Blog
>
Threat Signals

Threat Signals

Actionable intelligence on real-world threats as they unfold. Get insights into attacker behavior, infrastructure, exploitation of zero-days and n-days, temporal pattern, and geographic hotspots — all sourced from GreyNoise’s Global Observation Grid (GOG). Stay ahead of emerging threats, block malicious IPs, and understand what’s happening in the moment.
Threat Signals

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4. 

We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer. 

Key Observations

  • First observed activity: June 23, 2025
  • PoC released: July 4, 2025
  • GreyNoise tag published: July 7, 2025
  • CISA confirms activity with GreyNoise: July 9, 2025 (prior to KEV addition) 

TRACK MALICIOUS IPS BLOCK MALICIOUS IPS

Targeted Behavior 

Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting. 

CISA Confirmation 

On July 9, shortly after we published the tag, CISA contacted GreyNoise to confirm exploitation activity. CVE-2025-5777 was subsequently added to the Known Exploited Vulnerabilities (KEV) catalog. 

Recommended Actions

Defenders can dynamically block malicious IPs to reduce exposure and suppress alerts. 

TRACK MALICIOUS IPS BLOCK MALICIOUS IPS

The above list will stay updated as new IPs are observed attempting to exploit CVE-2025-5777.

GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

Noah Stone
Jul 16, 2025
All Posts
Threat Signals
Research
Insights
Product
Company
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Company
Product
GreyNoise Research
Threat Signals
Insights
Threat Signals
GreyNoise Research

GreyNoise Tag Round Up | September 2 - 13

New Tags

MongoDB Crawler  [Intention: Unknown]

Apple iOS Lockdownd Crawler [Intention: Unknown]

HTTP Request Smuggling [Intention: Malicious]

  • This IP address has been observed attempting to smuggle HTTP requests, a method commonly used to bypass load balancer or proxy security restrictions.
  • Sources: PortSwigger, JFrog
  • See it on GreyNoise Viz

Gh0st RAT Crawler  [Intention: Malicious]

  • This IP address has been observed checking for the existence of hosts infected with Gh0st trojan.
  • Sources: RSA Community, norman.no
  • See it on GreyNoise Viz

nJRAT Crawler  [Intention: Malicious]

Supervisor XML-RCE Attempt  [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2017-11610, a remote command execution vulnerability in Supervisor client/server.
  • Sources: NIST, Supervisor
  • See it on GreyNoise Viz

New Actor Tag

BLEXbot [Intention: Benign]

Supriya Mazumdar
Sep 13, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Roundup | August 16 - September 1

New Tags

Atlassian Confluence Server OGNL Injection Attempt [Intention: Malicious]

  • CVE-2021-26084
  • This IP address has been observed attempting to exploit CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
  • Sources: GitHub (1, 2), MITRE
  • See it on GreyNoise Viz

Atlassian Confluence Server OGNL Injection Vuln Check [Intention: Unknown]

  • CVE-2021-26084
  • This IP address has been observed checking for the existence of CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center.
  • Sources: GitHub (1, 2), MITRE
  • See it on GreyNoise Viz

Oracle WebLogic RCE CVE-2021-2109 [Intention: Malicious]

Seagate BlackArmor RCE Attempt [Intention: Malicious]

ASUS GT-AC2900 Auth Bypass Attempt [Intention: Malicious]

  • CVE-2021-32030
  • This IP address has been observed attempting to exploit CVE-2021-32030, an authentication bypass in ASUS GT-AC2900 routers.
  • Sources: MITRE, Atredis
  • See it on GreyNoise Viz

Apache SkyWalking GraphQL SQL Injection  [Intention: Malicious]

  • CVE-2020-9483
  • This IP address has been observed attempting to exploit CVE-2020-9483, a SQL injection vulnerability in Apache SkyWalking via GraphQL.
  • Sources: GitHub, NVD
  • See it on GreyNoise Viz

Carries HTTP Referer [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that includes the Referer header in its requests.
  • Sources: Firefox
  • See it on GreyNoise Viz

