Threat Signals

Actionable intelligence on real-world threats as they unfold. Get insights into attacker behavior, infrastructure, exploitation of zero-days and n-days, temporal patterns, and geographic hotspots — all sourced from GreyNoise’s Global Observation Grid (GOG). Stay ahead of emerging threats, block malicious IPs, and understand what’s happening in the moment.

Ghost Fleet: Half of All New Scanning IPs Last Week Geolocated to Hong Kong — Nearly None Completed a Connection

Last week, the GreyNoise Observation Grid (GOG) observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days — nearly half of all new scanning IPs observed by GreyNoise that week. And 99.7% of them never completed a single TCP connection.

These IPs are ghosts — they appeared in GreyNoise data but never proved they were real. Because they never completed a TCP handshake, GreyNoise cannot verify that the traffic actually originated from those addresses. They carried no payloads, triggered no detection signatures, and performed no exploitation. All they left behind were a quarter-million unverified IP addresses now sitting in observation datasets.

Geographic references throughout this post describe where IPs are registered, not where the traffic necessarily originated or where operators are located.

Here's why that matters: any detection system that observed this traffic and doesn't distinguish between verified and unverified source addresses just absorbed a quarter-million ghost IPs into its dataset. Meanwhile, the 702 IPs geolocating to Hong Kong that actually completed connections — the ones observed scanning MySQL, SSH, SMB, and RDP, hitting GOG sensors in 20+ countries — could easily get lost in the noise. One provider alone, UCLOUD, surged 472% in session volume to become the largest ASN by session volume in GreyNoise data, with 38% of its IPs classified malicious. That's the signal. The other 242,000 IPs are the noise.

On top of that, the entire scanning landscape reshuffled last week. A top ASN disappeared overnight. Traffic from IPs geolocating to Australia dropped 72%. New infrastructure geolocating to Poland and Germany appeared. The scanning sources that dominated the prior week were not the same ones that dominated last week.

Key Findings

  • 242,666 new IPs geolocating to Hong Kong — 48.9% of all new scanning IPs observed by GreyNoise last week. 99.7% never completed a TCP handshake.
  • One organization, GNET INC., contributed 143,340 IPs — 28.9% of all new IPs observed by GreyNoise. Zero were classified malicious.
  • Only 702 IPs geolocating to Hong Kong (0.3%) completed TCP handshakes. Of those, 362 are classified malicious.
  • UCLOUD (AS135377) surged +472% in session volume, becoming the top ASN by session volume in GreyNoise data — with only 1,746 IPs but 38% classified malicious.
  • The scanning landscape rotated: a top ASN from the prior week disappeared entirely, traffic from IPs geolocating to Australia dropped 72%, and new infrastructure geolocating to Poland and Germany appeared.

The Ghost Fleet

Between March 12 and 18, GreyNoise observed 242,666 new IPs geolocating to Hong Kong — nearly equal to the rest of the world combined (253,646). Six hosting providers account for 93.3%:

Organization         | ASN      | New IPs | Spoofable | Malicious | Tags
GNET INC.            | AS9294   | 143,340 | 99.998%   | 0         | Virtually none
Yancy Limited        | AS138415 | 34,051  | 99.998%   | 1         | Virtually none
Cloudie Limited      | AS55933  | 20,517  | 99.91%    | 45        | Minimal
Zillion Network Inc. | AS54801  | 10,329  |           |           |
LARUS Limited        | AS17561  | 9,433   | 100%      | 0         | None
Netsec Limited       | AS45753  | 8,759   | 99.96%    | 1         | Minimal

Figure 1: New IPs geolocating to Hong Kong, by organization. GNET INC. alone contributed 28.9% of all new IPs observed by GreyNoise.

When GreyNoise labels an IP "spoofable," it means the IP was observed sending traffic but never completed a TCP three-way handshake — the source address is unverified. Of these 242,666 IPs, 241,964 are spoofable. They are classified "unknown," categorized as "hosting" infrastructure (92.3%), and carry almost no GreyNoise tags.

One Organization, 143,340 IPs, Zero Malicious

GNET INC. (AS9294) is the single largest contributor — one organization that added 28.9% of all new IPs observed by GreyNoise in a single week:

Metric                                    | Value
Total active IPs (including pre-existing) | 163,051
Spoofable                                 | 99.998% (only 3 completed TCP handshakes)
Classification                            | 100% unknown
Malicious IPs                             | 0
GOG sensor countries reached              | Primarily United States
Tags                                      | QUIC Protocol on 30 IPs. Nothing else.

No exploitation. No brute-force activity. No web crawling. Incomplete connections only.

Names That Don't Match Registration Geography

Several ghost fleet entities are registered under names that don't align with where their IPs geolocate:

Entity                     | ASN      | Total IPs | Discrepancy
LUOGELANG (FRANCE) LIMITED | AS135097 | 62,617    | "France" in name — 0% of IPs geolocate to France (62% HK, 38% US)
LARUS Limited              | AS17561  | 19,687    | Split between Hong Kong (9,832) and Russia (8,751)
Taiwan Li Run Ltd          | AS131147 | 5,119     | "Taiwan" in name — 4,096 IPs geolocate to mainland China, 1,023 to Hong Kong

The Signal Behind the Noise: UCLOUD

The ghost fleet is the noise. The signal is UCLOUD (AS135377).

Figure 2: Spoofable vs. non-spoofable IPs geolocating to Hong Kong — 242,000 IPs that did not complete TCP handshakes vs. 702 that did.

UCLOUD contributes just 1,746 IPs — 0.4% of the active IPs geolocating to Hong Kong in GreyNoise data. But it accounts for an outsized share of observed scanning and exploitation attempts:

Metric                       | UCLOUD (AS135377) | Spoofable Fleet Average
New IPs                      | 1,746             | 8,759 to 143,340 per ASN
Malicious classification     | 38% (663 IPs)     | <0.1%
Spoofable                    | 43.5%             | >99.9%
GOG sensor countries reached | 20+               | Primarily 1 (US, 99.8%)
Unique protocol tags         | 14+ active tags   | 0-2 tags

Figure 3: UCLOUD multi-protocol scanning activity observed by GreyNoise, spanning 14+ protocols.

The contrast is stark. The entity generating 82x more IPs (GNET INC.) has zero classified malicious. The entity generating 82x fewer IPs (UCLOUD) has 663 — observed scanning MySQL, SSH, SMB, and RDP, with traffic reaching GOG sensors in more than 20 countries.

The Volume Surge

UCLOUD's session volume went from 9.7 million to 55.4 million in one week — displacing DigitalOcean as the top ASN by session volume in GreyNoise data:

Week      | UCLOUD Sessions | DigitalOcean Sessions | UCLOUD Rank
Mar 5-11  | 9,679,761       | 31,361,945            | #3
Mar 12-18 | 55,384,799      | 22,709,383            | #1
Change    | +472%           | -27.6%                |

Figure 4: Daily session counts showing UCLOUD overtaking DigitalOcean as the top ASN by session volume in GreyNoise data.

The Rotation: Everything Shifted in Seven Days

The ghost fleet wasn't the only change. The entire scanning landscape observed by GreyNoise reshuffled. AS213438, a top ASN the prior week with 10.7 million sessions, disappeared entirely — an abrupt shutoff consistent with infrastructure being decommissioned or rotated.

What declined (source refers to IP geolocation; destination refers to GOG sensor location):

Source (by IP geolocation) to destination (GOG sensor) | Mar 5-11 (sessions) | Mar 12-18 (sessions) | Change
Australia to US                                        | 4,109,617           | 1,153,593            | -71.9%
Netherlands to US                                      | 17,886,273          | 12,952,923           | -27.6%
Netherlands to Spain                                   | 5,540,230           | 3,112,579            | -43.8%
Canada to US                                           | 3,649,150           | 2,454,528            | -32.7%

What appeared (source refers to IP geolocation; destination refers to GOG sensor location):

Source (by IP geolocation) to destination (GOG sensor) | Mar 5-11 (sessions) | Mar 12-18 (sessions) | Change
Hong Kong to US                                        | 4,744,912           | 15,427,214           | +225%
Poland to Spain                                        | 312,708             | 8,325,850            | +2,563%
Hong Kong to Spain                                     | 1,410,537           | 7,117,338            | +405%
Thailand to US                                         | 966,313             | 5,468,241            | +466%
Nigeria to US                                          | 559,975             | 2,863,781            | +411%
Lithuania to US                                        | 1,523,952           | 5,300,605            | +248%
Bulgaria to US                                         | 1,496,734           | 3,444,281            | +130%

Figure 5: Week-over-week changes in scanning traffic by source-destination pair, as observed by GreyNoise.
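The week-over-week comparison behind these tables, as an added example rather than GreyNoise's own tooling: given two weeks of session counts keyed by source-to-sensor pair (or by ASN), it computes the percentage change, treats a key absent in the prior week as "new" and a key absent this week as "gone" (the AS213438 case), and reports the largest movements first. The session figures are taken from the post's tables; AS213438's prior-week count is the "10.7 million" the post states, rounded.

```python
def week_over_week(prior, current):
    """Compare two {key: session_count} mappings and return {key: change}.

    change is a percentage (float), or the string "new" when the key had no
    sessions the prior week, or "gone" when it has none this week. Keys with
    zero sessions in both weeks are dropped.
    """
    result = {}
    for key in set(prior) | set(current):
        before = prior.get(key, 0)
        after = current.get(key, 0)
        if before == 0 and after == 0:
            continue
        if before == 0:
            result[key] = "new"
        elif after == 0:
            result[key] = "gone"
        else:
            result[key] = (after - before) / before * 100.0
    return result


def rotation_report(changes, threshold_pct=50.0):
    """Keys that appeared, disappeared, or moved by at least threshold_pct in
    either direction, ordered with the biggest movement first. Appearances and
    disappearances rank above any percentage change."""
    def magnitude(item):
        value = item[1]
        return float("inf") if isinstance(value, str) else abs(value)

    flagged = [(k, v) for k, v in changes.items()
               if isinstance(v, str) or abs(v) >= threshold_pct]
    return sorted(flagged, key=magnitude, reverse=True)


# Session counts from the post's tables (Mar 5-11 vs Mar 12-18).
# AS213438 is keyed alongside the pairs: present the prior week, absent this week.
PRIOR = {
    "Australia->US": 4_109_617,
    "Netherlands->US": 17_886_273,
    "Hong Kong->US": 4_744_912,
    "Poland->Spain": 312_708,
    "AS213438": 10_700_000,     # "10.7 million" as stated in the post, rounded
}
CURRENT = {
    "Australia->US": 1_153_593,
    "Netherlands->US": 12_952_923,
    "Hong Kong->US": 15_427_214,
    "Poland->Spain": 8_325_850,
    # AS213438 intentionally absent: it disappeared entirely
}

CHANGES = week_over_week(PRIOR, CURRENT)
REPORT = rotation_report(CHANGES, threshold_pct=50.0)

if __name__ == "__main__":
    for key, change in REPORT:
        label = change if isinstance(change, str) else f"{change:+.1f}%"
        print(f"{key:20s} {label}")
```

With the 50% threshold the Netherlands-to-US decline (-27.6%) stays out of the report while the Australia drop, the Hong Kong and Poland surges, and the vanished ASN are all flagged; lowering the threshold, or running the same function over daily unique-IP counts per tag instead of session counts, gives the baseline-deviation view the other posts on this page describe.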

Under the Hood

Cross-referencing GreyNoise observations with Censys internet-wide scan data and VirusTotal reputation data reveals infrastructure patterns not visible from any single source.

Templated deployment across borders.

A cluster on infrastructure geolocating to Germany, registered to a Seychelles entity, shows configurations consistent with deployment from a single VM image. A separate Windows VPS cluster uses IPs geolocating to Bulgaria, Romania, and France across three ASNs with an identical service configuration on each node — scanning infrastructure deployed from a common template.

UCLOUD relay infrastructure.

Censys data reveals purpose-built traffic relay and tunneling software deployed across UCLOUD at a density not typical of legitimate hosting. Repeating non-standard port configurations appear identically across multiple subnets — the signature of a single VM template deployed at scale.

Low reputation detection.

The top scanning IPs are barely flagged:

IP                | Provider                             | Vendor Detections | Notable
109.205.211[.]101 | MEVSPACE / Colocatel Inc. (AS201814) | 2 of 94           | Zero communicating files. 7.97M sessions/week. IPs geolocate to Poland; registered to Colocatel Inc. (Seychelles).
79.124.58[.]146   | Tamatiya EOOD (AS50360)              | 5 of 94           | IPs geolocate to Bulgaria. Self-signed SSL cert: localhost.localdomain by "VMware Installer"
91.238.181[.]10   | Fbw Networks SAS (AS49434)           | 7 of 94           | IPs geolocate to France. Communicating file: mssecsvr.exe (Win32, first seen 2018). Malicious history predating current activity.

What We Don't Know

GreyNoise cannot determine the purpose of the ghost fleet from GreyNoise data alone. Censys confirms these ASNs are active hosting ecosystems — the spoofable traffic uses source addresses in IP ranges distinct from the legitimate hosted infrastructure. What we can say: 242,666 IPs appeared, almost none completed connections, and the source addresses are unverified.

What Defenders Should Do

  • Detection stacks that don't distinguish spoofable IPs from confirmed scanners may be affected. 242,666 unverified source addresses now exist in observation datasets. Systems that weight activity by IP count without verifying connections should be reviewed.
  • Update blocklists. The sources that dominated scanning the prior week declined or disappeared, replaced by infrastructure geolocating to Hong Kong, Poland, and Germany — all within seven days.
  • Monitor UCLOUD (AS135377). GreyNoise observed multi-protocol scanning activity targeting MySQL (3306), SSH (22), SMB (445), and RDP (3389).
  • Track the ghost fleet ASNs for behavioral changes: AS9294, AS138415, AS55933, AS135097, AS17561, AS45753. If these IPs begin completing TCP handshakes and deploying payloads, the assessment changes.
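The first recommendation above, as an added example (not GreyNoise's code): a per-ASN summary that keeps raw IP count separate from handshake-verified count and verified-malicious count, so that ranking by volume and ranking by verified malice can be compared side by side. The record schema is constructed from the fields the post describes (spoofable flag, classification, ASN); the sample IPs are placeholders in the private 10.0.0.0/8 range, and the counts are chosen to mirror the post's contrast between a large all-spoofable ASN and a small, high-malice one, not to reproduce its figures.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One scanning IP as a detection stack might store it.
    Constructed schema modelled on the post's fields, not GreyNoise's own."""
    ip: str
    asn: str
    spoofable: bool        # True: never completed a TCP handshake, so the source is unverified
    classification: str    # "malicious", "benign" or "unknown"


def summarize_by_asn(observations):
    """Per-ASN counters: raw IP total, handshake-verified IPs, verified malicious IPs."""
    stats = defaultdict(lambda: {"ips": 0, "verified": 0, "verified_malicious": 0})
    for o in observations:
        s = stats[o.asn]
        s["ips"] += 1
        if not o.spoofable:                # only a completed handshake verifies the source
            s["verified"] += 1
            if o.classification == "malicious":
                s["verified_malicious"] += 1
    return dict(stats)


def rank_asns(stats, key):
    """ASNs ordered by one counter ("ips", "verified" or "verified_malicious"), largest first."""
    return sorted(stats, key=lambda asn: stats[asn][key], reverse=True)


def malicious_ratio(stats, asn):
    """Share of an ASN's IPs that are both verified and classified malicious."""
    s = stats[asn]
    return s["verified_malicious"] / s["ips"] if s["ips"] else 0.0


def build_sample():
    """Constructed sample: a ghost-fleet ASN of 1,000 spoofable 'unknown' IPs next to
    a 20-IP ASN where 11 IPs completed handshakes and 8 of those are malicious."""
    sample = []
    for i in range(1000):                  # 10.0.x.y: constructed private-range placeholders
        sample.append(Observation(f"10.0.{i // 256}.{i % 256}", "AS9294", True, "unknown"))
    for i in range(20):
        verified = i < 11
        cls = "malicious" if i < 8 else "unknown"
        sample.append(Observation(f"10.1.0.{i}", "AS135377", not verified, cls))
    return sample


SAMPLE_STATS = summarize_by_asn(build_sample())

if __name__ == "__main__":
    print("by raw IP count:        ", rank_asns(SAMPLE_STATS, "ips"))
    print("by verified malicious:  ", rank_asns(SAMPLE_STATS, "verified_malicious"))
    for asn in SAMPLE_STATS:
        print(asn, SAMPLE_STATS[asn], f"malicious ratio={malicious_ratio(SAMPLE_STATS, asn):.2f}")
```

Ranked by raw IP count the ghost-fleet ASN dominates; ranked by verified malicious IPs it contributes nothing and the small ASN comes first. A stack that weights by the first ranking absorbs the noise the post describes; one that weights by the second keeps the signal.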

GreyNoise is not attributing this activity to a named threat actor or state sponsor. The geographic references in this post describe where IPs are registered, not necessarily where the operators are located. Hosting infrastructure is routinely used by actors with no geographic connection to the provider's registration.


A Coordinated Brute Force Campaign Targets Fortinet SSL VPN

On August 3, GreyNoise observed a significant spike in brute-force traffic targeting Fortinet SSL VPNs. Over 780 unique IPs triggered our Fortinet SSL VPN Bruteforcer tag in a single day — the highest single-day volume we’ve seen on this tag in recent months. 

New research shows spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks. In fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products. The below chart shows spikes in activity against Fortinet tags (white dots) and CVE disclosures affecting Fortinet products (red dots): 

Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs. This was not opportunistic — it was focused activity. 

The top target countries in the past 90 days are Hong Kong and Brazil. 

A Tale of Two Brute Force Waves Against Fortinet

When we reviewed a two-week window of traffic matching the Fortinet SSL VPN Bruteforcer tag, two distinct waves emerged: 

  • Wave One: A long-running set of brute-force activity tied to a single TCP signature that remained relatively steady over time. 
  • Wave Two: A sudden and concentrated burst of traffic beginning August 5. This second wave had a completely different TCP signature and stood out due to its abrupt onset. 

This made the decision easy: we pivoted to the second wave to learn more. 

A Shift in Targeting: From VPN to FortiManager

Once the TCP signature for the second wave was isolated, we paired it with an observed client signature seen in sessions during the same timeframe. 

What we found was surprising. 

While the August 3 traffic had targeted the FortiOS profile, traffic fingerprinted with TCP and client signatures — a meta signature — from August 5 onward was not hitting FortiOS. Instead, it was consistently targeting our FortiManager - FGFM profile, albeit still triggering our Fortinet SSL VPN Bruteforcer tag. 

This indicated a shift in attacker behavior — potentially the same infrastructure or toolset pivoting to a new Fortinet-facing service. 

IPs associated with the meta signature:

31.206.51.194
23.120.100.230
96.67.212.83
104.129.137.162
118.97.151.34
180.254.147.16
20.207.197.237
180.254.155.227
185.77.225.174
45.227.254.113

A Residential Clue

One additional lead emerged during the investigation. 

When reviewing historical data tied to the same post-August 5 TCP fingerprint, we found an earlier spike in June with a unique client signature that resolved to an IP — a FortiGate device — in a residential ISP block (Pilot Fiber Inc.). This may indicate that the brute-force tooling was initially tested or launched from a home network — or it could reflect use of a residential proxy. A quick search of the device revealed: 

  • Not detected as a residential proxy or host of VPN services by Spur.us
  • Recent detections by AbuseDB.
  • Not seen on VirusTotal.

Notably, traffic tied to that same client signature in June was later seen paired with the same TCP signature associated with the longer-running brute-force cluster (Wave One) mentioned earlier. This overlap doesn’t confirm attribution, but it suggests possible reuse of tooling or network environments. Simply put, this side quest led us back to the original traffic associated with the August 3 spike. 

Key Takeaways

  • Brute-force attacks against Fortinet SSL VPN continue, and they appear to evolve over time.
  • GreyNoise uncovered a behavioral shift, with traffic moving from FortiOS targeting to FGFM targeting just days after the August 3 spike. 
  • JA4+ based signatures reveal clustering, connecting recent waves to prior traffic — and even a potential residential origin. 
  • GreyNoise research has shown that spikes in attacker activity often precede new vulnerabilities affecting the same vendor — with 80 percent of observed cases followed by a CVE disclosure within six weeks. 

Defender Recommendations

Use GreyNoise to:

Please contact your GreyNoise support team if you are interested in the JA4+ signatures in this investigation.

GreyNoise will continue monitoring the situation and provide updates as necessary. 

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

— — — 

This research and discovery were a collaborative effort between Towne Besel and Noah Stone. 

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4. 

We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer. 

Key Observations

  • First observed activity: June 23, 2025
  • PoC released: July 4, 2025
  • GreyNoise tag published: July 7, 2025
  • CISA confirms activity with GreyNoise: July 9, 2025 (prior to KEV addition) 

Targeted Behavior 

Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting. 

CISA Confirmation 

On July 9, shortly after we published the tag, CISA contacted GreyNoise to confirm exploitation activity. CVE-2025-5777 was subsequently added to the Known Exploited Vulnerabilities (KEV) catalog. 

Recommended Actions

Defenders can dynamically block malicious IPs to reduce exposure and suppress alerts. 

The above list will stay updated as new IPs are observed attempting to exploit CVE-2025-5777.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity

GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28. 

Since that initial jump, daily scanner IP volume has remained intermittently elevated at between 200 and 300 IPs per day — a significant deviation from baseline and an indicator that MOVEit Transfer is once again in the crosshairs.

These patterns often coincide with new vulnerabilities emerging two to four weeks later.

Key Findings 

  • 682 unique IPs have triggered GreyNoise’s MOVEit Transfer Scanner tag over the past 90 days.
  • The surge began on May 27 — prior activity was near-zero.
  • 303 IPs (44%) originate from Tencent Cloud (ASN 132203) — by far the most active infrastructure. 
  • Other source providers include Cloudflare (113 IPs), Amazon (94), and Google (34). 
  • Top destination countries include the United Kingdom, United States, Germany, France, and Mexico. 
  • The overwhelming majority of scanner IPs geolocate to the United States. 

Confirmed Exploitation Attempts on June 12

GreyNoise also observed low-volume exploitation attempts on June 12, 2025, associated with two previously disclosed MOVEit Transfer vulnerabilities: 

CVE-2023-34362

CVE-2023-36934

These events occurred during the period of heightened scanning and may represent target validation or exploit testing, but at this time, no widespread exploitation has been observed by GreyNoise. 

Infrastructure Concentration Suggests Deliberate Scanning

A significant portion of scanner IPs are hosted by a small number of cloud providers: 

  • Tencent Cloud (ASN 132203) accounts for 44% of all scanner IPs.
  • Other contributors include Cloudflare, Amazon, and Google. 

This level of infrastructure concentration — particularly within a single ASN — suggests that the scanning is deliberate and programmatically managed, rather than random or distributed probing. 

Defender Recommendations

Organizations should take the following steps: 

1. Dynamically block malicious and suspicious IPs using GreyNoise Block:

2. Audit public exposure of any MOVEit Transfer systems. 

3. Apply patches for known vulnerabilities, including CVE-2023-34362 and CVE-2023-36934.

4. Monitor real-time attacker activity against MOVEit Transfer by navigating to each respective GreyNoise tag:

We will continue to monitor the situation and provide updates as necessary. 


GreyNoise Observes Exploit Attempts Targeting Zyxel CVE-2023-28771

On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500. 

Key Stats

  • CVE: CVE-2023-28771
  • Exploit method: UDP port 500 (IKE packet decoder) 
  • Date observed: June 16, 2025
  • Duration of activity: One day (June 16, 2025)
  • Unique IPs: 244
  • Top destination countries: U.S., U.K., Spain, Germany, India.
  • IP classification: All malicious per GreyNoise
  • Infrastructure: Verizon Business (all IPs geolocated to U.S.)
  • Spoofable traffic: Yes (UDP-based)

Observed Activity

Exploitation attempts against CVE-2023-28771 were minimal throughout recent weeks. On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation.

The top destination countries were the U.S., U.K., Spain, Germany, and India.

Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.

IP Analysis 

All 244 IP addresses are registered to Verizon Business infrastructure and geolocated to the United States. However, because CVE-2023-28771 is exploited over UDP (port 500), spoofing is possible and these IPs may not reflect the true source of the traffic. 

Deeper analysis by GreyNoise identified indicators consistent with Mirai botnet variants, as confirmed by VirusTotal. Example payload, and IP metadata below: 

Recommendations

  • Block malicious IPs: While spoofing is possible, GreyNoise has classified all 244 IPs as malicious. Defenders should immediately block these IPs while monitoring for related activity. 
  • Review Zyxel device exposure: Verify that any internet-exposed Zyxel devices are patched for CVE-2023-28771. 
  • Monitor for post-exploitation activity: Exploit attempts may lead to botnet enlistment or additional compromise. Monitor affected devices for anomalies. 
  • Limit unnecessary IKE/UDP port 500 exposure: Apply network filtering where possible to reduce unnecessary exposure. 


Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats

GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. On June 5, 2025, two GreyNoise tags — Tomcat Manager Brute Force Attempt and Tomcat Manager Login Attempt — registered well above baseline volumes, indicating a deliberate attempt to identify and access exposed Tomcat services at scale. 

Summary of Observed Activity

Tomcat Manager Brute Force Attempt

  • 250 unique IPs observed 
  • Baseline range: 1-15 IPs
  • All classified as malicious 

Tomcat Manager Login Attempt

  • 298 unique IPs observed 
  • Baseline range: 10-40 IPs
  • 99.7% classified as malicious 

Summary of Observed Activity

Roughly 400 unique IPs were involved across both tags during this period of elevated activity. Most of the activity originating from these IPs exhibited a narrow focus on Tomcat services. 

A significant portion of this activity originated from infrastructure hosted by DigitalOcean (ASN 14061). 

Recommendations for Defenders

Immediately block the malicious IPs engaged in this activity with GreyNoise Block

While not tied to a specific vulnerability, this behavior highlights ongoing interest in exposed Tomcat services. Broad, opportunistic activity like this often serves as an early warning of future exploitation.  

Organizations with Tomcat Manager interfaces accessible over the internet should verify that strong authentication and access restrictions are in place. Reviewing recent login activity for anomalies is also advised. 

GreyNoise will continue monitoring for shifts in behavior or signs of follow-on exploitation. Subscribe to the GreyNoise Blog for updates. 


Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day

Key Takeaways

  • 251 malicious IPs, all hosted by Amazon and geolocated in Japan, launched a coordinated one-day scan on May 8.
  • These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity. 
  • All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation. 
  • Overlap analysis confirms tight coordination, not random scanning. 
  • Targeted technologies included ColdFusion, Apache Struts, Elasticsearch, WebLogic, Tomcat, and more. 
  • All 251 IPs are classified as malicious by GreyNoise.
  • This activity reflects patterns outlined in GreyNoise’s latest study, which tracks the reemergence of long-dormant threats. 
  • Defenders should take action now: check May 8 logs, block the 251 IPs, dynamically block IPs targeting these 75 tags, and monitor for follow-up exploitation. 
  • Similar scanning behavior preceded the discovery of two zero-days in Ivanti EPMM, reinforcing the need to treat coordinated scanning as an early warning signal. 

A Brief, Coordinated Reconnaissance Operation 

On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. Over the span of a single day, these IPs triggered 75 distinct scanning behaviors, each tracked by a GreyNoise tag — ranging from exploitation attempts for known CVEs to probes for misconfigurations and weak points in web infrastructure. 

This operation was opportunistic — as is all scanning observed by GreyNoise — but the infrastructure and execution suggest centralized planning. Every IP was active only on May 8, with no noticeable activity immediately before or after, indicating temporary use of cloud infrastructure rented specifically for this operation.  

Targeted Technologies 

Some of the behaviors observed included exploit attempts for: 

  • Adobe ColdFusion — CVE-2018-15961 (RCE)
  • Apache Struts — CVE-2017-5638 (OGNL Injection)
  • Elasticsearch — CVE-2015-1427 (Groovy Sandbox Bypass RCE)
  • Atlassian Confluence — CVE-2022-26134 (OGNL Injection)
  • Bash — CVE-2014-6271 (Shellshock)

These CVEs, while disclosed years ago, continue to attract interest from opportunistic attackers — a pattern explored in our latest research, which tracks the return of long-disclosed flaws to the threat landscape. 

Scope of the Scan: 75 Exposure Behaviors

The 251 IPs collectively triggered 75 distinct scanning behaviors, including: 

  • Old vulnerability exploits — ColdFusion, Struts, WebLogic, Drupal, Tomcat, Elasticsearch.  
  • Recon and enumeration techniques — WordPress author checks, CGI script scanning, web.xml access attempts. 
  • Misconfiguration probes — Git config crawlers, ENV variable exposures, shell upload checks. 

This wasn’t an operation focused on one exploit or tech stack. It reflected a broad-spectrum search for any exposed system — particularly older edge infrastructure that may be overlooked in patch cycles. 

The 2025 Verizon DBIR revealed the edge as a critical risk, reporting concerning trends across time-to-mass-exploit and remediation lags in edge technologies. 

Infrastructure Overlap Suggests Central Control

GreyNoise analysis revealed the following: 

  • 295 IPs scanned for ColdFusion (CVE-2018-15961).
  • 265 IPs scanned for Apache Struts (CVE-2017-5638).
  • 260 IPs scanned for Elasticsearch Groovy (CVE-2015-1427).
  • 262 IPs overlapped between ColdFusion and Struts.
  • 251 IPs overlapped across all three — and triggered 75 GreyNoise tags. 

This level of overlap points to a single operator or toolset deployed across many temporary IPs — an increasingly common pattern in opportunistic but orchestrated scanning. 

Block These Malicious IPs

GreyNoise has compiled the full list of all 251 malicious IPs observed in this operation. 

13.112.127.102,13.112.137.152,13.112.240.11,13.112.5.89,13.112.69.56,13.113.0.143,13.113.184.40,13.113.217.149,13.114.127.223,13.114.149.129,13.114.218.63,13.114.31.226,13.114.60.193,13.114.98.0,13.115.180.180,13.115.202.46,13.115.229.240,13.115.2.3,13.115.69.54,13.115.71.29,13.230.129.147,13.230.147.105,13.230.225.215,13.230.233.152,13.230.5.184,13.230.8.99,13.230.96.118,13.231.106.81,13.231.146.138,13.231.146.225,13.231.146.246,13.231.153.70,13.231.174.40,13.231.179.96,13.231.184.66,13.231.185.166,13.231.189.33,13.231.191.131,13.231.212.197,13.231.213.253,13.231.214.67,13.231.224.0,13.231.232.177,13.231.232.45,13.231.41.82,13.231.5.78,175.41.228.130,18.176.55.146,18.176.59.175,18.177.143.78,18.177.146.44,18.179.142.39,18.179.197.80,18.179.198.67,18.179.206.138,18.179.30.23,18.179.45.108,18.179.45.73,18.179.46.150,18.179.46.189,18.179.61.223,18.181.212.31,18.182.15.49,18.182.26.23,18.182.9.108,18.182.9.65,18.183.102.143,18.183.102.157,18.183.105.164,18.183.131.125,18.183.165.137,18.183.168.179,18.183.168.64,18.183.176.53,18.183.186.98,18.183.208.224,18.183.213.115,18.183.221.123,18.183.225.18,18.183.229.102,18.183.233.113,18.183.245.235,18.183.248.39,18.183.75.21,18.183.80.208,3.112.124.171,3.112.131.166,3.112.14.18,3.112.150.85,3.112.18.153,3.112.18.248,3.112.203.162,3.112.208.32,3.112.211.126,3.112.218.237,3.112.227.46,3.112.231.205,3.112.233.225,3.112.235.102,3.112.238.114,3.112.253.75,3.112.26.102,3.112.28.119,3.112.32.198,3.112.32.225,3.112.5.87,3.113.0.228,3.113.0.28,3.113.15.97,3.113.25.14,3.113.32.74,35.72.14.113,35.72.14.164,35.72.4.135,35.72.9.173,35.77.105.104,35.77.90.69,35.77.93.26,43.206.215.21,43.206.231.122,43.206.234.13,43.206.235.211,43.206.253.231,43.207.0.130,43.207.103.240,43.207.105.145,43.207.115.43,43.207.118.103,43.207.1.24,43.207.139.186,43.207.150.212,43.207.155.29,43.207.155.87,43.207.166.102,43.207.170.51,43.207.191.167,43.207.198.203,43.207.201.71,43.207.202.54,43.207.203.44,43.207.225.86,43.207.232.1,43.207.232.100,43.207.3.58,43.207.74.241,43.207.79.249,43.207.81.76,52.192.111.156,52.192.125.55,52.192.14.49,52.192.27.19,52.192.56.196,52.192.99.140,52.194.205.49,52.194.220.244,52.194.248.125,52.194.250.54,52.194.254.213,52.195.11.174,52.195.12.82,52.195.171.70,52.195.177.128,52.195.181.143,52.195.183.23,52.195.189.155,52.195.189.78,52.195.194.167,52.195.207.5,52.195.208.52,52.195.209.222,52.195.211.238,52.195.218.94,52.195.221.157,52.195.3.244,52.195.8.164,52.197.210.229,52.199.10.181,52.199.149.12,52.199.199.160,52.199.253.240,52.199.8.84,52.68.188.9,52.68.94.94,52.69.157.91,52.69.46.191,54.150.219.131,54.168.241.135,54.168.247.234,54.168.71.21,54.178.0.190,54.178.114.236,54.178.4.74,54.178.5.144,54.199.101.111,54.199.161.31,54.199.176.59,54.199.40.192,54.199.77.18,54.199.94.62,54.238.101.236,54.238.147.176,54.238.179.56,54.238.189.57,54.238.237.183,54.238.237.9,54.238.4.12,54.238.80.76,54.248.152.214,54.248.156.216,54.248.201.195,54.248.36.134,54.249.121.50,54.249.133.28,54.249.155.117,54.249.219.65,54.249.26.220,54.250.153.158,54.250.161.184,54.250.16.51,54.250.188.209,54.250.237.20,54.250.241.63,54.250.244.142,54.250.244.229,54.250.33.160,54.250.33.94,54.65.130.227,54.65.45.54,54.95.18.182,54.95.193.225,54.95.23.202,54.95.23.87,54.95.36.237,57.180.10.227,57.180.18.215,57.180.242.12,57.180.246.9,57.180.248.217,57.180.27.121,57.180.35.101,57.180.38.232,57.180.40.26,57.180.41.47,57.180.42.39,57.180.47.171,57.180.47.190,57.180.48.122,57.180.56.170,57.180.9.137,57.181.30.246,57.181.37.146

Defenders should block these IPs immediately. While follow-up exploitation may come from different infrastructure, GreyNoise classified all 251 IPs as malicious in real time. Dynamic IP blocking using GreyNoise allows defenses to respond instantly to new scanning infrastructure as it appears, removing guesswork and reducing exposure windows. 

Dynamically Block IPs Targeting These 75 Tags

Identify which of the 75 GreyNoise tags apply to your environment and dynamically block IPs engaging in that activity. 

Edge & Middleware RCEs

CMS & Web App Exploits

IoT & Hardware Targets

Reconnaissance & Crawlers

File Uploads & Web Shells

SQLi & Path Traversal

Legacy & Resurgent CVEs

Authentication & Config Scans

Miscellaneous or Unclassified

GreyNoise will continue to monitor this situation and provide updates as necessary. 

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

 

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

Ivanti EPMM Zero-Days: Reconnaissance to Exploitation

The bottom line: Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after GreyNoise reported a surge in scanning activity against other Ivanti technologies last month. Immediate patching is required.

Why It Matters

When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile (EPMM) systems. In April, GreyNoise warned about a 9X surge in scanning against Ivanti products — that reconnaissance has now transitioned to exploitation.

The Vulnerabilities

  • CVE-2025-4427 (CVSS: 5.3): Authentication bypass via improper validation sequence
  • CVE-2025-4428 (CVSS: 7.2): Remote code execution through Expression Language injection

How they work: The flaws target the /api/v2/featureusage and /api/v2/featureusage_history endpoints. Input validation occurs before authentication checks, allowing attackers to inject malicious code without credentials.

What We're Seeing

  • We initially observed a small number of attempts to exploit CVE-2025-4427 from one IP address — 212.102.51.249 — on 2025-05-16 (~02:30 GMT). The attempts targeted only our Ivanti sensors, so the attacks are unlikely to be random or opportunistic in nature.
  • The IP count has since risen to three — all non-spoofable and malicious, originating from Indonesia, the United States, and India.
  • The pattern follows the predicted reconnaissance → exploitation lifecycle.
  • Activity is tracked via our CVE-2025-4427 tag.

Who Discovered It

Credit to Project Discovery and WatchTowr for their excellent technical analysis:

  • Project Discovery revealed validation precedes authorization in Spring MVC's workflow.
  • WatchTowr provided detailed proof-of-concept exploits showing the order-of-operations issue.

Affected Versions & Patches

Vulnerable:

  • 11.12.0.4 and earlier
  • 12.3.0.1, 12.4.0.1, 12.5.0.0

Patched:

  • 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1

Take Action Now

  1. Patch immediately to fixed versions.
  2. Review logs for suspicious API activity.
  3. Block malicious IPs using GreyNoise Intelligence tag-focused block lists.
  4. Implement WAF rules if patching is delayed.
  5. Hunt for IOCs focusing on unusual API access patterns.

The Big Picture

This case demonstrates why monitoring scanning trends provides early warning of attacks. The exploitation activity is currently limited, but will likely accelerate as more threat actors incorporate these vulnerabilities into their toolkits.

Organizations with Portal ACLs or WAF restrictions have reduced exposure, but patching remains the only complete solution.


Spike in Git Config Crawling Highlights Risk of Codebase Exposure

GreyNoise observed a significant increase in crawling activity targeting Git configuration files on April 20-21, 2025. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. This activity is tracked under the GreyNoise Git Config Crawler tag, which identifies IPs crawling the internet for sensitive Git configuration files. 

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

Majority of IPs are Malicious — Potential Regional Targeting

GreyNoise observed nearly 4,800 unique IP addresses daily from April 20-21, marking a substantial increase compared to typical levels. Although activity was globally distributed, Singapore ranked as both the top source and destination for sessions during this period, followed by the U.S. and Germany as the next most common destinations. 

Likewise, in the past 90 days by unique IP count, Singapore remains the top source and destination country for this activity. None of the IPs are spoofed, indicating the traffic originated from the IPs observed. GreyNoise can confirm that 95% of all IPs engaged in this behavior in the past 90 days are malicious.  

Top Source Countries:

  • Singapore (4,933 unique IPs)
  • U.S. (3,807 unique IPs)
  • Germany (473 unique IPs)
  • U.K. (395 unique IPs)
  • Netherlands (321 unique IPs)

Top Destination Countries: 

  • Singapore (8,265 unique IPs)
  • U.S. (5,143 unique IPs)
  • Germany (4,138 unique IPs)
  • U.K. (3,417 unique IPs)
  • India (3,373 unique IPs)

The IPs are linked to cloud infrastructure providers such as Cloudflare, Amazon, and DigitalOcean.

Four Spikes Since September — April the Largest Yet

Since September 2024, GreyNoise has observed four distinct spikes in Git configuration crawling activity, each involving approximately 3,000 unique IPs — with the April 20-21, 2025 spike marking the largest to date. 

The late February spike tells somewhat of a different story in terms of source and destination session traffic:

Top Source Countries:

  • Netherlands 
  • U.S. 
  • Germany

Top Destination Countries:

  • U.S.
  • U.K. 
  • Spain

Why It Matters

Git configuration files can reveal: 

  • Remote repository URLs (GitHub, GitLab)
  • Branch structures and naming conventions 
  • Metadata that provides insight into internal development processes

In some cases, if the full .git directory is also exposed, attackers may be able to reconstruct the entire codebase — including commit history, which may contain confidential information, credentials, or sensitive logic. 

In 2024, a Git configuration breach exposed 15,000 credentials and resulted in 10,000 cloned private repositories. 

Recommendations

To prevent this type of exposure: 

  • Ensure .git/ directories are not accessible via public web servers
  • Block access to hidden files and folders in web server configurations
  • Monitor logs for repeated requests to .git/config and similar paths
  • Rotate any credentials exposed in version control history
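
As an added illustration of what the recommendations above protect against (this is not GreyNoise tooling and not code from the original post), the following Python script walks a web document root, reports every .git directory a crawler could reach, and parses each .git/config the way a Git Config Crawler would, redacting any credentials embedded in remote URLs. The document root, organisation, repository and token in build_sample_docroot() are constructed sample data; is_hidden_path() expresses the "block hidden files and folders" rule as a request-path check so it can be unit-tested alongside the web server configuration.

```python
"""Audit a web document root for exposed .git directories.

Added example, not GreyNoise tooling. Everything built by
build_sample_docroot() is constructed sample data (hypothetical org,
repository and token).
"""
import configparser
import os
import tempfile
from urllib.parse import urlsplit, urlunsplit


def is_hidden_path(request_path: str) -> bool:
    """Request-path form of the 'deny hidden files and folders' rule (what an
    nginx `location ~ /\\.` deny block expresses): any path segment that
    starts with '.' (e.g. /.git/config, /app/.env) should be refused."""
    return any(seg.startswith(".") for seg in request_path.split("/") if seg)


def _redact_userinfo(url: str) -> tuple:
    """Strip user:token@ from a remote URL; return (clean_url, had_credentials)."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, False
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), True


def inspect_git_config(path: str) -> dict:
    """Parse a .git/config like a crawler would and summarise what it leaks:
    remote URLs, branch names, and whether a remote URL embeds credentials."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read(path)
    remotes, branches, creds = {}, [], False
    for section in cp.sections():
        if section.startswith('remote "'):
            name = section[len('remote "'):-1]
            url, had = _redact_userinfo(cp.get(section, "url", fallback=""))
            remotes[name] = url
            creds = creds or had
        elif section.startswith('branch "'):
            branches.append(section[len('branch "'):-1])
    return {"remotes": remotes, "branches": branches, "credentials_in_url": creds}


def find_exposed_repos(docroot: str) -> list:
    """Report every .git directory under docroot with the URL path a crawler
    would request and what its config reveals."""
    findings = []
    for dirpath, dirnames, _files in os.walk(docroot):
        if ".git" not in dirnames:
            continue
        git_dir = os.path.join(dirpath, ".git")
        rel = os.path.relpath(git_dir, docroot).replace(os.sep, "/")
        finding = {"url_path": "/" + rel + "/config"}
        cfg = os.path.join(git_dir, "config")
        if os.path.isfile(cfg):
            finding.update(inspect_git_config(cfg))
        findings.append(finding)
        dirnames.remove(".git")  # no need to descend into repository internals
    return findings


# Constructed sample: a deploy that copied the whole checkout, .git included,
# into the web root, with a token embedded in the remote URL (hypothetical).
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy:EXAMPLE_TOKEN@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""


def build_sample_docroot() -> str:
    """Create a throwaway document root containing the sample exposure."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "static"))
    git_dir = os.path.join(root, "app", ".git")
    os.makedirs(git_dir)
    with open(os.path.join(git_dir, "config"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GIT_CONFIG)
    return root


if __name__ == "__main__":
    for finding in find_exposed_repos(build_sample_docroot()):
        print(finding)
```

Run it against a real document root instead of the sample to get the list of .git paths to remove; any remote whose credentials_in_url is true is a token to rotate, regardless of whether a crawler has already fetched it.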

Related CVE:

CVE-2021-23263

GreyNoise will continue to monitor the situation and provide updates as necessary. To stay abreast of the latest developments, please navigate to the top of this page and subscribe to our blog. 


9X Surge in Ivanti Connect Secure Scanning Activity

May 20, 2025 Update:

Our April 23 report highlighted a sharp surge in scanning activity targeting Ivanti Connect Secure and Pulse Secure products. Just weeks later, two zero-day vulnerabilities were disclosed in Ivanti EPMM — a separate but related technology. Click the yellow button below to view attacker IPs targeting these zero-days in real time.

While the scanning we observed was not directly tied to EPMM, the timeline underscores a critical reality: scanning activity often precedes the public emergence of zero-day vulnerabilities. It’s a leading indicator — a signal that attackers are probing critical systems, potentially in preparation for future exploitation. 

For defenders, this reinforces the value of watching real-time reconnaissance trends. Watching scanning patterns offers a rare opportunity to anticipate zero-days before they surface and proactively harden exposed systems.

End of Update

-----

On April 18, 2025, GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems. 

More than 230 unique IPs probed ICS/IPS endpoints — a sharp rise from the usual daily baseline of fewer than 30. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation. 

What We’re Seeing

GreyNoise has a tag tracking suspicious scanning activity for Ivanti Connect Secure systems. This tag includes IPs observed attempting to identify internet-accessible ICS/IPS systems.

Observed Spike: 234 Unique IPs on April 18, 2025

Observed Activity in Past 90 Days: 1,004 Unique IPs 

Spoofable IPs: 0% (none of the observed IPs are spoofable)

IP Classifications: 

  • 634 Suspicious
  • 244 Malicious
  • 126 Benign

Top 3 Source Countries:

  • U.S. 
  • Germany 
  • Netherlands

Top 3 Destination Countries:

  • U.S. 
  • Germany 
  • U.K.

Infrastructure Insights

A closer look at the source infrastructure reveals a notable split in behavior:

  • Malicious IPs (those observed in other known malicious activity) are primarily using:
    • Tor exit nodes
    • Common cloud and VPS providers with familiar names
  • Suspicious IPs are linked to:
    • Lesser-known or niche hosting providers
    • Less mainstream cloud infrastructure

Why This Matters

Ivanti Connect Secure has been targeted repeatedly in recent years due to its role in enterprise remote access. 

While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities. 

Recommended Defensive Actions

Security teams should: 

  • Review logs for suspicious probes of ICS/IPS.
  • Monitor login activity from new or suspicious IPs. 
  • Block known malicious or suspicious IPs using GreyNoise. 
  • Patch all ICS/IPS systems with the latest updates. 

GreyNoise will continue tracking this activity and will publish updates as necessary. 


GreyNoise Observes 3X Surge in Exploitation Attempts Against TVT DVRs — Likely Mirai

GreyNoise has observed a significant spike — 3 times that of typical activity — in exploitation attempts against TVT NVMS9000 DVRs, peaking on April 3 at over 2,500 unique IPs. This information disclosure vulnerability can be used to gain administrative control over affected systems. 

GreyNoise has identified sufficient overlap with Mirai, indicating this activity is associated with the botnet. Countless reports in the past have named the TVT NVMS9000 DVR as a target for botnet enlistment, including a GreyNoise update reporting Mirai targeting in early March. 

Manufactured by TVT Digital Technology Co., Ltd., a Shenzhen-based company, NVMS9000 DVRs are reportedly used in security and surveillance systems. The DVRs are used for recording, storing, and managing video footage from security cameras. A company report mentions TVT has “served customers in more than 120 countries.” 

Most malicious IP addresses are targeting systems based in the United States, United Kingdom, and Germany. 

GreyNoise Observations 

On March 31, 2025, GreyNoise observed the beginning of a surge in unique IP addresses attempting to exploit the NVMS9000 DVR. The number of IPs peaked at over 2,500 on April 3, with over 6,600 IPs attempting to exploit the flaw in the past 30 days. 

GreyNoise can confirm that all IPs targeting the flaw in the past 30 days are malicious, and none of them are spoofable. 

Attackers could potentially use this flaw to gain full control of the DVR. 

Source and Destination Countries

The majority of IPs in the past 30 days have originated from the Asia-Pacific (APAC) region, while the U.S., U.K., and Germany are the top target countries.  

Top Source Countries

  • Taiwan (3,637 IPs)
  • Japan (809 IPs)
  • South Korea (542 IPs)

Top Destination Countries

  • United States (6,471 IPs)
  • United Kingdom (5,738 IPs)
  • Germany (5,713 IPs)

Mitigations 

Organizations using the NVMS9000 DVR or similar systems should ensure that they are properly secured. Recommended actions include: 

  • Use GreyNoise to block known malicious IP addresses attempting to exploit this vulnerability. 
  • Apply all available patches.
  • Restrict public internet access to DVR interfaces. 
  • Monitor network traffic for signs of unusual scanning or exploitation attempts. 

Monitor attacker activity targeting this flaw and block malicious IPs. 

Stay updated by visiting the GreyNoise tag for this activity. 


Heightened In-The-Wild Activity On Key Technologies Observed On March 28

April 7, 2025 Update

After GreyNoise’s reporting of heightened activity targeting key technologies on March 28, we now observe on April 7 a significant rise in exploitation attempts against Linksys E-Series routers. 

GreyNoise assesses the activity is linked to Mirai. 

The associated GreyNoise tag is:

  • Linksys E-Series TheMoon Remote Command Injection Attempt

These updates come at a time when routers and other edge technologies are reportedly attracting significant interest from advanced, well-resourced attackers.

End of Update

-----

On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools. 

This uptick suggests increased reconnaissance or exploitation attempts, indicating that threat actors may be probing for vulnerabilities or unpatched systems. Security teams should be aware of this trend and assess potential risks. 

Observed Activity 

GreyNoise telemetry indicates a marked increase in in-the-wild activity targeting these systems.

View real-time activity and block malicious IPs by navigating to the GreyNoise Visualizer’s CVE Search feature and pasting CVEs of interest. 

Ivanti

SonicWall

Zoho

Zyxel

F5

Linksys 

Recommended Actions

  1. Patch Management: Ensure that all systems are up to date with the latest security patches to mitigate known vulnerabilities. 
  2. Network Monitoring: Closely monitor traffic — retroactively analyzing March 28 logs — for unusual patterns or activity targeting these systems. 
  3. Threat Intelligence & Dynamic Blocking: Use GreyNoise to view real-time activity targeting these systems, and to block malicious IPs. 

View real-time activity and block malicious IPs by navigating to the GreyNoise Visualizer’s CVE Search feature and pasting CVEs of interest. 


Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats

May 2, 2025 Update:  

GreyNoise has observed a sharp and sustained decline in suspicious opportunistic scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals — dropping by more than 99 percent within 48 hours of our March 31 report. 

Opportunistic scanning activity fell from a peak of 20,000 unique IPs per day to just over 100 per day, and remained low through April until now.

3xK Tech GmbH IP Infrastructure Abused

The majority of IPs involved in this activity are associated with the provider, 3xK Tech GmbH — accounting for nearly 20,000 of the 25,000+ IPs observed in the past 90 days. Of the physical subnets in which these IPs exist, 80 to 90 percent were involved in this activity. 

Similar to recent GreyNoise reporting on Git Config scanning, where actors abused Cloudflare infrastructure, actors are now relying heavily on infrastructure provided by 3xK Tech GmbH.

Threat actors are increasingly rotating between infrastructure providers, making provider-based blocking both ineffective and unsustainable. Dynamic IP blocking is essential to defend against these threats and future ones alike.


End of Update

-----

GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation. 

Recent patterns observed by GreyNoise suggest that this activity may signal the emergence of new vulnerabilities in the near future: 

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.” 

Key Observations 

  • The spike began on March 17, 2025, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off. 
  • Most of the observed activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs). 

The consistency of this activity suggests a planned approach to testing network defenses, potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals. 

A significant portion of the traffic is associated with 3xK Tech GmbH (20,010 IPs) under ASN200373. Other notable contributors include PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.

Additionally, GreyNoise has identified three JA4h hashes linked to the login scanner tool: 

  • po11nn11enus_967778c7bec7_000000000000_000000000000
  • po11nn09enus_fb8b2e7e6287_000000000000_000000000000
  • po11nn060000_c4f66731b00d_000000000000_000000000000

These hashes indicate the use of specific connection patterns typical of the login scanner tool used by the attackers in question, allowing GreyNoise to identify and correlate separate login attempts as originating from the same toolkit.
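
To make the three fingerprints above usable in a defender's own logs, here is an added Python example (not GreyNoise code and not part of the original post) that decodes a JA4H value into its readable parts and computes the same fingerprint for a request, so log entries can be compared against the reported values. The JA4H layout used here (method, HTTP version, cookie and referer flags, header count, Accept-Language, then three truncated SHA-256 hashes over header names, cookie names and cookie values) follows FoxIO's public JA4+ description as this example understands it; treat the exact hashing rules as an assumption. SAMPLE_HEADERS is a constructed request, not traffic from the scanner.

```python
"""Decode and compute JA4H (HTTP client) fingerprints.

Added example; the JA4H field layout is taken from the public JA4+
description (assumption), not from GreyNoise code.
"""
import hashlib
import re

# The three JA4h values quoted in the post.
REPORTED_SCANNER_JA4H = (
    "po11nn11enus_967778c7bec7_000000000000_000000000000",
    "po11nn09enus_fb8b2e7e6287_000000000000_000000000000",
    "po11nn060000_c4f66731b00d_000000000000_000000000000",
)

_A_RE = re.compile(r"^([a-z]{2})(\d{2})([cn])([rn])(\d{2})([a-z0-9]{4})$")
_VERSIONS = {"10": "HTTP/1.0", "11": "HTTP/1.1", "20": "HTTP/2", "30": "HTTP/3"}
_NO_COOKIE_HASH = "0" * 12


def decode_ja4h(fp: str) -> dict:
    """Split a JA4H string into the human-readable facts it encodes."""
    a, b, c, d = fp.split("_")
    m = _A_RE.match(a)
    if not m:
        raise ValueError(f"malformed JA4H_a section: {a!r}")
    method, ver, cookie, referer, nhdr, lang = m.groups()
    return {
        "method_prefix": method,           # first two letters of the HTTP method
        "http_version": _VERSIONS.get(ver, ver),
        "has_cookie": cookie == "c",
        "has_referer": referer == "r",
        "header_count": int(nhdr),         # excludes Cookie and Referer
        "accept_language": None if lang == "0000" else lang,
        "header_names_hash": b,            # truncated sha256 of header names in order
        "cookie_names_hash": c,
        "cookie_values_hash": d,
    }


def _h12(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()[:12]


def compute_ja4h(method: str, http_version: str, headers) -> str:
    """headers: ordered list of (name, value) pairs as the client sent them."""
    lower = [n.lower() for n, _ in headers]
    counted = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    lang = "0000"
    for n, v in headers:
        if n.lower() == "accept-language":
            primary = v.split(",")[0].split(";")[0].strip().lower().replace("-", "")
            lang = (primary[:4] + "0000")[:4]
            break
    a = "{}{}{}{}{:02d}{}".format(
        method[:2].lower(), http_version,
        "c" if "cookie" in lower else "n",
        "r" if "referer" in lower else "n",
        min(len(counted), 99), lang,
    )
    b = _h12(",".join(counted))
    cookies = []
    for n, v in headers:
        if n.lower() == "cookie":
            cookies += [ck.strip() for ck in v.split(";") if ck.strip()]
    if cookies:
        c = _h12(",".join(sorted(ck.split("=", 1)[0] for ck in cookies)))
        d = _h12(",".join(sorted(cookies)))
    else:
        c = d = _NO_COOKIE_HASH
    return f"{a}_{b}_{c}_{d}"


def is_reported_scanner(fp: str) -> bool:
    return fp in REPORTED_SCANNER_JA4H


def same_client_shape(fp1: str, fp2: str) -> bool:
    """True when the a and b sections match: same method, version and header
    set, regardless of cookies (the part a toolkit rarely varies)."""
    return fp1.split("_")[:2] == fp2.split("_")[:2]


# Constructed request: a POST with eleven non-cookie headers and en-US.
SAMPLE_HEADERS = [
    ("Host", "vpn.example.test"), ("User-Agent", "example-client/1.0"),
    ("Accept", "*/*"), ("Accept-Language", "en-US,en;q=0.9"),
    ("Accept-Encoding", "gzip"), ("Content-Type", "application/x-www-form-urlencoded"),
    ("Content-Length", "42"), ("Connection", "keep-alive"),
    ("Origin", "https://vpn.example.test"), ("X-Requested-With", "XMLHttpRequest"),
    ("Cache-Control", "no-cache"),
]

if __name__ == "__main__":
    for fp in REPORTED_SCANNER_JA4H:
        print(fp, decode_ja4h(fp))
    print(compute_ja4h("POST", "11", SAMPLE_HEADERS))
```

The decoded values already say something useful without the hashes: all three are HTTP/1.1 POSTs carrying no cookie and no Referer, two send en-US and one sends no Accept-Language at all, and they differ only in header count, which is consistent with one tool run in slightly different modes.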

 

Source and Destination Analysis 

  • Source Countries: Predominantly originating from the United States (16,249) and Canada (5,823), followed by Finland, Netherlands, and Russia.  
  • Destination Countries: The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore. 

These patterns reflect the global nature of the activity, indicating that multiple regions are being targeted.

Concurrent Crawler Activity Detected

The activity appears to be linked to other PAN-OS reconnaissance-related tags such as PAN-OS Crawler, where a single spike was observed on March 26, 2025 involving 2,580 unique source IPs. 

Reminiscent of 2024 Espionage Campaign

This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos. While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access. 

Recommendations

Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.

 

View Attacker Activity & Block Malicious IPs

GreyNoise will continue to monitor the situation and provide updates if material developments arise. 

Navigate now to the GreyNoise Visualizer to:

Use GreyNoise Block to block malicious IPs. Get started with a free 14-day trial.


Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers

Following reports of widespread reboots affecting DrayTek routers globally, GreyNoise is bringing awareness to in-the-wild activity against several known vulnerabilities in DrayTek devices. While we cannot confirm a direct connection between this activity and the reported reboots, we are surfacing this data to help defenders monitor and respond accordingly.

 

Observed In-The-Wild Activity 

GreyNoise has observed in-the-wild activity against the following CVEs:

  • CVE-2020-8515 — a remote code execution vulnerability in multiple DrayTek router models. 
  • CVE-2021-20123 — a directory traversal vulnerability in DrayTek VigorConnect. 
  • CVE-2021-20124 — a second directory traversal vulnerability in DrayTek VigorConnect. 

Below is a breakdown of recent in-the-wild activity observed by the GreyNoise Global Observation Grid (GOG).

Across all CVEs, GreyNoise has observed the following activity in the past 45 days:

By CVE, we’ve seen the following: 

CVE-2020-8515: Remote Code Execution 

  • No activity in the past 24 hours. 
  • 82 IPs observed in the past 30 days.
  • Top destination countries by sessions in the past week: Indonesia, Hong Kong, United States. 

CVE-2021-20123: Directory Traversal

  • Activity in the past 24 hours. 
  • 23 IPs observed in the past 30 days.
  • Top destination countries by sessions in the past week: Lithuania, United States, Singapore. 

CVE-2021-20124: Directory Traversal

  • Activity in the past 24 hours. 
  • 22 IPs observed in the past 30 days.
  • Top destination countries by sessions in the past week: Lithuania, United States, Singapore.

GreyNoise will continue to monitor in-the-wild activity related to DrayTek devices. Explore the GreyNoise Visualizer for the latest activity. 

Read the SecurityWeek report detailing the reboots. 


GreyNoise Observes Active Exploitation of Critical Apache Tomcat RCE Vulnerability (CVE-2025-24813)

Attackers are actively exploiting Apache Tomcat servers by leveraging CVE-2025-24813, a newly disclosed vulnerability that, if successfully exploited, could enable remote code execution (RCE). GreyNoise has identified multiple IPs engaging in this activity across multiple regions. 

Fortunately, GreyNoise can confirm exploit traffic is currently limited to naive attackers utilizing PoC code.

We created a new CVE-2025-24813 tag to help defenders track this activity. 


Active Exploitation Detected

GreyNoise has observed four unique IPs attempting to exploit this vulnerability since March 17, 2025. Attackers are leveraging a partial PUT method to inject malicious payloads, potentially leading to arbitrary code execution on vulnerable systems. 

Exploitation is already underway, with attack attempts spanning multiple countries. Given Apache Tomcat’s widespread deployment, these early signs of activity suggest more exploitation is likely to follow. 

Geographic Distribution 

Targeted Regions

The majority of exploit attempts targeted systems in the United States, Japan, India, South Korea, and Mexico, with over 70% of sessions directed at U.S.-based systems.

Attack Origin

GreyNoise observed exploitation attempts as early as March 11, though this activity is not reflected in the GreyNoise Visualizer. 

Within the visualizer, we first observed exploit attempts from a Latvia-based IP on March 18, followed by separate attempts on March 19 from IPs traced to Italy, the United States, and China. Notably, the Latvia-based IP showed no further activity after March 18, and the two IPs traced to Latvia and Italy are linked to a known VPN service. 

Today, GreyNoise observed another exploit attempt from the U.S.-based IP. Both IPs from China and the United States are not spoofable. 

Mitigations & Recommendations 

To protect against CVE-2025-24813, organizations running affected versions of Apache Tomcat should:

  • Apply the latest security patches immediately.
  • Monitor for unexpected PUT requests in web server logs. 
  • Deploy WAF rules to block malicious payloads. 
  • Use GreyNoise to track real-time exploitation activity and block malicious IPs. 
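
The log review asked for here (unexpected PUT requests) and in the Ivanti EPMM advisory earlier on this page (suspicious activity against the /api/v2/featureusage endpoints) can be done with one small access-log hunter. The Python below is an added example, not GreyNoise tooling: it parses combined-format log lines, flags PUT requests outside an allow-list of paths that legitimately accept PUT, flags any request to the two EPMM endpoints, and raises the priority when the decoded query string carries an Expression Language marker. The log lines, IP addresses, rule names and the allow-list are constructed for the example; the `${EXAMPLE}` query value is a placeholder, not a payload.

```python
"""Hunt web access logs for unexpected PUTs and EPMM featureusage probes.

Added example; the log lines below are constructed samples and the rule
names and allow-list are this example's own.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two Ivanti EPMM endpoints named in the advisory above.
EPMM_ENDPOINTS = {"/api/v2/featureusage", "/api/v2/featureusage_history"}
# Sequences that open an Expression Language expression.
EL_MARKERS = ("${", "#{")


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict, put_allowed_prefixes):
    """Name the rule a record trips, or None."""
    path, _, query = rec["target"].partition("?")
    if path.rstrip("/") in EPMM_ENDPOINTS:
        if any(mk in unquote(query) for mk in EL_MARKERS):
            return "epmm_el_injection_probe"
        return "epmm_featureusage_request"  # review even without a marker
    if rec["method"] == "PUT" and not any(path.startswith(p) for p in put_allowed_prefixes):
        return "unexpected_put"
    return None


def hunt(lines, put_allowed_prefixes=()):
    """Run every line through classify() and collect the hits in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than guess
        rule = classify(rec, put_allowed_prefixes)
        if rule:
            findings.append({"ip": rec["ip"], "rule": rule,
                             "target": rec["target"], "status": int(rec["status"])})
    return findings


def ips_by_rule(findings):
    """{rule: Counter(ip -> hits)} for a quick view of who is doing what."""
    out = {}
    for f in findings:
        out.setdefault(f["rule"], Counter())[f["ip"]] += 1
    return out


# Constructed sample log (documentation-range IPs; not real observations).
SAMPLE_LOG = [
    '203.0.113.10 - - [16/May/2025:02:31:07 +0000] "GET /api/v2/featureusage?format=%24%7BEXAMPLE%7D HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.10 - - [16/May/2025:02:31:09 +0000] "GET /api/v2/featureusage_history?days=7 HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [18/Mar/2025:10:02:11 +0000] "PUT /docs/report.txt HTTP/1.1" 201 0 "-" "curl/8.5.0"',
    '192.0.2.5 - - [18/Mar/2025:10:05:42 +0000] "PUT /api/v1/items/42 HTTP/1.1" 200 35 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [18/Mar/2025:10:05:50 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG, put_allowed_prefixes=("/api/v1/items/",))
    for h in hits:
        print(h)
    print(ips_by_rule(hits))
```

Feed it a real log with `hunt(open(path), put_allowed_prefixes=...)`; the allow-list is the part to tune, since a PUT that is routine for one application is the anomaly on a Tomcat host that should never accept uploads.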

Organizations should immediately assess their Apache Tomcat deployments and apply patches to mitigate potential RCE risks. 

GreyNoise is actively tracking this activity in real time — defenders can access our latest intelligence to block malicious IPs.


Resurgence of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities

GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities:

  • CVE-2024-4879 (Critical)
  • CVE-2024-5217 (Critical)
  • CVE-2024-5178 (Medium)

All three vulnerabilities have seen attacker interest in the past 24 hours. 

Over 70% of sessions in the past week were directed at systems in Israel. Over the past week, targeted systems have been detected in Israel, Lithuania, Japan, and Germany, though only Israel and Lithuania saw activity in the past 24 hours. 

These vulnerabilities reportedly may be chained together for full database access.

Notable Increase in Attacker Interest

GreyNoise has recorded the highest number of unique IPs targeting these vulnerabilities in the past month. The number of threat IPs observed in the past 24 hours — with unique IPs in the past 30 days — is as follows: 

CVE-2024-5178 (ServiceNow Input Validation)

  • 36 threat IPs in Past 24hrs 

This vulnerability is not in CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2024-4879 (ServiceNow Template Injection)

  • 48 threat IPs in Past 24hrs

CVE-2024-5217 (ServiceNow Input Validation)

  • 48 threat IPs in Past 24hrs 

Recommended Defensive Actions

Organizations using ServiceNow should take the following steps immediately: 

  • Apply Security Patches: Ensure all affected ServiceNow instances are updated with the latest security fixes.
  • Restrict Access: Limit exposure of management interfaces to prevent unauthorized access.
  • Monitor Trends: Use GreyNoise to track activity related to these vulnerabilities. 

GreyNoise will continue monitoring this evolving situation and provide real-time intelligence on observed activity. Leverage the GreyNoise Visualizer to stay updated with the latest. 


GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — —


New SSRF Exploitation Surge Serves as a Reminder of 2019 Capital One Breach

Update (March 12, 2025): New Evidence Suggests Attackers Are Mapping Infrastructure Before Exploitation

GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge on March 9, indicating attackers may be using Grafana as a foothold for deeper exploitation. While direct attribution is unclear, the timing suggests a multi-phase attack strategy, where attackers first map exposed infrastructure before escalating their attacks.


Grafana path traversal vulnerabilities have in the past been used to access configuration files and internal network details. The timing of this activity, followed closely by SSRF exploitation, suggests attackers may be using reconnaissance techniques to identify high-value targets before launching further attacks. While the direct relationship between these events remains unconfirmed, the pattern aligns with potentially more coordinated activity than initially reported.

What This Means for Defenders

  • If attackers are systematically mapping infrastructure before exploitation, defenders should identify and disrupt this early-stage activity. 
  • Monitoring for reconnaissance behaviors, such as path traversal attempts, may provide early warning signs before full-scale exploitation occurs. 
  • Organizations should act now to patch vulnerable systems, restrict access where possible, and monitor for unexpected outbound requests that could indicate SSRF exploitation. 

GreyNoise will continue tracking this activity and providing updates if new patterns emerge.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

End of Update

-----

GreyNoise Detects Unusual SSRF Exploitation Trends Across Multiple CVEs

Key Takeaways

  • On March 9, GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms. 
  • At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. 
  • The top countries receiving SSRF exploitation attempts during the surge were the United States, Germany, Singapore, India, and Japan.
  • Israel saw SSRF exploitation activity as early as January, with renewed activity observed in this latest surge. 
  • Historical parallels: SSRF vulnerabilities played a key role in the Capital One breach (2019), which exposed 100M+ records. 

SSRF is a Major Target for Attackers For Good Reason

Among other things, attackers leverage SSRF for: 

  • Cloud Exploitation: Many modern cloud services rely on internal metadata APIs, which SSRF can access if exploited. 
  • Pivoting and Reconnaissance: SSRF can be used to map internal networks, locate vulnerable services, and steal cloud credentials. 

Recent SSRF Exploitation Trends

GreyNoise is flagging a sharp increase in Server-Side Request Forgery (SSRF) exploitation on March 9 across multiple SSRF vulnerabilities: 

  • ~400 unique IPs have been observed actively exploiting 10 SSRF-related CVEs.
  • Many of the same IPs are targeting multiple SSRF vulnerabilities at once, rather than focusing on a single known vulnerability. 
  • Unlike routine botnet noise, this pattern suggests structured exploitation, automation, or pre-compromise intelligence gathering. 

Data from March 9, 2025

Which CVEs Are Being Exploited? 

GreyNoise has identified active exploitation attempts against the following flaws. Click on the links to see real-time exploitation activity and block malicious IPs.

Tag/CVE (Block Malicious IPs at Link)    Targeted Software
CVE-2020-7796                            Zimbra Collaboration Suite
CVE-2021-22214                           GitLab CE/EE
CVE-2021-39935                           GitLab CE/EE
CVE-2021-22175                           GitLab CE/EE
CVE-2017-0929                            DotNetNuke
CVE-2021-22054                           VMware Workspace ONE UEM
CVE-2021-21973                           VMware vCenter
CVE-2023-5830                            ColumbiaSoft DocumentLocator
CVE-2024-21893                           Ivanti Connect Secure
CVE-2024-6587                            BerriAI LiteLLM
(No CVE Assigned; See Right Link)        OpenBMCS 2.4 Authenticated SSRF Attempt
(No CVE Assigned; See Right Link)        Zimbra Collaboration Suite SSRF Attempt

Historical SSRF Exploitation by Destination Country

GreyNoise has identified the following ten countries as having the greatest exploitation activity in the past 6 months across all reported SSRF flaws: 

Additional countries seeing early SSRF exploitation, with spikes dating back to December 2024, are: Hong Kong, South Korea, Australia, France, Taiwan, Qatar, and Slovakia.

SSRF Exploitation in Past 24 Hours Limited to Israel and The Netherlands

Only two countries have been targeted in the past 24 hours: Israel and the Netherlands.

Recommendations for Defenders 

Organizations should take immediate steps to ensure they are not exposed: 

  • Patch and Harden Affected Systems 
    • Review patches for the targeted CVEs and apply mitigations where available. 
  • Restrict Outbound Access Where Possible
    • Limit outbound connections from internal apps to only necessary endpoints. 
  • Monitor for Suspicious Outbound Requests
    • Set up alerts for unexpected outbound requests.
  • Block Malicious IPs using GreyNoise Block and stay up to date on activity using the GreyNoise Visualizer links below
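The "Cloud Exploitation" bullet earlier in this post (SSRF reaching internal metadata APIs) and the "Restrict Outbound Access" and "Monitor for Suspicious Outbound Requests" recommendations just above describe the same control from two sides. The following Python is an added example, not GreyNoise's code or any of the listed vendors' fixes: a URL-fetching function in its vulnerable form next to a hardened validator that enforces an outbound allowlist of scheme and host, resolves the name, and refuses anything that lands in non-public address space. The allowlisted hosts, the fake DNS answers, and the "reason" strings are constructed for the example; the real-resolver helper uses `socket.getaddrinfo` and is only there for stand-alone use.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumption: the application only ever needs to reach these hosts, over HTTPS.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def fetch_target_vulnerable(user_url):
    """Vulnerable pattern: the caller-supplied URL goes straight to the HTTP client.
    From the server's network position that means internal hosts and the cloud
    metadata service are reachable; nothing is checked before the request is made."""
    return user_url


def is_public_address(addr):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def resolve_with_dns(host):
    """Real resolver for stand-alone use; the offline check below injects a fake one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(user_url, resolve=resolve_with_dns):
    """Hardened pattern. Returns (allowed, reason). Log the reason on every denial:
    denied outbound requests are exactly the alerting signal recommended above."""
    parts = urlparse(user_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    # Even an allowlisted name must resolve to public space: a name that points
    # at link-local or RFC 1918 addresses is still a request into the internal network.
    addrs = resolve(host)
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"host {host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS answers so the check runs offline. cdn.example.com is deliberately
# made to resolve to the link-local metadata address to show the resolution check firing.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/data",
                "http://169.254.169.254/latest/meta-data/",
                "https://cdn.example.com/asset.js",
                "https://10.0.0.5/"):
        print(url, "->", validate_outbound_url(url, fake_resolve))
```

The resolution step matters because an allowlist of names alone can be bypassed by whoever controls the name's DNS record; the check and the actual connection should also use the same resolved address so the answer cannot change between them.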

— — —


GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign

Cisco Talos recently uncovered a sophisticated attack campaign targeting Japanese organizations through CVE-2024-4577, a critical PHP-CGI remote code execution flaw with 79 exploits available. While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

Attack Overview

According to Cisco Talos, the threat actor exploited PHP-CGI installations on Windows systems to deploy Cobalt Strike beacons and conduct post-exploitation activities using the TaoWu toolkit. Key indicators include:

  • Initial Access: Exploitation via PHP-CGI vulnerability using HTTP POST requests with MD5 hash e10adc3949ba59abbe56e057f20f883e as a success marker.
  • Payloads: PowerShell scripts fetching Cobalt Strike reverse HTTP shellcode (e.g., http://38[.]14[.]255[.]23:8000/payload.ps1).
  • C2 Infrastructure: Servers 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba Cloud, with HTTP User-Agent strings mimicking legacy Internet Explorer versions.

GreyNoise Observations

GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025. 

GreyNoise’s Global Observation Grid (GOG) — a worldwide network of honeypots — detected 1,089 unique IPs attempting to exploit CVE-2024-4577 in January 2025 alone. While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in:

Target Country        Observation Period    Key Detail
Japan                 January 2025          Primary focus of Talos report
Singapore/Indonesia   January 2025          Secondary surge in attack volume
UK/Spain/India        Late January 2025     Anomalous spikes in exploitation

More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China. 

In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets.

Guidance for Defenders

Organizations with internet-facing Windows systems exposing PHP-CGI — especially those in these newly identified targeted regions — should follow the guidance provided by Cisco Talos and perform retro-hunts to identify similar exploitation patterns.

Identify and block malicious IPs actively targeting CVE-2024-4577. 
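A starting point for the retro-hunt recommended above, as an added example that is neither GreyNoise's nor Talos's tooling: a Python script that refangs the indicators listed in the Attack Overview (the two C2 addresses, the payload URL, and the MD5 success marker) and scans proxy and WAF log lines for them. The key=value log format, the sample lines, and the treatment of the legacy Internet Explorer User-Agent as a weak, supporting-only indicator are assumptions made for the example.

```python
import re

# Indicators exactly as published (defanged) in the Attack Overview above.
IOCS = {
    "c2_ips": ["38[.]14[.]255[.]23", "118[.]31[.]18[.]77"],
    "payload_url": "http://38[.]14[.]255[.]23:8000/payload.ps1",
    "success_marker": "e10adc3949ba59abbe56e057f20f883e",
}


def refang(value):
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


# Assumption: a legacy IE User-Agent is far too common to alert on alone, so it is
# only recorded as a supporting reason on lines that already matched a strong indicator.
LEGACY_IE_UA = re.compile(r"MSIE \d+\.\d")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")
SRC_RE = re.compile(r"\bsrc=(\S+)")

# Constructed proxy/WAF log lines; the key=value layout is an assumption about the log source.
SAMPLE_LOG = """\
2025-01-14T03:12:55Z src=10.20.1.15 dst=38.14.255.23:8000 method=GET url=http://38.14.255.23:8000/payload.ps1 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" status=200
2025-01-14T03:13:01Z src=10.20.1.15 dst=118.31.18.77:443 method=POST url=https://118.31.18.77/ ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" status=200
2025-01-14T03:14:22Z src=10.20.1.22 dst=93.184.216.34:443 method=GET url=https://www.example.com/ ua="Mozilla/5.0" status=200
2025-01-14T03:15:09Z waf=web01 event=body_match excerpt="...e10adc3949ba59abbe56e057f20f883e..." src=198.51.100.44
"""


def hunt(log_text, iocs=IOCS):
    """Return (line, reasons) for every line matching at least one strong indicator."""
    c2_ips = {refang(ip) for ip in iocs["c2_ips"]}
    payload_url = refang(iocs["payload_url"])
    marker = iocs["success_marker"].lower()
    hits = []
    for line in log_text.splitlines():
        reasons = []
        dst = DST_RE.search(line)
        if dst and dst.group(1) in c2_ips:
            reasons.append("c2_ip")
        if payload_url in line:
            reasons.append("payload_url")
        if marker in line.lower():
            reasons.append("success_marker")
        if not reasons:
            continue
        if LEGACY_IE_UA.search(line):
            reasons.append("legacy_ie_ua")
        hits.append((line, reasons))
    return hits


def hosts_to_review(hits):
    """Internal sources that reached the C2 or carried the marker: where to start triage."""
    hosts = set()
    for line, _ in hits:
        m = SRC_RE.search(line)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for line, reasons in results:
        print(", ".join(reasons), "<-", line[:80])
    print("review:", hosts_to_review(results))
```

Point `hunt` at the log window the Talos report and the GreyNoise observations cover (January and February 2025) rather than only the last few days; the source hosts it returns are the ones to pull for the deeper post-exploitation checks in the Talos guidance.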

Read the Cisco Talos report here.

GreyNoise Detects Active Exploitation of Silk Typhoon-Linked CVEs

Key Takeaways

  • GreyNoise has detected active exploitation by more than 90 unique threat IPs in the past 24 hours across CVEs linked to the Chinese cyber espionage group, Silk Typhoon (HAFNIUM). 
  • GreyNoise is not attributing this activity to Silk Typhoon. Rather, we have identified active exploitation of CVEs that have been linked to Silk Typhoon’s operations in prior campaigns. 
  • CVE-2021-26855, CVE-2021-44228 (Log4Shell), and CVE-2024-3400 are being actively targeted by threat actors. 
  • GreyNoise’s observations come just one day after Microsoft reported Silk Typhoon’s shift to IT supply chain targeting.
  • On Wednesday, U.S. authorities reportedly charged alleged Silk Typhoon operatives in a hacker-for-hire scheme, paying up to $75,000 per compromised inbox. 
  • The findings come as U.S. policymakers escalate scrutiny of Chinese cyber threats, with the House Select Committee on the Chinese Communist Party (CCP) holding a hearing on March 5, the same day Microsoft released its report, on the growing risks posed by Chinese state-sponsored hacking. 

GreyNoise Confirms Exploitation in the Wild

GreyNoise analyzed CVEs linked to Silk Typhoon and found three actively exploited in the past 24 hours:

  • CVE-2021-26855 – An Exchange ProxyLogon SSRF vulnerability.
  • CVE-2021-44228 – The Log4Shell vulnerability, a critical Apache Log4j RCE. 
  • CVE-2024-3400 – A PAN-OS GlobalProtect RCE. 

GreyNoise Observations: Active Exploitation in the Past 24 Hours

GreyNoise’s Global Observation Grid (GOG) confirms exploitation of these CVEs in the past 24 hours. The heatmap below shows activity over the past 45 days, and the following data reflects the last 30 days. 

CVE-2021-26855 (ProxyLogon SSRF)

Top 3 Source Countries
  • Singapore
  • France
  • United States
Top 3 Behaviors of Exploiting IPs
  • ProxyLogon SSRF Attempt
  • ADB Attempt
  • Web Crawler
IP Count
  • 52 (Past 24 Hours)
  • 2,199 (Past 30 Days)

CVE-2021-44228 (Log4Shell RCE)

Top 3 Source Countries
  • United States 
  • Iran 
  • India
Top 3 Behaviors of Exploiting IPs
  • Apache Log4j RCE Attempt
  • Web Crawler
  • TLS/SSL Crawler
IP Count
  • 31 (Past 24 Hours)
  • 453 (Past 30 Days)

CVE-2024-3400 (PAN-OS GlobalProtect RCE)

Top 3 Source Countries
  • United States 
  • Singapore 
  • Germany
Top 3 Behaviors of Exploiting IPs
  • Palo Alto PAN-OS CVE-2024-3400 RCE Attempt
  • Generic Path Traversal Attempt
  • Web Crawler
IP Count
  • 10 (Past 24 Hours)
  • 164 (Past 30 Days)

Recommended Actions

  • Apply Patches Promptly – Ensure that all affected systems are updated to remediate CVE-2021-26855, CVE-2021-44228, and CVE-2024-3400.
  • Monitor GreyNoise Intelligence – Use GreyNoise tags and filtering to detect and block IPs engaged in malicious activity related to these CVEs. 
  • Reduce Exposure – 
    • Disable unnecessary internet-facing services. 
    • Implement strong authentication (such as MFA) on all accessible systems.
    • Segment networks to restrict lateral movement in case of compromise. 

GreyNoise will continue to monitor the threat landscape and provide insights on evolving attacker tactics. Explore the GreyNoise Visualizer.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — —

