208.32,3.112.211.126,3.112.218.237,3.112.227.46,3.112.231.205,3.112.233.225,3.112.235.102,3.112.238.114,3.112.253.75,3.112.26.102,3.112.28.119,3.112.32.198,3.112.32.225,3.112.5.87,3.113.0.228,3.113.0.28,3.113.15.97,3.113.25.14,3.113.32.74,35.72.14.113,35.72.14.164,35.72.4.135,35.72.9.173,35.77.105.104,35.77.90.69,35.77.93.26,43.206.215.21,43.206.231.122,43.206.234.13,43.206.235.211,43.206.253.231,43.207.0.130,43.207.103.240,43.207.105.145,43.207.115.43,43.207.118.103,43.207.1.24,43.207.139.186,43.207.150.212,43.207.155.29,43.207.155.87,43.207.166.102,43.207.170.51,43.207.191.167,43.207.198.203,43.207.201.71,43.207.202.54,43.207.203.44,43.207.225.86,43.207.232.1,43.207.232.100,43.207.3.58,43.207.74.241,43.207.79.249,43.207.81.76,52.192.111.156,52.192.125.55,52.192.14.49,52.192.27.19,52.192.56.196,52.192.99.140,52.194.205.49,52.194.220.244,52.194.248.125,52.194.250.54,52.194.254.213,52.195.11.174,52.195.12.82,52.195.171.70,52.195.177.128,52.195.181.143,52.195.183.23,52.195.189.155,52.195.189.78,52.195.194.167,52.195.207.5,52.195.208.52,52.195.209.222,52.195.211.238,52.195.218.94,52.195.221.157,52.195.3.244,52.195.8.164,52.197.210.229,52.199.10.181,52.199.149.12,52.199.199.160,52.199.253.240,52.199.8.84,52.68.188.9,52.68.94.94,52.69.157.91,52.69.46.191,54.150.219.131,54.168.241.135,54.168.247.234,54.168.71.21,54.178.0.190,54.178.114.236,54.178.4.74,54.178.5.144,54.199.101.111,54.199.161.31,54.199.176.59,54.199.40.192,54.199.77.18,54.199.94.62,54.238.101.236,54.238.147.176,54.238.179.56,54.238.189.57,54.238.237.183,54.238.237.9,54.238.4.12,54.238.80.76,54.248.152.214,54.248.156.216,54.248.201.195,54.248.36.134,54.249.121.50,54.249.133.28,54.249.155.117,54.249.219.65,54.249.26.220,54.250.153.158,54.250.161.184,54.250.16.51,54.250.188.209,54.250.237.20,54.250.241.63,54.250.244.142,54.250.244.229,54.250.33.160,54.250.33.94,54.65.130.227,54.65.45.54,54.95.18.182,54.95.193.225,54.95.23.202,54.95.23.87,54.95.36.237,57.180.10.227,57.180.18.215,57.180.242.12,57.180.246.9,57.180.248.217,57.180.27.121,57.180.35.101,57.180.38.232,57.180.40.26,57.180.41.47,57.180.42.39,57.180.47.171,57.180.47.190,57.180.48.122,57.180.56.170,57.180.9.137,57.181.30.246,57.181.37.146

Defenders should block these IPs immediately. While follow-up exploitation may come from different infrastructure, GreyNoise classified all 251 IPs as malicious in real time. Dynamic IP blocking using GreyNoise allows defenses to respond instantly to new scanning infrastructure as it appears, removing guesswork and reducing exposure windows. 

‍

Dynamically Block IPs Targeting These 75 Tags

Identify which of the 75 GreyNoise tags apply to your environment and dynamically block IPs engaging in that activity. 

Edge & Middleware RCEs

‍

CMS & Web App Exploits

‍

IoT & Hardware Targets

‍

Reconnaissance & Crawlers

‍

File Uploads & Web Shells

‍

SQLi & Path Traversal

‍

Legacy & Resurgent CVEs

‍

Authentication & Config Scans

‍

Miscellaneous or Unclassified

‍

GreyNoise will continue to monitor this situation and provide updates as necessary. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

The bottom line: Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after GreyNoise reported a surge in scanning activity against other Ivanti technologies last month. Immediate patching is required.

‍

‍

Why It Matters

When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile (EPMM) systems. In April, GreyNoise warned about a 9X surge in scanning against Ivanti products — that reconnaissance has now transitioned to exploitation.

