Just Released! Β Β Ten Days Before Zero: How Activity Surges in GreyNoise Data Precede Vulnerability Disclosure
.png){kind=spacer}
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: May 11 - 18, 2026
SonicWall VPN targeting reversed course after a documented 92.9% decline, with coordinated credential attacks and management API scanning making SonicWall the most targeted single-vendor perimeter product this week at 72.2% of all enterprise VPN sessions. This session spike matches early warning indicators from GreyNoise Ten Days Before Zero research β a pattern that has preceded new SonicWall vulnerability disclosures by a median of 11 days. A coordinated VNC scanning campaign probed non-standard ports with per-target intensity far exceeding typical reconnaissance. Two independent infrastructure clusters converged on ConnectWise ScreenConnect and enterprise remote access products globally β without coordination.
β
β
After weeks of documented decline, SonicWall is back as the dominant VPN target β API scanning and credential attacks hit simultaneously at a near 1:1 ratio, accounting for 72.2% of enterprise VPN-targeted activity. This resurgence exhibits multiple early warning indicators from the GreyNoise Ten Days Before Zero framework β patterns that have preceded new SonicWall disclosures by a median of 11 days.
β
A coordinated three-IP cluster probed non-standard VNC ports 5902β5910 with per-target intensity far exceeding typical scanning β targeting configurations that most organizations don't monitor. VNC receives less defensive attention than RDP or SSH, which is exactly why it's being targeted.
β
A Netherlands-based cluster and an AWS-hosted platform independently target CVE-2024-1709 (CVSS 10.0) globally. Independent convergence on the same vulnerability β from separate infrastructure and tooling β signals ScreenConnect has become a consensus high-value target.
β
Default credential attacks continued at elevated baseline levels. Realtek CVE-2014-8361 remains the most broadly weaponized IoT vulnerability β integrated into 15 botnets with 6,219 malicious IPs active in the last ten days.
β
β
β
.png)
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: May 11 - 18, 2026
SonicWall VPN targeting reversed course after a documented 92.9% decline, with coordinated credential attacks and management API scanning making SonicWall the most targeted single-vendor perimeter product this week at 72.2% of all enterprise VPN sessions. This session spike matches early warning indicators from GreyNoise Ten Days Before Zero research β a pattern that has preceded new SonicWall vulnerability disclosures by a median of 11 days. A coordinated VNC scanning campaign probed non-standard ports with per-target intensity far exceeding typical reconnaissance. Two independent infrastructure clusters converged on ConnectWise ScreenConnect and enterprise remote access products globally β without coordination.
β
β
After weeks of documented decline, SonicWall is back as the dominant VPN target β API scanning and credential attacks hit simultaneously at a near 1:1 ratio, accounting for 72.2% of enterprise VPN-targeted activity. This resurgence exhibits multiple early warning indicators from the GreyNoise Ten Days Before Zero framework β patterns that have preceded new SonicWall disclosures by a median of 11 days.
β
A coordinated three-IP cluster probed non-standard VNC ports 5902β5910 with per-target intensity far exceeding typical scanning β targeting configurations that most organizations don't monitor. VNC receives less defensive attention than RDP or SSH, which is exactly why it's being targeted.
β
A Netherlands-based cluster and an AWS-hosted platform independently target CVE-2024-1709 (CVSS 10.0) globally. Independent convergence on the same vulnerability β from separate infrastructure and tooling β signals ScreenConnect has become a consensus high-value target.
β
Default credential attacks continued at elevated baseline levels. Realtek CVE-2014-8361 remains the most broadly weaponized IoT vulnerability β integrated into 15 botnets with 6,219 malicious IPs active in the last ten days.
β
β
β
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
