Just Released! Β Β GreyNoise 2026 State Of The Edge Report
.png){kind=spacer}
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: March 23-30, 2026
A 22-CVE botnet recruitment platform, a coordinated scanner fleet mapping enterprise perimeter defenses, and vulnerability chaining in the React/Next.js campaign mark a week defined by specialization across the exploitation supply chain.
β
β
Four source IPs from AS215925 collectively exploit 22+ vulnerabilities targeting Hikvision cameras, MikroTik routers, TP-Link devices, D-Link NAS, and consumer DVRs. Combined 3,347,443 sessions in a systematic botnet recruitment operation including Generic IoT Default Password Attempt activity.
β
Six AWS-hosted IPs sharing identical fingerprints and rDNS (scan.visionheight[.]com) mapped management interfaces across Palo Alto, Sophos, Ivanti, Citrix, F5, and ConnectWise platforms. 5,892,055 combined sessions checking for authentication bypass vulnerabilities including Palo Alto Networks Login Scanner.
β
CVE-2025-55182 (CVSS 10.0) now chained with Next.js CVE2025-29927 (CVSS 9.1), defeating both authentication and application security layers in a single operation. 1,338,336 sessions in week 14 via React Server Components CVE-2025- 55182 RCE Attempt.
β
Daily sessions quadrupled from 8.5M to 36.6M between Tuesday and Thursday as at least four independent scanning operations β including ICS/SCADA protocol reconnaissance β activated new infrastructure simultaneously.
β
.png)
β
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: March 23-30, 2026
A 22-CVE botnet recruitment platform, a coordinated scanner fleet mapping enterprise perimeter defenses, and vulnerability chaining in the React/Next.js campaign mark a week defined by specialization across the exploitation supply chain.
β
β
Four source IPs from AS215925 collectively exploit 22+ vulnerabilities targeting Hikvision cameras, MikroTik routers, TP-Link devices, D-Link NAS, and consumer DVRs. Combined 3,347,443 sessions in a systematic botnet recruitment operation including Generic IoT Default Password Attempt activity.
β
Six AWS-hosted IPs sharing identical fingerprints and rDNS (scan.visionheight[.]com) mapped management interfaces across Palo Alto, Sophos, Ivanti, Citrix, F5, and ConnectWise platforms. 5,892,055 combined sessions checking for authentication bypass vulnerabilities including Palo Alto Networks Login Scanner.
β
CVE-2025-55182 (CVSS 10.0) now chained with Next.js CVE2025-29927 (CVSS 9.1), defeating both authentication and application security layers in a single operation. 1,338,336 sessions in week 14 via React Server Components CVE-2025- 55182 RCE Attempt.
β
Daily sessions quadrupled from 8.5M to 36.6M between Tuesday and Thursday as at least four independent scanning operations β including ICS/SCADA protocol reconnaissance β activated new infrastructure simultaneously.
β
β
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