‍

The Vulnerabilities

• CVE-2025-4427 (CVSS: 5.3): Authentication bypass via improper validation sequence
• CVE-2025-4428 (CVSS: 7.2): Remote code execution through Expression Language injection

How they work: The flaws target the /api/v2/featureusage and /api/v2/featureusage_history endpoints. Input validation occurs before authentication checks, allowing attackers to inject malicious code without credentials.

‍

What We're Seeing

• We initialy observed a small number of attempts to exploit CVE-2025-4427 from one IP address — 212.102.51.249 — on 2025-05-16 (~02:30 GMT), but only attacking our Ivanti sensors, so the attacks are unlikely to be random/opportunistic in nature
• The IP count has since risen to three — all non-spoofable and malicious, originating from Indonesia, United States, and India.
• Pattern follows predicted reconnaissance → exploitation lifecycle
• Activity tracked via our CVE-2025-4427 🏷️ 

‍

Who Discovered It

Credit to Project Discovery and WatchTowr for their excellent technical analysis:

• Project Discovery revealed validation precedes authorization in Spring MVC's workflow.
• WatchTowr provided detailed proof-of-concept exploits showing the order-of-operations issue.

Affected Versions & Patches

Vulnerable:

• 11.12.0.4 and earlier
• 12.3.0.1, 12.4.0.1, 12.5.0.0

‍

Patched:

• 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1

‍

Take Action Now

1. Patch immediately to fixed versions.
2. Review logs for suspicious API activity.
3. Block malicious IPs using GreyNoise Intelligence tag-focused block lists.
4. Implement WAF rules if patching is delayed.
5. Hunt for IOCs focusing on unusual API access patterns.

‍

The Big Picture

This case demonstrates why monitoring scanning trends provides early warning of attacks. The exploitation activity is currently limited, but will likely accelerate as more threat actors incorporate these vulnerabilities into their toolkits.

Organizations with Portal ACLs or WAF restrictions have reduced exposure, but patching remains the only complete solution.

‍

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

‍

Key Insight: Why This Matters

The 2025 DBIR highlights a critical area of importance for vulnerability management teams: edge vulnerabilities. 

Exploitation of edge vulnerabilities in breaches has surged eightfold. Yet, nearly one in three edge KEVs remain fully unpatched — despite being widely recognized as critical risks.

This isn’t a matter of awareness (they’re on CISA’s KEV). It’s about action and prioritization. Real-time intelligence is a must in this situation, giving insight into what attackers are targeting now — ensuring the most pressing threats are identified and resolved quickly. 

This year’s DBIR findings necessitate swift action on the part of defenders, particularly as it relates to edge exploitation. 

‍

Executive Summary 

New findings from the 2025 Verizon Data Breach Investigations Report (DBIR) reveal a critical shift in how attackers breach organizations — and how defenders are simultaneously making strides and falling short:  

‍

Speed and Awareness:

• Exploitation of edge KEVs begins immediately — the median time from disclosure to mass exploitation for edge KEVs is zero days, compared to five days for all KEVs. 
• Defenders are prioritizing edge vulnerabilities more than others:
  
  • 54% of edge KEVs were remediated, compared to 38% of all KEVs.
  • Median time to remediate edge KEVs was 32 days, faster than the 38-day median for all KEVs. 
• ‍This presents a concerning duality — on one hand, time-to-exploit for edge vulnerabilities is zero days; meanwhile, it takes defenders an average of 32 days to remediate these flaws. This significant window of exposure represents a critical risk for most organizations on their edge.

‍

Scale: 

• Vulnerability exploitation is second only to credential theft as a means of breaching organizations.  
• Edge vulnerabilities were used in 22% of breaches involving vulnerability exploitation — an eightfold increase from 3% last year. 

‍

Action Gap: 

• Despite this prioritization, nearly one in three edge KEVs remain fully unremediated — the highest rate of full non-remediation among CVEs and KEVs tracked in the DBIR. 

‍

GreyNoise research reveals a deeper complication: Old edge vulnerabilities are resurging, magnifying the risks defenders face. 

‍

Vulnerability Exploitation Is a Growing Breach Method — and Edge Vulnerabilities Are Central

Vulnerability exploitation is rising as a breach method — and edge vulnerabilities, in particular, are being exploited far more often to break into organizations. 

The Verizon DBIR shows: 

• One in five breaches involved vulnerability exploitation, a 34% rise from last year — second only to credential theft. 
• Among those breaches, exploitation of edge vulnerabilities surged eightfold. 

Despite heightened attention, edge KEVs remain the most likely vulnerabilities to be left unpatched — even though they are already recognized as critical risks. 

