Press Release

GreyNoise Intelligence Releases New Research, Raising Urgent Concerns About the Speed and Repetition of Cybersecurity Vulnerabilities

Provides key insights into attacker trends, exploited vulnerabilities and actionable defenses in its 2025 Mass Internet Exploitation Report  

Washington, DC – February 27, 2025 – GreyNoise Intelligence, the cybersecurity company providing real-time, verifiable threat intelligence into internet scanning and exploitation, today released “GreyNoise 2025 Mass Internet Exploitation Report,” its third annual report for the international cybersecurity defense community. This report provides key insights into attacker trends, exploited vulnerabilities and actionable defenses, based on an enormous research effort on the most significant internet software vulnerabilities of 2024.

“Mass exploitation isn’t just about zero-days — it’s about attackers industrializing vulnerability exploitation at scale,” said Andrew Morris, Founder and Chief Architect at GreyNoise. “They care less about CVSS scores or KEV lists. They scan the entire internet — it’s quick and cheap to do — they find what’s exposed, and go after it immediately. This report shows just how fast and unpredictable mass exploitation really is — and why security teams need real-time intelligence to keep up.”

With a global network of nearly 4,000 sensors in over 200 countries, GreyNoise observes, analyzes, and labels data firsthand on Internet Protocol (IP) addresses that scan and attack the internet every day.  By tracking hundreds of millions of events per day, GreyNoise provides security teams with active, real-time data on In-The-Wild (ITW) exploitation. This unique data serves as an early warning system for mass exploitation attacks on the internet, and is one of the most compelling evidence points to consider when determining the best course of defense against a specific vulnerability. GreyNoise also provides real-time IP block lists for security teams, along with the necessary context to quickly eliminate noisy alerts and rule out events from common business services. 

In 2024, GreyNoise created 573 new tags, covering 394 Common Vulnerabilities and Exposures (CVEs). Of these tags, 84 aligned with the Known Exploited Vulnerabilities (KEV) Catalog published by the Cybersecurity and Infrastructure Security Agency (CISA). GreyNoise observed multiple CVEs showing signs of exploitation before being added to CISA’s KEV catalog, reinforcing the need for real-time intelligence.

Key findings from the GreyNoise report include:

  • The most exploited vulnerability of 2024 targeted home internet routers, fueling massive botnets used in global cyberattacks. 
  • 40% of exploited vulnerabilities in 2024 were from 2020 or earlier — some dating back to the 1990s. Meanwhile, attackers are exploiting vulnerabilities within hours of disclosure, making real-time defense more critical than ever. 
  • Ransomware groups leveraged 28% of the CVEs in CISA’s Known Exploited Vulnerabilities catalog that GreyNoise tracked in 2024. 
  • A surge in May 2024 was traced to 12,000+ hacked Android devices, showing mobile threats are growing. 
  • Hackers are hijacking home internet routers — including ISP-provided fiber modems — to build massive botnets and launch cyberattacks worldwide. 
  • D-Link and Ivanti devices were among the most heavily exploited in 2024, posing critical security risks for businesses and governments. 

“Mass exploitation in 2024 was characterized by relentless automation, persistent targeting of legacy vulnerabilities, and the rapid weaponization of new exposures,” said Bob Rudis, Vice President of Data Science, GreyNoise Intelligence.  “Organizations face an increasingly complex threat landscape where speed of detection and response is crucial, and those who fail to shift from reactive to proactive security postures will continue to be prime targets for both sophisticated threat actors and opportunistic operators.  By leveraging the intelligence in this report, security teams can implement more targeted controls, prioritize patch deployment for actively exploited vulnerabilities, and make data-driven decisions about their security posture that align with real-world attack patterns rather than theoretical risks.”

To request a copy of “GreyNoise 2025 Mass Internet Exploitation Report,” please visit: https://www.greynoise.io/resources/2025-mass-internet-exploitation-report.

About GreyNoise Intelligence

GreyNoise empowers the security teams of enterprises and global governments to act with speed and confidence by providing real-time, verifiable perimeter-based threat intelligence. This allows security teams to reduce noise in security operations, perform in-depth threat hunting campaigns, and focus on the most critical threats to their network. Our patented sensor technology enables us to collect and analyze unique threat data at scale that no one else can. We provide the most actionable threat intelligence against mass internet scanning and exploitation, so that no attack works twice. For more information, please visit https://www.greynoise.io/, and follow us on Twitter, Mastodon and LinkedIn.
