GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4.
We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer.
Key Observations
First observed activity: June 23, 2025
PoC released: July 4, 2025
GreyNoise tag published: July 7, 2025
CISA confirms activity with GreyNoise: July 9, 2025 (prior to KEV addition)
Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting.
CISA Confirmation
On July 9, shortly after we published the tag, CISA contacted GreyNoise to confirm exploitation activity. CVE-2025-5777 was subsequently added to the Known Exploited Vulnerabilities (KEV) catalog.
Recommended Actions
Defenders can dynamically block malicious IPs to reduce exposure and suppress alerts.
The above list will stay updated as new IPs are observed attempting to exploit CVE-2025-5777.
GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.
— — —
Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
GreyNoise observed a significant increase in crawling activity targeting Git configuration files on April 20-21, 2025. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. This activity is tracked under the GreyNoise Git Config Crawler tag, which identifies IPs crawling the internet for sensitive Git configuration files.
Majority of IPs are Malicious — Potential Regional Targeting
GreyNoise observed nearly 4,800 unique IP addresses daily from April 20-21, marking a substantial increase compared to typical levels. Although activity was globally distributed, Singapore ranked as both the top source and destination for sessions during this period, followed by the U.S. and Germany as the next most common destinations.
Likewise, in the past 90 days by unique IP count, Singapore remains the top source and destination country for this activity. None of the IPs are spoofed, indicating the traffic originated from the IPs observed. GreyNoise can confirm that 95% of all IPs engaged in this behavior in the past 90 days are malicious.
Top Source Countries:
Singapore (4,933 unique IPs)
U.S. (3,807 unique IPs)
Germany (473 unique IPs)
U.K. (395 unique IPs)
Netherlands (321 unique IPs)
Top Destination Countries:
Singapore (8,265 unique IPs)
U.S. (5,143 unique IPs)
Germany (4,138 unique IPs)
U.K. (3,417 unique IPs)
India (3,373 unique IPs)
The IPs are linked to cloud infrastructure providers such as Cloudflare, Amazon, and DigitalOcean.
Four Spikes Since September — April the Largest Yet
Since September 2024, GreyNoise has observed four distinct spikes in Git configuration crawling activity, each involving approximately 3,000 unique IPs — with the April 20-21, 2025 spike marking the largest to date.
The late February spike tells a somewhat different story in terms of source and destination session traffic:
Top Source Countries:
Netherlands
U.S.
Germany
Top Destination Countries:
U.S.
U.K.
Spain
Why It Matters
Git configuration files can reveal:
Remote repository URLs (GitHub, GitLab)
Branch structures and naming conventions
Metadata that provides insight into internal development processes
In some cases, if the full .git directory is also exposed, attackers may be able to reconstruct the entire codebase — including commit history, which may contain confidential information, credentials, or sensitive logic.
In 2024, a Git configuration breach exposed 15,000 credentials and resulted in 10,000 cloned private repositories.
Recommendations
To prevent this type of exposure:
Ensure .git/ directories are not accessible via public web servers
Block access to hidden files and folders in web server configurations
Monitor logs for repeated requests to .git/config and similar paths
Rotate any credentials exposed in version control history
GreyNoise will continue to monitor the situation and provide updates as necessary.
Our April 23 report highlighted a sharp surge in scanning activity targeting Ivanti Connect Secure and Pulse Secure products. Just weeks later, two zero-day vulnerabilities were disclosed in Ivanti EPMM — a separate but related technology.
While the scanning we observed was not directly tied to EPMM, the timeline underscores a critical reality: scanning activity often precedes the public emergence of zero-day vulnerabilities. It’s a leading indicator — a signal that attackers are probing critical systems, potentially in preparation for future exploitation.
For defenders, this reinforces the value of watching real-time reconnaissance trends. Watching scanning patterns offers a rare opportunity to anticipate zero-days before they surface and proactively harden exposed systems.
End of Update
-----
On April 18, 2025, GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems.
More than 230 unique IPs probed ICS/IPS endpoints — a sharp rise from the usual daily baseline of fewer than 30. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation.
GreyNoise has a tag tracking suspicious scanning activity for Ivanti Connect Secure systems. This tag includes IPs observed attempting to identify internet-accessible ICS/IPS systems.
Observed Spike: 234 Unique IPs on April 18, 2025
Observed Activity in Past 90 Days: 1,004 Unique IPs
Spoofable IPs: 0% (none of the observed IPs are spoofable)
IP Classifications:
634 Suspicious
244 Malicious
126 Benign
Top 3 Source Countries:
U.S.
Germany
Netherlands
Top 3 Destination Countries:
U.S.
Germany
U.K.
Infrastructure Insights
A closer look at the source infrastructure reveals a notable split in behavior:
Malicious IPs (those observed in other known malicious activity) are primarily using:
Tor exit nodes
Common cloud and VPS providers with familiar names.
Suspicious IPs are linked to:
Lesser-known or niche hosting providers.
Less mainstream cloud infrastructure.
Why This Matters
Ivanti Connect Secure has been targeted repeatedly in recent years due to its role in enterprise remote access.
While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities.
Recommended Defensive Actions
Security teams should:
Review logs for suspicious probes of ICS/IPS.
Monitor login activity from new or suspicious IPs.
Patch all ICS/IPS systems with the latest updates.
GreyNoise will continue tracking this activity and will publish updates as necessary.
GreyNoise has observed a significant spike — 3 times that of typical activity — in exploitation attempts against TVT NVMS9000 DVRs, peaking on April 3 at over 2,500 unique IPs. This information disclosure vulnerability can be used to gain administrative control over affected systems.
GreyNoise has identified sufficient overlap with Mirai, indicating this activity is associated with the botnet. Countless reports in the past have named the TVT NVMS9000 DVR as a target for botnet enlistment, including a GreyNoise update reporting Mirai targeting in early March.
Manufactured by TVT Digital Technology Co., Ltd., a Shenzhen-based company, NVMS9000 DVRs are reportedly used in security and surveillance systems. The DVRs are used for recording, storing, and managing video footage from security cameras. A company report mentions TVT has “served customers in more than 120 countries.”
Most malicious IP addresses are targeting systems based in the United States, United Kingdom, and Germany.
GreyNoise Observations
On March 31, 2025, GreyNoise observed the beginning of a surge in unique IP addresses attempting to exploit the NVMS9000 DVR. The number of IPs peaked at over 2,500 on April 3, with over 6,600 IPs attempting to exploit the flaw in the past 30 days.
GreyNoise can confirm that all IPs targeting the flaw in the past 30 days are malicious, and none of them are spoofable.
Attackers could potentially use this flaw to gain full control of the DVR.
Source and Destination Countries
The majority of IPs in the past 30 days have originated from the Asia-Pacific (APAC) region, while the U.S., U.K., and Germany are the top target countries.
Top Source Countries
Taiwan (3,637 IPs)
Japan (809 IPs)
South Korea (542 IPs)
Top Destination Countries
United States (6,471 IPs)
United Kingdom (5,738 IPs)
Germany (5,713 IPs)
Mitigations
Organizations using the NVMS9000 DVR or similar systems should ensure that they are properly secured. Recommended actions include:
Stay updated by visiting the GreyNoise tag for this activity.
After GreyNoise’s reporting of heightened activity targeting key technologies on March 28, we now observe on April 7 a significant rise in exploitation attempts against Linksys E-Series routers.
GreyNoise assesses the activity is linked to Mirai.
These updates come at a time when routers and other edge technologies are reportedly attracting significant interest from advanced, well-resourced attackers.
End of Update
-----
On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools.
This uptick suggests increased reconnaissance or exploitation attempts, indicating that threat actors may be probing for vulnerabilities or unpatched systems. Security teams should be aware of this trend and assess potential risks.
Observed Activity
GreyNoise telemetry indicates a marked increase in in-the-wild activity targeting these systems.
GreyNoise has observed a sharp and sustained decline in suspicious opportunistic scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals — dropping by more than 99 percent within 48 hours of our March 31 report.
Opportunistic scanning activity fell from a peak of 20,000 unique IPs per day to just over 100 per day, and remained low through April until now.
3xK Tech GmbH IP Infrastructure Abused
The majority of IPs involved in this activity are associated with the provider 3xK Tech GmbH — accounting for nearly 20,000 of the 25,000+ IPs observed in the past 90 days. Of the physical subnets in which these IPs exist, 80 to 90 percent were involved in this activity.
Similar to recent GreyNoise reporting on Git Config scanning, where actors abused Cloudflare infrastructure, actors are now relying heavily on infrastructure provided by 3xK Tech GmbH.
Threat actors are increasingly rotating between infrastructure providers, making provider-based blocking both ineffective and unsustainable. Dynamic IP blocking is essential to defend against these threats and future ones alike.
End of Update
-----
GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation.
Recent patterns observed by GreyNoise suggest that this activity may signal the emergence of new vulnerabilities in the near future:
“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”
Key Observations
The spike began on March 17, 2025, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off.
Most of the observed activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs).
The consistency of this activity suggests a planned approach to testing network defenses, potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals.
A significant portion of the traffic is associated with 3xK Tech GmbH (20,010 IPs) under ASN200373. Other notable contributors include PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.
Additionally, GreyNoise has identified three JA4h hashes linked to the login scanner tool:
These hashes indicate the use of specific connection patterns typical of the login scanner tool used by the attackers in question, allowing GreyNoise to identify and correlate separate login attempts as originating from the same toolkit.
Source and Destination Analysis
Source Countries: Predominantly originating from the United States (16,249) and Canada (5,823), followed by Finland, Netherlands, and Russia.
Destination Countries: The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore.
These patterns reflect the global nature of the activity, indicating that multiple regions are being targeted.
Concurrent Crawler Activity Detected
The activity appears to be linked to other PAN-OS reconnaissance-related tags such as PAN-OS Crawler, where a single spike was observed on March 26, 2025 involving 2,580 unique source IPs.
This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos. While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access.
Recommendations
Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.
GreyNoise will continue to monitor the situation and provide updates if material developments arise.
Following reports of widespread reboots affecting DrayTek routers globally, GreyNoise is bringing awareness to in-the-wild activity against several known vulnerabilities in DrayTek devices. While we cannot confirm a direct connection between this activity and the reported reboots, we are surfacing this data to help defenders monitor and respond accordingly.
Observed In-The-Wild Activity
GreyNoise has observed in-the-wild activity against the following CVEs:
CVE-2020-8515 — a remote code execution vulnerability in multiple DrayTek router models.
CVE-2021-20123 — a directory traversal vulnerability in DrayTek VigorConnect.
CVE-2021-20124 — a second directory traversal vulnerability in DrayTek VigorConnect.
Below is a breakdown of recent in-the-wild activity observed by the GreyNoise Global Observation Grid (GOG).
Across all CVEs, GreyNoise has observed the following activity in the past 45 days:
By CVE, we’ve seen the following:
CVE-2020-8515: Remote Code Execution
No activity in the past 24 hours.
82 IPs observed in the past 30 days.
Top destination countries by sessions in the past week: Indonesia, Hong Kong, United States.
Attackers are actively exploiting Apache Tomcat servers by leveraging CVE-2025-24813, a newly disclosed vulnerability that, if successfully exploited, could enable remote code execution (RCE). GreyNoise has identified multiple IPs engaging in this activity across multiple regions.
Fortunately, GreyNoise can confirm exploit traffic is currently limited to naive attackers utilizing PoC code.
We created a new CVE-2025-24813 tag to help defenders track this activity.
Active Exploitation Detected
GreyNoise has observed four unique IPs attempting to exploit this vulnerability since March 17, 2025. Attackers are leveraging a partial PUT method to inject malicious payloads, potentially leading to arbitrary code execution on vulnerable systems.
Exploitation is already underway, with attack attempts spanning multiple countries. Given Apache Tomcat’s widespread deployment, these early signs of activity suggest more exploitation is likely to follow.
Geographic Distribution
Targeted Regions
The majority of exploit attempts targeted systems in the United States, Japan, India, South Korea, and Mexico, with over 70% of sessions directed at U.S.-based systems.
Attack Origin
GreyNoise observed exploitation attempts as early as March 11, though this activity is not reflected in the GreyNoise Visualizer.
Within the visualizer, we first observed exploit attempts from a Latvia-based IP on March 18, followed by separate attempts on March 19 from IPs traced to Italy, the United States, and China. Notably, the Latvia-based IP showed no further activity after March 18, and the two IPs traced to Latvia and Italy are linked to a known VPN service.
Today, GreyNoise observed another exploit attempt from the U.S.-based IP. Neither the China-based nor the U.S.-based IP is spoofable.
Mitigations & Recommendations
To protect against CVE-2025-24813, organizations running affected versions of Apache Tomcat should:
Apply the latest security patches immediately.
Monitor for unexpected PUT requests in web server logs.
Deploy WAF rules to block malicious payloads.
Use GreyNoise to track real-time exploitation activity and block malicious IPs.
Organizations should immediately assess their Apache Tomcat deployments and apply patches to mitigate potential RCE risks.
GreyNoise is actively tracking this activity in real time — defenders can access our latest intelligence to block malicious IPs.
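The two log-monitoring recommendations on this page, watching for repeated requests to .git/config and similar paths (Git Config Crawler post) and watching for unexpected PUT requests (CVE-2025-24813 post), can be covered by one retro-hunt over web server access logs. The script below is an added example, not GreyNoise code; it assumes Apache/nginx "combined" log format, a hypothetical /uploads/ prefix where PUT is legitimate, and constructed sample lines using RFC 5737 documentation addresses.

```python
"""
Retro-hunt over web server access logs for two probe patterns:
  * requests for Git metadata (/.git/config, /.git/HEAD, ...), and
  * PUT requests to paths where uploads are not expected.

Assumptions (not from the GreyNoise posts): combined log format, and
/uploads/ is the only location where PUT is legitimate on this server.
"""
import re
from collections import defaultdict

# Combined log format: host ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Any path under a .git directory signals someone looking for exposed Git metadata.
GIT_PATHS = re.compile(r'/\.git(/|$)', re.IGNORECASE)

# Hypothetical location where PUT is expected (e.g. a WebDAV upload area).
ALLOWED_PUT_PREFIXES = ("/uploads/",)


def parse_line(line):
    """Return the fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Label a parsed record with the probe category it matches, or None."""
    path = rec["path"]
    if GIT_PATHS.search(path):
        # A 200 means the directory really is exposed, not merely probed.
        return "git-exposed" if rec["status"] == "200" else "git-probe"
    if rec["method"] == "PUT" and not path.startswith(ALLOWED_PUT_PREFIXES):
        # Combined format does not record the Content-Range header that makes a
        # PUT "partial", so every PUT to an unexpected path is surfaced.
        # 201/204 means the server actually accepted the body.
        return "put-success" if rec["status"] in ("201", "204") else "put-attempt"
    return None


def hunt(lines):
    """Group findings by source IP: {ip: {category: count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings[rec["ip"]][label] += 1
    return {ip: dict(cats) for ip, cats in findings.items()}


# Constructed sample log (documentation addresses, not real sources).
LOG = """\
203.0.113.10 - - [21/Apr/2025:03:14:07 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Apr/2025:03:14:08 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2025:03:20:41 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "curl/8.5.0"
198.51.100.22 - - [18/Mar/2025:11:02:13 +0000] "PUT /notes.txt HTTP/1.1" 409 0 "-" "python-requests/2.31"
198.51.100.22 - - [18/Mar/2025:11:02:14 +0000] "PUT /notes.txt HTTP/1.1" 201 0 "-" "python-requests/2.31"
192.0.2.5 - - [18/Mar/2025:11:05:00 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 0 "-" "DAV-client/1.0"
192.0.2.9 - - [18/Mar/2025:11:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, cats in sorted(hunt(LOG.splitlines()).items()):
        print(ip, cats)
```

Any status other than 200 on a .git path is reported as a probe (so a 403 from a hidden-file deny rule still shows who is looking), while a 200 means the directory is actually exposed and the credential-rotation step applies.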
GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities:
CVE-2024-4879 (Critical)
CVE-2024-5217 (Critical)
CVE-2024-5178 (Medium)
All three vulnerabilities have seen attacker interest in the past 24 hours.
Over 70% of sessions in the past week were directed at systems in Israel. Over the past week, targeted systems have been detected in Israel, Lithuania, Japan, and Germany, though only Israel and Lithuania saw activity in the past 24 hours.
These vulnerabilities reportedly may be chained together for full database access.
Notable Increase in Attacker Interest
GreyNoise has recorded the highest number of unique IPs targeting these vulnerabilities in the past month. The number of threat IPs observed in the past 24 hours — with unique IPs in the past 30 days — is as follows:
Organizations using ServiceNow should take the following steps immediately:
Apply Security Patches: Ensure all affected ServiceNow instances are updated with the latest security fixes.
Restrict Access: Limit exposure of management interfaces to prevent unauthorized access.
Monitor Trends: Use GreyNoise to track activity related to these vulnerabilities.
GreyNoise will continue monitoring this evolving situation and provide real-time intelligence on observed activity. Leverage the GreyNoise Visualizer to stay updated with the latest.
Update (March 12, 2025): New Evidence Suggests Attackers Are Mapping Infrastructure Before Exploitation
GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge on March 9, indicating attackers may be using Grafana as a foothold for deeper exploitation. While direct attribution is unclear, the timing suggests a multi-phase attack strategy, where attackers first map exposed infrastructure before escalating their attacks.
Grafana path traversal vulnerabilities have in the past been used to access configuration files and internal network details. The timing of this activity, followed closely by SSRF exploitation, suggests attackers may be using reconnaissance techniques to identify high-value targets before launching further attacks. While the direct relationship between these events remains unconfirmed, the pattern aligns with potentially more coordinated activity than initially reported.
What This Means for Defenders
If attackers are systematically mapping infrastructure before exploitation, defenders should identify and disrupt this early-stage activity.
Monitoring for reconnaissance behaviors, such as path traversal attempts, may provide early warning signs before full-scale exploitation occurs.
Organizations should act now to patch vulnerable systems, restrict access where possible, and monitor for unexpected outbound requests that could indicate SSRF exploitation.
GreyNoise will continue tracking this activity and providing updates if new patterns emerge.
End of Update
-----
GreyNoise Detects Unusual SSRF Exploitation Trends Across Multiple CVEs
Key Takeaways
On March 9, GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms.
At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts.
The top countries receiving SSRF exploitation attempts during the surge were the United States, Germany, Singapore, India, and Japan.
Israel saw SSRF exploitation activity as early as January, with renewed activity observed in this latest surge.
Historical parallels: SSRF vulnerabilities played a key role in the Capital One breach (2019), which exposed 100M+ records.
SSRF is a Major Target for Attackers For Good Reason
Among other things, attackers leverage SSRF for:
Cloud Exploitation: Many modern cloud services rely on internal metadata APIs, which SSRF can access if exploited.
Pivoting and Reconnaissance: SSRF can be used to map internal networks, locate vulnerable services, and steal cloud credentials.
Recent SSRF Exploitation Trends
GreyNoise is flagging a sharp increase in SSRF exploitation occurring on March 9 across multiple Server-Side Request Forgery (SSRF) vulnerabilities:
~400 unique IPs have been observed actively exploiting 10 SSRF-related CVEs.
Many of the same IPs are targeting multiple SSRF vulnerabilities at once, rather than focusing on a single known vulnerability.
Unlike routine botnet noise, this pattern suggests structured exploitation, automation, or pre-compromise intelligence gathering.
Data from March 9, 2025
Which CVEs Are Being Exploited?
GreyNoise has identified active exploitation attempts against the following flaws.
Historical SSRF Exploitation by Destination Country
GreyNoise has identified the following ten countries as having the greatest exploitation activity in the past 6 months across all reported SSRF flaws:
Additional countries seeing early SSRF exploitation, with spikes dating back to December 2024, are: Hong Kong, South Korea, Australia, France, Taiwan, Qatar, and Slovakia.
SSRF Exploitation in Past 24 Hours Limited to Israel and The Netherlands
Only two countries have been targeted in the past 24 hours:
Recommendations for Defenders
Organizations should take immediate steps to ensure they are not exposed:
Patch and Harden Affected Systems
Review patches for the targeted CVEs and apply mitigations where available.
Restrict Outbound Access Where Possible
Limit outbound connections from internal apps to only necessary endpoints.
Monitor for Suspicious Outbound Requests
Set up alerts for unexpected outbound requests.
Block Malicious IPs using GreyNoise Block and stay up to date on activity using the GreyNoise Visualizer links below
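To make the "restrict outbound access" and "monitor for suspicious outbound requests" recommendations concrete, here is an added example (not GreyNoise code) of a guard for server-side fetches: the naive pattern that contacts whatever host the caller supplied, beside a checked version that refuses non-http(s) schemes, credential-carrying URLs, non-allowlisted hosts, and any name that resolves to a non-public address, which is how the cloud metadata address (169.254.169.254) gets blocked. The allowlisted hostnames and the offline resolver are assumptions for the example.

```python
"""
SSRF guard for outbound requests made on behalf of users.

Assumptions (constructed for this example): ALLOWED_HOSTS is the set of
destinations internal services may call; FAKE_DNS stands in for real
resolution so the example runs offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "webhooks.example.net"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_target(url):
    """The vulnerable pattern: the server contacts whatever host the caller supplied."""
    return urlsplit(url).hostname


def resolve_all(host):
    """Default resolver: every address the name maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound(url, resolver=resolve_all):
    """Return (allowed, reason) for a server-side request to `url`.

    The reason string is what you would write to the outbound-request log,
    so denied attempts are visible to monitoring as well as blocked.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username is not None or parts.password is not None:
        # "https://allowed.host@169.254.169.254/" parses to a different hostname
        # than a quick string check suggests, so refuse embedded credentials.
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"could not resolve {host!r}: {exc}"
    for addr in addrs:
        # is_global is False for RFC 1918, loopback, link-local (169.254/16,
        # including the metadata address) and other reserved space.
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host!r} resolves to non-public address {addr}"
    # Connect to the vetted address itself (pin it) rather than letting the HTTP
    # client resolve the name again, or a changed DNS answer defeats this check.
    return True, "ok"


# Constructed resolver; 93.184.216.34 stands in for a public address and
# webhooks.example.net models an allowlisted name that now points inside.
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "webhooks.example.net": {"10.0.0.5"},
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/ping",
              "https://webhooks.example.net/hook",
              "https://api.example.com@169.254.169.254/",
              "file:///etc/hosts"):
        print(u, "->", check_outbound(u, resolver=fake_resolve))
```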
Cisco Talos recently uncovered a sophisticated attack campaign targeting Japanese organizations through CVE-2024-4577, a critical PHP-CGI remote code execution flaw with 79 exploits available. While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally.
Attack Overview
According to Cisco Talos, the threat actor exploited PHP-CGI installations on Windows systems to deploy Cobalt Strike beacons and conduct post-exploitation activities using the TaoWu toolkit. Key indicators include:
Initial Access: Exploitation via PHP-CGI vulnerability using HTTP POST requests with MD5 hash e10adc3949ba59abbe56e057f20f883e as a success marker.
C2 Infrastructure: Servers 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba Cloud, with HTTP User-Agent strings mimicking legacy Internet Explorer versions.
GreyNoise Observations
GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
GreyNoise’s Global Observation Grid (GOG) — a worldwide network of honeypots — detected 1,089 unique IPs attempting to exploit CVE-2024-4577 in January 2025 alone. While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in:
Target Country        Observation Period    Key Detail
Japan                 January 2025          Primary focus of Talos report
Singapore/Indonesia   January 2025          Secondary surge in attack volume
UK/Spain/India        Late January 2025     Anomalous spikes in exploitation
More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China.
In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets.
Guidance for Defenders
Organizations with internet-facing Windows systems exposing PHP-CGI — especially those in these newly identified targeted regions — should follow the guidance provided by Cisco Talos and perform retro-hunts to identify similar exploitation patterns.
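A retro-hunt over web access logs is the concrete form of the guidance above. The block below is an added example, written for this page and not from Talos or GreyNoise. It assumes Apache/IIS-style combined access logs with the request line in quotes, and uses three indicators: a percent-encoded soft hyphen (0xAD) in the query string of a PHP request, which on Windows php-cgi's best-fit charset conversion turns into "-" and so injects php-cgi options (this mechanism is from the public CVE-2024-4577 analyses, not from this page); the php.ini directives typically injected that way (allow_url_include, auto_prepend_file); and the MD5 marker e10adc3949ba59abbe56e057f20f883e that Talos reported as the success check. The lines in `SAMPLE_LOG` are constructed for the example.

```python
"""Retro-hunt for CVE-2024-4577 attempts in web access logs (added example)."""
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes, urlsplit

# Combined-log request line: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SUCCESS_MARKER = "e10adc3949ba59abbe56e057f20f883e"   # md5("123456"), per Talos
INJECTED_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file")
# 0xAD followed by an option letter, e.g. "\xadd" standing in for "-d".
SOFT_HYPHEN_OPTION = re.compile(rb"\xad[a-z]", re.I)

# Constructed sample: one full exploit attempt, one benign request, one
# argument-injection probe that does not use the usual directives.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jan/2025:03:12:44 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" '
    '200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.9 - - [14/Jan/2025:03:13:02 +0000] "GET /index.php?page=home HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jan/2025:03:14:10 +0000] "POST /test.php?%ADd+display_errors%3d1 '
    'HTTP/1.1" 200 96 "-" "curl/8.4.0"',
]


def indicators(method: str, target: str, ua: str = "", payload: bytes = b"") -> List[str]:
    """Return the CVE-2024-4577 indicators present in one request.

    `payload` is the request or response body when the log source keeps it;
    plain access logs do not, so it defaults to empty.
    """
    found = []
    raw_query = unquote_to_bytes(urlsplit(target).query)   # decode %AD to the raw byte
    if SOFT_HYPHEN_OPTION.search(raw_query):
        found.append("soft-hyphen option injection in query")
    for directive in INJECTED_DIRECTIVES:
        if directive in raw_query.lower():
            found.append(f"php directive {directive.decode()} in query")
    if SUCCESS_MARKER.encode() in payload.lower() or SUCCESS_MARKER in target.lower():
        found.append("md5 success marker")
    # Weak corroborating signal only: legacy IE UA on a POST that already looks bad.
    if method == "POST" and found and "MSIE" in ua:
        found.append("legacy IE user-agent with POST (weak)")
    return found


def hunt(lines) -> List[Tuple[str, str, List[str]]]:
    """Parse access-log lines and return (source_ip, target, indicators) for hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = indicators(m["method"], m["target"], m["ua"])
        if found:
            hits.append((m["ip"], m["target"], found))
    return hits


if __name__ == "__main__":
    for ip, target, found in hunt(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(found))
```

Any hit on the soft-hyphen indicator alone is worth a look even without the directives: a "-d display_errors=1" probe is still an argument injection against php-cgi and shows the host was being tested.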
GreyNoise has detected active exploitation by more than 90 unique threat IPs in the past 24 hours across CVEs linked to the Chinese cyber espionage group, Silk Typhoon (HAFNIUM).
GreyNoise is not attributing this activity to Silk Typhoon. Rather, we have identified active exploitation of CVEs that have been linked to Silk Typhoon’s operations in prior campaigns.
CVE-2021-26855, CVE-2021-44228 (Log4Shell), and CVE-2024-3400 are being actively targeted by threat actors.
GreyNoise’s observations come just one day after Microsoft reported Silk Typhoon’s shift to IT supply chain targeting.
On Wednesday, U.S. authorities reportedly charged alleged Silk Typhoon operatives in a hacker-for-hire scheme in which clients paid up to $75,000 per compromised inbox.
The findings come as U.S. policymakers escalate scrutiny of Chinese cyber threats, with the House Select Committee on the Chinese Communist Party (CCP) holding a hearing on March 5, the same day Microsoft released its report, on the growing risks posed by Chinese state-sponsored hacking.
GreyNoise Confirms Exploitation in the Wild
GreyNoise analyzed CVEs linked to Silk Typhoon and found three actively exploited in the past 24 hours:
CVE-2021-26855 – An Exchange ProxyLogon SSRF vulnerability.
CVE-2021-44228 – The Log4Shell vulnerability, a critical Apache Log4j RCE.
CVE-2024-3400 – A PAN-OS GlobalProtect RCE.
GreyNoise Observations: Active Exploitation in the Past 24 Hours
GreyNoise’s Global Observation Grid (GOG) confirms exploitation of these CVEs in the past 24 hours. The heatmap below shows activity over the past 45 days, and the following data reflects the last 30 days.
Apply Patches Promptly – Ensure that all affected systems are updated to remediate CVE-2021-26855, CVE-2021-44228, and CVE-2024-3400.
Monitor GreyNoise Intelligence – Use GreyNoise tags and filtering to detect and block IPs engaged in malicious activity related to these CVEs.
Reduce Exposure –
Disable unnecessary internet-facing services.
Implement strong authentication (such as MFA) on all accessible systems.
Segment networks to restrict lateral movement in case of compromise.
GreyNoise will continue to monitor the threat landscape and provide insights on evolving attacker tactics. Explore the GreyNoise Visualizer.
––– ––– –––
On March 3, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming their exploitation in the wild.
GreyNoise provided visibility into these vulnerabilities before their addition to KEV, giving defenders an early advantage.
Patch immediately – Apply vendor patches as soon as possible. If patching isn’t feasible, implement available mitigations.
Monitor for exploitation – Review logs for signs of scanning, reconnaissance, or unauthorized access related to these CVEs.
Block known malicious IPs – GreyNoise tracks attacker IPs involved in exploitation. Organizations should use this intelligence to proactively block threats.
Reduce attack surface – Restrict internet exposure for vulnerable services and enforce strict access controls.
GreyNoise Continues to Track These Threats
GreyNoise tagged these vulnerabilities before KEV inclusion, reinforcing the importance of real-time attack intelligence.
— — —
Update (5 March 2025): Key Clarifications on Eleven11bot
Further analysis has refined the understanding of the scale and nature of Eleven11bot. Key clarifications:
Likely a Mirai Variant
Eleven11bot is likely not a distinct botnet, but rather a Mirai variant using a single new exploit targeting HiSilicon-based devices, particularly those running TVT-NVMS9000 software.
Overestimated Infection Numbers
While reports estimated 86,400 infections globally, the actual number of compromised devices is likely fewer than 5,000.
Misidentified Tracking Signature
The "head[...]1111" signature, initially associated with Eleven11bot, is not malware-related but rather part of the HiSilicon SDK protocol used for remote management across white-labeled devices.
The reported 86K+ infections appear to be based on a misidentification of normal HiSilicon device protocol traffic as botnet activity.
How GreyNoise Identified This Activity
GreyNoise analyzed a list of 1,400 IPs provided by Censys, identifying 1,042 of them engaging in scanning and exploitation attempts. These were primarily embedded systems that typically do not initiate outbound internet communication, reinforcing their likely compromise.
While initial infection estimates were high, the activity observed in GreyNoise suggests that a subset of these devices are actively participating in Mirai-related behavior. Because these IPs are unlikely to change dynamically (e.g., through DHCP), they may continue to be involved in future Mirai botnet activity.
--------
A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks. Nokia Deepfield’s Emergency Response Team (ERT) has identified a new botnet, tracked as Eleven11bot, which they estimated has compromised over 30,000 devices, primarily security cameras and network video recorders (NVRs).
According to Deepfield, Eleven11bot has been used in distributed denial of service (DDoS) attacks against telecom providers and gaming platforms, with some attacks lasting multiple days and causing widespread disruptions. Jérôme Meyer, a security researcher tracking the botnet, described it as “one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.”
GreyNoise Observations on Eleven11bot
Following Deepfield’s findings, Censys provided GreyNoise with a list of 1,400 IPs that appear to be linked to Eleven11bot due to the configuration of the endpoint devices and the banners matching what Deepfield identified in their research. GreyNoise has observed 1,042 IPs actively hitting our sensors in the past 30 days.
Key findings from our data:
96% of these IPs are non-spoofable, meaning they completed a TCP handshake with our sensors and therefore originate from genuine, reachable devices rather than forged source addresses.
61% of the 1,042 observed IPs (636) are traced to Iran.
305 IPs are currently classified as malicious by GreyNoise.
While GreyNoise does not speculate on attribution, this increase in botnet activity comes just two days after the U.S. administration reasserted its “maximum pressure” campaign on Iran, imposing new economic sanctions.
How the Botnet is Expanding
GreyNoise observations show the botnet engaging in activity presumably aimed at expanding its operations, including:
Brute-force attacks against login systems.
Exploitation of weak and default passwords on IoT devices.
Targeting specific security camera brands, such as VStarcam, using hardcoded credentials.
Network scanning for exposed Telnet and SSH ports, which are often left unprotected on IoT hardware.
GreyNoise has identified 305 IP addresses actively carrying out malicious attacks linked to the botnet.
How to See the Botnet in Action
SOC teams, vulnerability management professionals, and threat hunters can track the botnet’s live activity using GreyNoise. In the meantime, defenders should:
Monitor network logs for unusual login attempts. Attackers are brute-forcing weak Telnet and SSH credentials.
Secure IoT devices immediately. Change default passwords, update firmware, and disable remote access where unnecessary.
Enable DDoS protection and rate-limiting. The botnet is designed for high-intensity attacks, so organizations should harden their network defenses.
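The first item above, watching login logs for the brute-forcing this botnet performs, can be automated. What follows is an added example written for this page, not GreyNoise code: it parses syslog-style sshd authentication lines, keeps a sliding window of password failures per source address, fires an alert when one source exceeds a threshold inside the window (reporting how many distinct usernames it tried, which separates spraying from a single stuck client), and fires a second, more serious alert when a source that was just brute-forcing gets an "Accepted" line. Telnet daemons log differently, so only sshd lines are parsed. The lines in `SAMPLE_LOG` are constructed, and the year is assumed because syslog timestamps omit it.

```python
"""Brute-force and success-after-brute-force detection over sshd logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional, Tuple

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ASSUMED_YEAR = 2025   # syslog lines carry no year; assumed for the example

# Constructed sample: one source sprays three usernames and then succeeds as
# root; a second source mistypes once and then logs in normally.
SAMPLE_LOG = [
    "Mar  3 10:15:01 nvr01 sshd[1201]: Failed password for root from 198.51.100.23 port 40122 ssh2",
    "Mar  3 10:15:03 nvr01 sshd[1202]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2",
    "Mar  3 10:15:04 nvr01 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 40131 ssh2",
    "Mar  3 10:15:06 nvr01 sshd[1204]: Failed password for invalid user support from 198.51.100.23 port 40140 ssh2",
    "Mar  3 10:15:07 nvr01 sshd[1205]: Failed password for root from 198.51.100.23 port 40145 ssh2",
    "Mar  3 10:15:09 nvr01 sshd[1206]: Accepted password for root from 198.51.100.23 port 40150 ssh2",
    "Mar  3 10:20:00 nvr01 sshd[1300]: Failed password for alice from 203.0.113.8 port 51000 ssh2",
    "Mar  3 10:20:30 nvr01 sshd[1301]: Accepted password for alice from 203.0.113.8 port 51001 ssh2",
]


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source_ip) for an sshd password line, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold: int = 5, window_s: int = 60) -> List[Tuple[str, str, str]]:
    """Return alerts as (source_ip, kind, detail), in the order they fire."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerted = set()               # ips already reported for brute force
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if result == "Failed":
            q.append(ts)
            users[ip].add(user)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append((ip, "brute-force",
                               f"{len(q)} failures in {window_s}s across {len(users[ip])} users"))
        else:  # Accepted: a login right after a burst of failures means a guessed credential
            if len(q) >= max(2, threshold // 2):
                alerts.append((ip, "success-after-brute-force",
                               f"{user} accepted after {len(q)} recent failures"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip} {kind}: {detail}")
```

The success-after-failures alert is the one to page on: a brute-force burst against an NVR is background noise on the internet, but an "Accepted" from the same source means the device now belongs to the botnet.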
GreyNoise is Actively Monitoring Eleven11bot-Linked Activity
GreyNoise continues to track real-time scanning and attack activity from the botnet. We will provide further updates if new information arises.
Track the botnet in real time — see if your network is a target. Navigate to the GreyNoise Analysis feature, paste the IPs above into the search bar, and download the CSV of malicious IPs for immediate blocking actions.
— — —
GreyNoise has detected active exploitation of 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs, including vulnerabilities affecting enterprise software, security appliances, and widely used web applications.
CVE-2023-6875 is being exploited despite not being listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence beyond static lists.
Some of these CVEs have been actively exploited in just the past 24 hours, including critical flaws in Palo Alto PAN-OS, JetBrains TeamCity, Microsoft Exchange, and Cisco IOS XE.
GreyNoise is not attributing this activity to the ransomware group, Black Basta. Rather, we are observing active exploitation of a subset of the 62 CVEs mentioned in the group’s leaked chat logs.
GreyNoise confirms active exploitation of 23 of the 62 CVEs. However, since not all 62 are trackable by GreyNoise, the actual number of exploited vulnerabilities may be higher.
GreyNoise Confirms Active Exploitation of CVEs Listed in Black Basta’s Leaked Chats
A major leak of internal chat logs from the Black Basta ransomware group has revealed 62 CVEs discussed by the group — offering a glimpse into the vulnerabilities considered for exploitation by one of the most active ransomware operators. The list, first compiled by VulnCheck, underscores how attackers continue to target publicly known vulnerabilities long after disclosure.
To assess real-world impact, GreyNoise analyzed internet-wide exploitation activity for these vulnerabilities. Our data confirms that 23 of these CVEs are actively being exploited, including in enterprise software, security appliances, and widely used applications.
Observed Exploitation Activity
Below we see that 23 of the 62 CVEs mentioned in Black Basta’s leaked chat logs have been targeted within the past 30 days.
CVE-2023-36845 – Juniper Junos OS PHP External Variable Control
CVE-2023-22515 – Atlassian Confluence Broken Access Control
CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation
CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution
CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection
CVE-2021-44228 – Apache Log4j RCE (Log4Shell)
CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon)
How Defenders Can Respond
Organizations should immediately assess their exposure to the actively exploited CVEs from this blog and take the following steps:
Patch these vulnerabilities — especially those being actively exploited in the last 24 hours.
Use GreyNoise’s intelligence to prioritize and validate real-world threats.
Move beyond KEV — CVE-2023-6875 underscores the importance of real-time intelligence over advisories and lists.
How to Investigate These CVEs in GreyNoise
GreyNoise customers: Log in to the GreyNoise product, navigate to the CVEs tab, paste the 62 CVEs, and select “SEARCH” to see real-time exploitation activity.
Free users: GreyNoise allows you to search for exploitation activity one CVE at a time via our free lookup tool.
Full List of CVEs Mentioned in Black Basta’s Leaked Chat Logs
The following 62 CVEs were identified in Black Basta’s leaked chat logs by VulnCheck. Organizations can use this list to assess their exposure.
CVE-2024-3400
CVE-2024-27198
CVE-2024-26169
CVE-2024-25600
CVE-2024-24919
CVE-2024-23897
CVE-2024-23113
CVE-2024-23109
CVE-2024-23108
CVE-2024-21762
CVE-2024-21683
CVE-2024-21413
CVE-2024-21378
CVE-2024-21338
CVE-2024-1709
CVE-2024-1708
CVE-2024-1086
CVE-2023-7028
CVE-2023-7027
CVE-2023-6875
CVE-2023-4966
CVE-2023-42793
CVE-2023-42115
CVE-2023-38831
CVE-2023-36884
CVE-2023-36874
CVE-2023-36845
CVE-2023-36844
CVE-2023-36745
CVE-2023-36394
CVE-2023-35628
CVE-2023-3519
CVE-2023-3467
CVE-2023-3466
CVE-2023-29357
CVE-2023-23397
CVE-2023-22515
CVE-2023-21716
CVE-2023-20198
CVE-2022-41352
CVE-2022-41082
CVE-2022-41040
CVE-2022-37969
CVE-2022-37042
CVE-2022-30525
CVE-2022-30190
CVE-2022-27925
CVE-2022-26134
CVE-2022-22965
CVE-2022-1388
CVE-2022-0609
CVE-2021-44228
CVE-2021-42321
CVE-2021-42287
CVE-2021-42278
CVE-2021-40444
CVE-2021-28482
CVE-2021-26855
CVE-2020-1472
CVE-2017-5754
CVE-2017-5753
CVE-2017-11882
GreyNoise will continue monitoring exploitation trends in real time. Stay updated by following GreyNoise’s threat intelligence reports, platform updates, and by visiting the GreyNoise visualizer.
— — —
GreyNoise has observed active exploitation of CVE-2023-20198, with 110 malicious IPs actively targeting vulnerable Cisco devices, primarily from Bulgaria, Brazil, and Singapore.
Two malicious IPs exploited CVE-2018-0171 in December 2024 and January 2025, originating from Switzerland and the United States — the same period when Salt Typhoon, a Chinese state-sponsored threat group, reportedly breached telecom networks using CVE-2023-20198 and CVE-2023-20273.
CVE-2018-0171 was disclosed seven years ago, yet remains in use by advanced attackers.
Unpatched Cisco systems are being actively targeted. Organizations should take immediate action.
Recent analyses have highlighted that Salt Typhoon, a Chinese state-sponsored cyber espionage group, has been actively targeting Cisco devices. The group employs various tactics, including the use of legitimate login credentials and, in some instances, exploiting known vulnerabilities such as CVE-2018-0171.
Between December 2024 and January 2025, Salt Typhoon reportedly leveraged CVE-2023-20198 and CVE-2023-20273 to compromise five additional telecom networks, including entities in the United States.
GreyNoise Observations
GreyNoise’s Global Observation Grid (GOG) has detected malicious exploitation attempts against two Cisco vulnerabilities linked to these attacks:
CVE-2018-0171 (IOS and IOS XE Smart Install Remote Code Execution)
Observed: Two malicious IPs exploited this vulnerability in December 2024 and January 2025.
These IPs were traced to Switzerland and the United States.
Cisco Talos reported Salt Typhoon likely used this CVE in real-world attacks.
GreyNoise will continue monitoring for changes in exploitation patterns and provide updates as new intelligence emerges. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence.
Important: These CVEs were referenced in recent Salt Typhoon reports, but we are NOT attributing this activity to Salt Typhoon — only confirming that exploitation is occurring.
---
GreyNoise now sees 25 malicious IPs actively exploiting CVE-2025-0108, up from 2 on February 13.
Top 3 source countries of attack traffic: United States, Germany, Netherlands.
Palo Alto Networks confirmed active exploitation and classified the CVE as ‘Highest Urgency’ for defenders.
CISA added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog.
GreyNoise has observed active exploitation attempts targeting a newly disclosed authentication bypass vulnerability, CVE-2025-0108, affecting Palo Alto Networks PAN-OS. This high-severity flaw allows an unauthenticated attacker with network access to the management web interface to bypass authentication and invoke specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.
Active Exploitation Detected in the Wild
GreyNoise can confirm active exploitation of CVE-2025-0108.
Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them.
---
GreyNoise has identified a significant spike in exploitation activity targeting two vulnerabilities — one already flagged by government agencies as a top target, and another flying under the radar despite real-world attacks increasing.
CVE-2022-47945 (ThinkPHP LFI) – A local file inclusion vulnerability in ThinkPHP that is not in CISA’s Known Exploited Vulnerabilities (KEV) catalog and has a low EPSS score (7%), yet GreyNoise has observed a surge in exploitation attempts.
CVE-2023-49103 (ownCloud GraphAPI Information Disclosure) – A vulnerability already highlighted in a joint advisory from CISA, NSA, and FBI as one of the most exploited in 2023, and exploitation continues to rise.
Both vulnerabilities highlight a growing concern in how organizations prioritize patching:
Are security teams overlooking major threats because they don’t appear in KEV or have low EPSS scores?
How many other actively exploited vulnerabilities are slipping through the cracks?
What We’re Seeing: Surging Exploitation Activity
GreyNoise has observed a rapid increase in exploit attempts for both vulnerabilities over the past 10 days.
Observed Exploitation Attempts for CVE-2022-47945 (ThinkPHP LFI)
Observed Exploitation Attempts for CVE-2023-49103 (ownCloud GraphAPI)
Attackers are actively scanning and targeting both vulnerabilities, yet only one is included in KEV, raising questions about how security teams are prioritizing threats.
CVE-2022-47945 (ThinkPHP LFI) - A Growing Target
ThinkPHP before version 6.0.14 is vulnerable to local file inclusion (LFI) via the `lang` parameter when language packs are enabled.
GreyNoise has observed 572 unique IPs attempting to exploit this vulnerability, with activity increasing in recent days.
ThinkPHP vulnerabilities have been targeted by Chinese attackers in past campaigns.
EPSS and KEV don’t always align with real-world risk. CVE-2022-47945 has a low EPSS score (7%) yet is actively being exploited.
CVE-2023-49103 remains a high-value target after being listed on KEV over a year ago.
Real-time attack data is critical. Organizations overrelying on KEV and EPSS risk overlooking threats that attackers are actively scanning and exploiting. What’s being targeted and when can change in an instant, necessitating a real-time view of attacker activity.
Mitigation Recommendations
Patch immediately — Upgrade ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+.
Monitor and block known malicious IPs — Use real-time GreyNoise data to track and mitigate active threats.
Restrict exposure — Reduce access to affected services where possible to limit attack surface.
A Larger Trend: Are We Prioritizing the Wrong Vulnerabilities?
The difference in how these two CVEs are being treated highlights a broader challenge in vulnerability management.
How many actively exploited vulnerabilities are being overlooked due to low EPSS scores?
Are organizations placing too much trust in KEV alone, and EPSS, when prioritizing patching?
What role should real-time exploitation intelligence play in risk management?
Attackers are making their priorities clear. See live exploitation trends now for CVE-2023-49103 and CVE-2022-47945.
2025-01-29 Update: After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains.
GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.
CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).
VulnCheck disclosed CVE-2024-40891 to their partners as "Zyxel CPE Telnet Command Injection" on August 1, 2024, but as of this writing, the CVE has not yet been officially published by the vendor, nor have they published an advisory. Last week, researchers from GreyNoise collaborated with VulnCheck to verify the accuracy of the detection, ensuring that the traffic is linked to this CVE specifically. GreyNoise researchers created a tag for this issue on January 21, 2025, and worked with VulnCheck to coordinate this disclosure. Ordinarily, disclosure would be coordinated with the vendor, but due to the large number of attacks, we decided to publish this immediately.
Network Monitoring: Filter traffic for unusual telnet requests to Zyxel CPE management interfaces.
Patch Readiness: Monitor Zyxel’s security advisories for updates and apply patches or mitigations immediately, if released. Halt the use of devices that have reached end-of-life.
Mitigation: Restrict administrative interface access to trusted IPs and disable unused remote management features.
GreyNoise users can track live exploitation patterns, including attacker IP addresses, for this CVE here.