This points to a widening gap between risk awareness and defensive action. 

‍

GreyNoise Research Reveals the Growing Risk of Vulnerability Resurgence

The DBIR highlights how quickly attackers exploit vulnerabilities — especially those in edge technologies. 

GreyNoise research reveals a deeper problem: attackers also return to older edge vulnerabilities defenders may have deprioritized. 

• Edge vulnerabilities are already slipping through defenders’ patching efforts. 
• GreyNoise observes attackers opportunistically reviving overlooked vulnerabilities — creating unexpected exposure long after the initial disclosure fades from focus. 

Our research uncovered that resurgent vulnerabilities follow three main attack patterns, visualized as follows (read the full report here): 

‍

Static patching models, focused on CISA KEV, CVSS, and EPSS alone, can miss these shifts. 

Dynamic, exploitation-driven intelligence can reveal when old vulnerabilities become active risks again — cutting through the complex attack patterns above by relying on near real-time alerts of heightened activity. 

‍

Resurgence Disproportionately Affects the Edge 

Our analysis revealed that half of the top exploited resurgent vulnerabilities affect edge assets — with 70% of Black Swans, the most unpredictable class of resurgent flaws, affecting the edge. 

‍

The DBIR and GreyNoise research indicate that edge assets are becoming one of the most attractive targets for attackers. 

‍

What Defenders Must Do

Today’s edge threat environment demands a new approach: 

• Prioritize vulnerabilities based on observed, active exploitation, not just severity ratings. 
• Continuously monitor for resurgence — because old threats can quietly reemerge.
• Adopt dynamic, real-time intelligence models that evolve with attacker behavior. 
• Dynamically block threats with real-time intelligence. Attackers are pivoting infrastructure, utilizing trusted IPs to engage in reconnaissance and launch attacks at scale — limiting the effectiveness of static defenses. 

‍

Read the full report: A Blindspot in Cyber Defense: How Resurgent Vulnerabilities Jeopardize Organizational Security.

‍

— — — 

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

‍GreyNoise observed a significant increase in crawling activity targeting Git configuration files on April 20-21, 2025. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. This activity is tracked under the GreyNoise Git Config Crawler tag, which identifies IPs crawling the internet for sensitive Git configuration files. 

‍

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

‍

Majority of IPs are Malicious — Potential Regional Targeting

GreyNoise observed nearly 4,800 unique IP addresses daily from April 20-21, marking a substantial increase compared to typical levels. Although activity was globally distributed, Singapore ranked as both the top source and destination for sessions during this period, followed by the U.S. and Germany as the next most common destinations. 

Likewise, in the past 90 days by unique IP count, Singapore remains the top source and destination country for this activity. None of the IPs are spoofed, indicating the traffic originated from the IPs observed. GreyNoise can confirm that 95% of all IPs engaged in this behavior in the past 90 days are malicious.  

‍

Top Source Countries:

• Singapore (4,933 unique IPs)
• U.S. (3,807 unique IPs)
• Germany (473 unique IPs)
• U.K. (395 unique IPs)
• Netherlands (321 unique IPs)

‍

Top Destination Countries: 

• Singapore (8,265 unique IPs)
• U.S. (5,143 unique IPs)
• Germany (4,138 unique IPs)
• U.K. (3,417 unique IPs)
• India (3,373 unique IPs)

The IPs are linked to cloud infrastructure providers such as Cloudflare, Amazon, and DigitalOcean.

‍

Four Spikes Since September — April the Largest Yet

Since September 2024, GreyNoise has observed four distinct spikes in Git configuration crawling activity, each involving approximately 3,000 unique IPs — with the April 20-21, 2025 spike marking the largest to date. 

‍

‍

The late February spike tells somewhat of a different story in terms of source and destination session traffic:

‍

Top Source Countries:

• Netherlands 
• U.S. 
• Germany

‍

Top Destination Countries:

• U.S.
• U.K. 
• Spain

‍

Why It Matters

Git configuration files can reveal: 

• Remote repository URLs (GitHub, GitLab)
• Branch structures and naming conventions 
• Metadata that provides insight into internal development processes

In some cases, if the full .git directory is also exposed, attackers may be able to reconstruct the entire codebase — including commit history, which may contain confidential information, credentials, or sensitive logic. 

In 2024, a Git configuration breach exposed 15,000 credentials and resulted in 10,000 cloned private repositories. 

