The most actionable intelligence
for perimeter threats

^{July 16, 2025}

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler.

^{July 9, 2025}

GreyNoise has identified a previously untracked variant of a scraper botnet, detectable through a globally unique network fingerprint.

^{June 25, 2025}

GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025.

‍

^{June 16, 2025}

‍On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500. 

‍

^{June 10, 2025}

GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. Coordinated targeting indicates possible upcoming threats.

‍

^{May 28,2025}

GreyNoise discovers stealthy backdoor campaign affecting thousands of routers. Tactics consistent with those of APT actors.

‍

^{May 27, 2025}

‍GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. Targeted technologies included ColdFusion, Apache Struts, Elasticsearch, WebLogic, Tomcat, and more.

‍

‍

^{May 16, 2025}

Two critical Ivanti zero-days are now being actively exploited after a surge in scanning activity last month. Immediate patching is required.

^{May 6, 2025}

The 2025 Verizon DBIR shows a troubling trend, and edge technologies are at the forefront. Time-to-exploit on the edge is zero days; meanwhile, it takes more than one month to remediate these flaws — a significant window of opportunity for attackers.

‍

^{May 2, 2025‍}

GreyNoise has observed a sharp and sustained decline in suspicious opportunistic scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. From 20,000 to just over 100 unique IPs per day.

‍

^{April 23, 2025}

GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems. We've previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities.

‍

^{April 23, 2025}

New GreyNoise research — attackers from every corner of the internet are exploiting a uniquely dangerous class of cyber flaws: resurgent vulnerabilities. What are they, what makes them uniquely dangerous, and what can defenders and policymakers do to protect their organizations?

^{April 7, 2025}

GreyNoise observes 3X surge in exploitation attempts against TVT DVRs — likely Mirai. Attackers could potentially use this flaw to gain full control of the DVR.

‍

^{April 1, 2025}

Heightened in-the-wild activity on key technologies observed on March 28. SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems targeted.

‍

^{March 20, 2025}

Attackers actively exploiting critical Apache Tomcat RCE vuln (CVE-2025-24813). 70% of traffic targeting U.S.-based systems.