Stores HTTP Cookies  [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that supports storing Cookies.
  • Sources: Firefox (1, 2)
  • See it on GreyNoise Viz

Follows HTTP Redirects  [Intention: Unknown]

  • This IP address has been observed scanning the internet with an HTTP client that follows redirects defined in a Location header.
  • Sources: Firefox
  • See it on GreyNoise Viz

RSYNC Crawler  [Intention: Unknown]

New Actor Tag

University of Michigan [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

ADB Check [Intention: Unknown]

  • This IP address has been observed checking for the existence of the Android Debug Bridge protocol.
  • See it on GreyNoise Viz

ADB Attempt [Intention: Malicious]

  • This IP address has been observed checking for the existence of the Android Debug Bridge protocol and has requested interactivity.
  • See it on GreyNoise Viz

EDITORS NOTE: This blog post has been updated as of Sep. 2 to reflect edits to the Atlassian Confluence Server OGNL Injection tags.

The GreyNoise Team
Sep 2, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Roundup | August 2 - 16

New Tags

Tag: Exchange ProxyShell Vuln Attempt [Intention: Malicious]

Tag: Exchange ProxyShell Vuln Check [Intention: Unknown]

  • CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
  • This IP address has been observed checking for the existence of the ProxyShell vulnerability in Microsoft Exchange, an activity which commonly leaks sensitive information.
  • Sources: Medium, BlackHat, y4y.space
  • See it on GreyNoise Viz

Tag: Javascript Enabled [Intention: Unknown]

  • This IP address has been observed scanning the internet with a client that supports javascript, such as a web browser controlled through automation.
  • See it on GreyNoise Viz

Tag: Aerospike RCE Attempt [Intention: Malicious]

  • CVE-2020-13151
  • This IP address has been observed attempting to exploit CVE-2020-13151, a remote command execution in Aerospike databases.
  • Sources: NIST, GitHub [1, 2]
  • See it on GreyNoise Viz

Tag: Docker API Container Creation Attempt [Intention: Malicious]

Tag: Buffalo Router RCE Check [Intention: Unknown]

  • CVE-2021-20091
  • This IP address has been observed attempting to discover Buffalo routers susceptible to remote command injection through path traversal.
  • Sources: Tenable, MITRE
  • See it on GreyNoise Viz

Tag: Buffalo Router RCE Attempt [Intention: Malicious]

  • CVE-2021-20091
  • This IP address has been observed attempting to exploit Buffalo routers susceptible to remote command injection through path traversal.
  • Sources: Tenable, MITRE
  • See it on GreyNoise Viz

Tag: FirebirdSQL Crawler [Intention: Unknown]

Tag: Ruijie EG Command Injection Attempt [Intention: Malicious]

  • This IP address has been observed attempting command injection on Ruijie network devices with Easy Gateway support.
  • Sources: peiqi.tech
  • See it on GreyNoise Viz

Recent Actor Tag

  • Cortex® Xpanse™ [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: X Server Connection Attempt [Intention: Malicious]

  • This IP address has been observed scanning the Internet for X11 servers with access control disabled, which allows for unauthenticated connections.
  • See it on GreyNoise Viz

Tag: ADB Worm [Intention: Malicious]

Removed Tags

Supriya Mazumdar
Aug 16, 2021
Threat Signals

GreyNoise Identifies Vulnerability Checks of Exchange ProxyShell (CVE-2021-34473)

During BlackHat 2021, security researcher Orange Tsai demonstrated a proof-of-concept exploit for Microsoft Exchange vulnerabilities, including a Pre-auth Path Confusion leading to Access-Control List (ACL) bypass (tracked as CVE-2021-34473, also called ProxyShell). Since Tsai’s talk, multiple researchers have published write-ups about the vulnerabilities [1, 2]. GreyNoise had not observed any mass scanning activity until Aug. 9, and has seen a significant uptick in scanning as of Thursday, Aug. 12. GreyNoise has created two tags to track activity related to these vulnerabilities.