‍

Recommendations

To prevent this type of exposure: 

• Ensure .git/ directories are not accessible via public web servers
• Block access to hidden files and folders in web server configurations
• Monitor logs for repeated requests to .git/config and similar paths
• Rotate any credentials exposed in version control history

‍

Related CVE:

CVE-2021-23263

‍

GreyNoise will continue to monitor the situation and provide updates as necessary. To stay abreast of the latest developments, please navigate to the top of this page and subscribe to our blog. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — — 

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

May 20, 2025 Update:

Our April 23 report highlighted a sharp surge in scanning activity targeting Ivanti Connect Secure and Pulse Secure products. Just weeks later, two zero-day vulnerabilities were disclosed in Ivanti EPMM — a separate but related technology. Click the yellow button below to view attacker IPs targeting these zero-days in real time.

‍

‍

While the scanning we observed was not directly tied to EPMM, the timeline underscores a critical reality: scanning activity often precedes the public emergence of zero-day vulnerabilities. It’s a leading indicator — a signal that attackers are probing critical systems, potentially in preparation for future exploitation. 

For defenders, this reinforces the value of watching real-time reconnaissance trends. Watching scanning patterns offers a rare opportunity to anticipate zero-days before they surface and proactively harden exposed systems.

‍

‍

On April 18, 2025, GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems. 

More than 230 unique IPs probed ICS/IPS endpoints — a sharp rise from the usual daily baseline of fewer than 30. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation. 

‍

‍

What We’re Seeing

GreyNoise has a tag tracking suspicious scanning activity for Ivanti Connect Secure systems. This tag includes IPs observed attempting to identify internet-accessible ICS/IPS systems.

‍

‍

Observed Spike: 234 Unique IPs on April 18, 2025

Observed Activity in Past 90 Days: 1,004 Unique IPs 

Spoofable IPs: 0% (All IPs are not spoofable)

IP Classifications: 

• 634 Suspicious
• 244 Malicious
• 126 Benign

‍

Top 3 Source Countries:

• U.S. 
• Germany 
• Netherlands

‍

Top 3 Destination Countries:

• U.S. 
• Germany 
• U.K.

‍

Infrastructure Insights

A closer look at the source infrastructure reveals a notable split in behavior:

• Malicious IPs (those observed in other known malicious activity) are primarily using: 
  
  • Tor exit nodes
  • Common cloud and VPS providers with familiar names. 
• Suspicious IPs are linked to:
  
  • Lesser-known or niche hosting providers. 
  • Less mainstream cloud infrastructure. 

‍

Why This Matters

Ivanti Connect Secure has been targeted repeatedly in recent years due to its role in enterprise remote access. 

While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities. 

‍

Recommended Defensive Actions

Security teams should: 

• Review logs for suspicious probes of ICS/IPS.
• Monitor login activity from new or suspicious IPs. 
• Block known malicious or suspicious IPs using GreyNoise. 
• Patch all ICS/IPS systems with the latest updates. 

‍

GreyNoise will continue tracking this activity and will publish updates as necessary. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — — 

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

Attackers from every corner of the internet are exploiting a uniquely dangerous class of cyber flaws: resurgent vulnerabilities. 

These aren’t being exploited as zero-days — and spikes in activity rarely make headlines. They’re older flaws that quietly return to relevance as attacker interest reignites. Some were deprioritized years ago. Others were never seen as serious. But today, they’re being opportunistically exploited at scale, often in edge technologies like firewalls, routers, and VPNs — the very internet-facing assets attackers use for initial access and persistence. 

GreyNoise’s latest research breaks down these vulnerabilities — how they behave, why they’re dangerous, and what defenders and policymakers need to know to stay ahead. 

‍

‍

Key Takeaways:  

• Resurgent vulnerabilities fall into three distinct behavioral categories: Utility, Periodic, and Black Swan. Each category has unique exploitation patterns, with Black Swan being the most unpredictable. 
• Over half of the top exploited resurgent CVEs and nearly 70% of Black Swan vulnerabilities affect edge technologies, such as routers and VPNs — the very technologies attackers use for initial access and persistence. 
• Some CVEs are first exploited years after disclosure, creating long-standing blind spots in many patching programs. 
• Resurgent exploitation often arrives without warning, underscoring the need for adaptive patch management and dynamic blocking strategies that account for dormant but dangerous vulnerabilities. 
• Government and private threat intelligence providers have reported state-sponsored exploitation of old vulnerabilities. GreyNoise Intelligence continues to observe widespread opportunistic activity against many of the same flaws. 

‍

Inside the report: 

• A new framework for understanding how vulnerabilities resurface.
• Behavioral patterns of resurgence — and what they mean for defenders. 
• Visuals and examples of resurgent CVEs exploited at scale. 
• Tactical insights for security professionals and policymakers to improve patch prioritization, dynamic blocking, and risk mitigation.

‍

Download the full report and prepare before the next wave hits. 

‍

‍

— — —

‍

^{Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

GreyNoise has observed a significant spike — 3 times that of typical activity — in exploitation attempts against TVT NVMS9000 DVRs, peaking on April 3 at over 2,500 unique IPs. This information disclosure vulnerability can be used to gain administrative control over affected systems. 

GreyNoise has identified sufficient overlap with Mirai, indicating this activity is associated with the botnet. Countless reports in the past have named the TVT NVMS9000 DVR as a target for botnet enlistment, including a GreyNoise update reporting Mirai targeting in early March. 

Manufactured by TVT Digital Technology Co., Ltd., a Shenzhen-based company, NVMS9000 DVRs are reportedly used in security and surveillance systems. The DVRs are used for recording, storing, and managing video footage from security cameras. A company report mentions TVT has “served customers in more than 120 countries.” 

Most malicious IP addresses are targeting systems based in the United States, United Kingdom, and Germany. 

‍

GreyNoise Observations 

On March 31, 2025, GreyNoise observed the beginning of a surge in unique IP addresses attempting to exploit the NVMS9000 DVR. The number of IPs peaked at over 2,500 on April 3, with over 6,600 IPs attempting to exploit the flaw in the past 30 days. 

GreyNoise can confirm that all IPs targeting the flaw in the past 30 days are malicious, and none of them are spoofable. 

‍

‍

Attackers could potentially use this flaw to gain full control of the DVR. 

‍

Source and Destination Countries

The majority of IPs in the past 30 days have originated from the Asia-Pacific (APAC) region, while the U.S., U.K., and Germany are the top target countries.  

‍

Top Source Countries

• Taiwan (3,637 IPs)
• Japan (809 IPs)
• South Korea (542 IPs). 

‍

Top Destination Countries

• United States (6,471 IPs)
• United Kingdom (5,738 IPs)
• Germany (5,713 IPs). 

‍

Mitigations 

Organizations using the NVMS9000 DVR or similar systems should ensure that they are properly secured. Recommended actions include: 

• Use GreyNoise to block known malicious IP addresses attempting to exploit this vulnerability. 
• Apply all available patches.
• Restrict public internet access to DVR interfaces. 
• Monitor network traffic for signs of unusual scanning or exploitation attempts. 

Monitor attacker activity targeting this flaw and block malicious IPs. 

‍

Stay updated by visiting the GreyNoise tag for this activity. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

April 7, 2025 Update

After GreyNoise’s reporting of heightened activity targeting key technologies on March 28, we now observe on April 7 a significant rise in exploitation attempts against Linksys E-Series routers. 

GreyNoise assesses the activity is linked to Mirai. 

The associated GreyNoise tag is:

• Linksys E-Series TheMoon Remote Command Injection Attempt

‍

‍

These updates come at a time when routers and other edge technologies are reportedly attracting significant interest from advanced, well-resourced attackers.

‍

On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools. 

This uptick suggests increased reconnaissance or exploitation attempts, indicating that threat actors may be probing for vulnerabilities or unpatched systems. Security teams should be aware of this trend and assess potential risks. 

‍

Observed Activity 

GreyNoise telemetry indicates a marked increase in in-the-wild activity targeting these systems.

View real-time activity and block malicious IPs by navigating to the GreyNoise Visualizer’s CVE Search feature and pasting CVEs of interest. 

‍

Ivanti

‍

SonicWall

‍

Zoho

‍

Zyxel

‍

F5

‍

Linksys 

‍

Recommended Actions

1. Patch Management: Ensure that all systems are up to date with the latest security patches to mitigate known vulnerabilities. 
2. Network Monitoring: Closely monitor traffic — retroactively analyzing March 28 logs — for unusual patterns or activity targeting these systems. 
3. Threat Intelligence & Dynamic Blocking: Use GreyNoise to view real-time activity targeting these systems, and to block malicious IPs. 

View real-time activity and block malicious IPs by navigating to the GreyNoise Visualizer’s CVE Search feature and pasting CVEs of interest. 

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

May 2, 2025 Update:  

GreyNoise has observed a sharp and sustained decline in suspicious opportunistic scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals — dropping by more than 99 percent within 48 hours of our March 31 report. 