Figure 1: ProxyShell activity as seen by GreyNoise over time

Exchange ProxyShell Vuln Check: The vulnerability check for CVE-2021-34473 has several public variations. These include checking for access to /mapi/nspi which results in exposure of potentially sensitive information such as Version, User, UPN, SID, and Organization. Out of caution, GreyNoise tags this as malicious intent despite being a Vuln Check. [View In GreyNoise]

Exchange ProxyShell Vuln Attempt: Active attempts that leverage and chain the Pre-Auth Path Confusion for further exploitation through Elevation of Privilege on Exchange PowerShell Backend (CVE-2021-34523) or Post-auth Arbitrary-File-Write leading to remote code execution (CVE-2021-31207) are included in this tag. [View In GreyNoise]

Editor's Note: If either of these tags, or any tags for that matter, return "no results," this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.

The GreyNoise Team
Aug 13, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Roundup | July 19 - August 2

New Tags

CVE-2009-0545, CVE-2019-12725, CVE-2020-29390

Tag: Zeroshell RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit a remote command execution vulnerability in Zeroshell.
  • Sources: NIST [1, 2, 3]
  • See it on GreyNoise Viz

Tag: Cisco Smart Install RCE Attempt [Intention: Malicious]

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Vuln Check [Intention: Unknown]

  • This IP address has been observed checking for the existence of CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM which can lead to RCE.
  • Sources: PortSwigger, NIST
  • See it on GreyNoise Viz

CVE-2021-35464

Tag: ForgeRock OpenAM Pre-Auth RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-35464, a path traversal vulnerability in ForgeRock OpenAM that can lead to RCE.
  • Sources: PortSwigger, NIST
  • See it on GreyNoise Viz

CVE-2021-33544 to CVE-2021-33544 (11 CVEs)

Tag: UDP Technology IP Camera Attempt [Intention: Malicious]

CVE-2021-33544, CVE-2021-33548, CVE-2021-33550 to CVE-2021-33554

Tag: UDP Technology IP Camera Check [Intention: Unknown]

CVE-2017-12149

Tag: Jboss Application Server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2017-12149, a remote code execution vulnerability in JBoss Application Server.
  • Sources: NIST, GitHub
  • See it on GreyNoise Viz

CVE-2021-30497

Tag: Ivanti Avalanche Path Traversal [Intention: Malicious]

  • This IP address has been observed attempting to use CVE-2021-30497, a path traversal vulnerability in Ivanti Avalanche that could lead to arbitrary file retrieval.
  • Sources:  Ivanti, SSD Disclosure
  • See it on GreyNoise Viz

Tag: Double URL Encoding [Intention: Malicious]

  • This IP address has been observed requesting double encoded URLs, a method commonly used for bypassing defensive rules and directory traversal.
  • Sources:  OWASP, Imperva
  • See it on GreyNoise Viz

Tag: Apache OFBiz Deserialization RCE [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-29200, a deserialization vulnerability in Apache OFBiz 17.12.07 and earlier that can lead to unauthenticated RCE.
  • Sources:  NIST, xz.aliyun.com
  • See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

  • RDP Bruteforcer
  • Windows RDP Cookie Hijacker
  • RDP Scanner

Multiple RDP tags have been deprecated in favor of RDP Crawler, which more accurately accounts for much of the behavior we see. We are currently working to create more accurate and narrowly scoped tags for RDP scanning and exploitation.

The RDP Bruteforcer tag was created around the same time as BlueKeep and aggressively assigned `malicious` intent to basic RDP connection attempts. After re-evaluating this, we feel this was incorrect and have taken actions to improve our RDP tags in general.

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Cisco Smart Install Endpoint Scanner [Intention: Unknown]

Tag: Linksys E-Series TheMoon Worm [Intention: Malicious]

Integrations

Anomali: Now supports RIOT and the Community API.