Opportunistic scanning activity fell from a peak of 20,000 unique IPs per day to just over 100 per day, and remained low through April until now.

3xK Tech GmbH IP Infrastructure Abused

The majority of IPs involved in this activity are associated with the provider, 3xK Tech GmbH — accounting for nearly 20,000 of the 25,000+ IPs observed in the past 90 days. Of the physical subnets in which these IPs exist, 80 to 90 percent were involved in this activity. 

Similar to recent GreyNoise reporting on Git Config scanning, where actors abused Cloudflare infrastructure, actors are now relying heavily on infrastructure provided by 3xK Tech GmbH.

Threat actors are increasingly rotating between infrastructure providers, making provider-based blocking both ineffective and unsustainable. Dynamic IP blocking is essential to defend against these threats and future ones alike.

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

‍

GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation. 

Recent patterns observed by GreyNoise suggest that this activity may signal the emergence of new vulnerabilities in the near future: 

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.” 

‍

Key Observations 

• The spike began on March 17, 2025, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off. 
• Most of the observed activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs). 

The consistency of this activity suggests a planned approach to testing network defenses, potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals. 

‍

‍

A significant portion of the traffic is associated with 3xK Tech GmbH (20,010 IPs) under ASN200373. Other notable contributors include PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.

Additionally, GreyNoise has identified three JA4h hashes linked to the login scanner tool: 

• po11nn11enus_967778c7bec7_000000000000_000000000000
• po11nn09enus_fb8b2e7e6287_000000000000_000000000000
• po11nn060000_c4f66731b00d_000000000000_000000000000

These hashes indicate the use of specific connection patterns typical of the login scanner tool used by the attackers in question, allowing GreyNoise to identify and correlate separate login attempts as originating from the same toolkit.

Source and Destination Analysis 

• Source Countries: Predominantly originating from the United States (16,249) and Canada (5,823), followed by Finland, Netherlands, and Russia.  
• Destination Countries: The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore. 

These patterns reflect the global nature of the activity, indicating that multiple regions are being targeted.

‍

Concurrent Crawler Activity Detected

The activity appears to be linked to other PAN-OS reconnaissance-related tags such as PAN-OS Crawler, where a single spike was observed on March 26, 2025 involving 2,580 unique source IPs. 

‍

‍

Reminiscent of 2024 Espionage Campaign

This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos. While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access. 

‍

Recommendations

Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.

View Attacker Activity & Block Malicious IPs

GreyNoise will continue to monitor the situation and provide updates if material developments arise. 

Navigate now to the GreyNoise Visualizer to:

‍

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

‍

Following reports of widespread reboots affecting DrayTek routers globally, GreyNoise is bringing awareness to in-the-wild activity against several known vulnerabilities in DrayTek devices. While we cannot confirm a direct connection between this activity and the reported reboots, we are surfacing this data to help defenders monitor and respond accordingly.

Observed In-The-Wild Activity 

GreyNoise has observed in-the-wild activity against the following CVEs:

• CVE-2020-8515 — a remote code execution vulnerability in multiple DrayTek router models. 
• CVE-2021-20123 — a directory traversal vulnerability in DrayTek VigorConnect. 
• CVE-2021-20124 — a second directory traversal vulnerability in DrayTek VigorConnect. 

Below is a breakdown of recent in-the-wild activity observed by the GreyNoise Global Observation Grid (GOG).

Across all CVEs, GreyNoise has observed the following activity in the past 45 days:

‍

By CVE, we’ve seen the following: 

‍

CVE-2020-8515: Remote Code Execution 

• No activity in the past 24 hours. 
• 82 IPs observed in the past 30 days.
• Top destination countries by sessions in the past week: Indonesia, Hong Kong, United States. 

‍

‍

CVE-2021-20123: Directory Traversal

• Activity in the past 24 hours. 
• 23 IPs observed in the past 30 days.
• Top destination countries by sessions in the past week: Lithuania, United States, Singapore. 

‍

‍

CVE-2021-20124: Directory Traversal

• Activity in the past 24 hours. 
• 22 IPs observed in the past 30 days.
• Top destination countries by sessions in the past week: Lithuania, United States, Singapore.

‍

‍

GreyNoise will continue to monitor in-the-wild activity related to DrayTek devices. Explore the GreyNoise Visualizer for the latest activity. 

‍

Read the SecurityWeek report detailing the reboots. 

‍

‍

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}‍