Supriya Mazumdar
Aug 2, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Roundup | June 21 - July 16

New Tags

CVE-2020-36289

Tag: Jira User Enumeration Attempt [Intention: Unknown]

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Attempt [Intention: Malicious]

CVE-2021-1497, CVE-2021-1498

Tag: Cisco HyperFlex HX RCE Vuln Check [Intention: Unknown]

CVE-2020-35846, CVE-2020-35847, CVE-2020-35848

Cockpit CMS Command Injection [Intention: Malicious]

Recent Actor Tag

  • CISA [Intention: Benign]

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

  • ZeroShell RCE CVE-2009-0545
Supriya Mazumdar
Jul 18, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Round Up | June 7 - 18

New Tags

CVE-2020-25494

Tag: SCO OpenServer RCE Attempt [Intention: Malicious]

CVE-2021-22911

Tag: Rocket.Chat server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit CVE-2021-22911, a remote command execution vulnerability in Rocket.Chat server.
  • Sources: NIST, @CsEnox (GitHub )
  • See it on GreyNoise Viz

Tag: Vesta Control Panel RCE Attempt [Intention: Malicious]

CVE-2021-27144/46 | CVE-2021-27148/55 | CVE-2021-27158/59 | CVE-2021-27162/66 | CVE-2021-27168/69 | CVE-2021-27172

Tag: FiberHome Telnet Backdoor [Intention: Malicious]

  • This IP address has been observed attempting to authenticate via telnet using one of several known backdoor accounts in FiberHome routers.
  • Sources: Pierre Kim
  • See it on GreyNoise Viz

Tag: LokiBot C2 Crawler [Intention: Unknown]

  • This IP address has been observed crawling the Internet and attempting to discover LokiBot C2 nodes.
  • Sources: CISA
  • See it on GreyNoise Viz

Tag: Aerospike Crawler [Intention: Unknown]

Recent Actor Tag

  • ESET  [Intention: Benign]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Tomcat Manager Scanner [Intention: Unknown]

Supriya Mazumdar
Jun 20, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Round Up | May 24 - June 4

New Tags

CVE-2021-21985

Tag: Vmware vSphere Client RCE Attempt [Intention: Malicious]

Tag: VMware vSphere Client RCE Vuln Check [Intention: Unknown]

CVE-2021-28799

Tag: VMware ESXi OpenSLP RCE Attempt [Intention: Malicious]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Elasticsearch RCE Attempt [Intention: Malicious]

Recent Actor Tag

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

  • Swedish Defense Research Agency (FOI)
  • Elasticsearch Worm
Supriya Mazumdar
Jun 4, 2021
Threat Signals
GreyNoise Research

GreyNoise Tag Round Up | May 10 - 21

New Tags

CVE-2021-26912 | CVE-2021-26913 | CVE-2021-26914 | CVE-2021-26915

Tag: NetMotion Mobility Server RCE Attempt [Intention: Malicious]

  • This IP address has been observed attempting to exploit a deserialization vulnerability in NetMotion Mobility Server that can lead to remote code execution.
  • Sources: NIST [1, 2 , 3, 4], SSD Disclosure
  • See it on GreyNoise Viz

CVE-2021-21402

Tag: Jellyfin File Disclosure [Intention: Malicious]

CVE-2021-28799

Tag: QNAP walter SSH Backdoor Attempt [Intention: Malicious]

  • This IP address has been observed attempting to connect using the username and password 'walter,' which are hardcoded backdoor SSH credentials that exist in some QNAP devices.
  • Source: QNAP, QNAP Forum
  • See it on GreyNoise Viz

CVE-2021-30461

Tag: VoIPmonitor Unauthenticated RCE Attempt  [Intention: Malicious]

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: RDP Bruteforcer [Intention: Malicious]

  • This IP address has been observed attempting to brute-force Microsoft Remote Desktop credentials.
  • Source: Microsoft [1, 2]
  • See it on GreyNoise Viz

Recent Integrations

Rapid 7 InsightConnect: Supports Enterprise API and Community API access.

CORTEX XSOAR: Supports Enterprise API and Community API access.

The GreyNoise Team
May 21, 2021

No blog articles found

Please update your search term or select a different category and try again.

Get started today

Get a demoSearch for free
Products
Partners
Resources
Company
© 2025 GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo
Cookie Settings
We use cookies to ensure you get the best experience on our website. Learn more
Got it