Now Live! Β Β Project Swarm: Join the Collective. Defend the Edge
.png){kind=spacer}
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: June 15 to June 23, 2026
GreyNoise is not attributing this activity to FortiBleed; the brute-force it tracked stood down in early June. Also this week: a German-hosted source harvesting application secrets, and broadening Hikvision camera targeting.
β
β
Amid FortiBleed, GreyNoise is providing telemetry on the same Fortinet surfaces the reporting names, without attributing the activity at this time. A Fortinet SSL VPN brute-force GreyNoise tracked for months stood down in early June, and exploitation of the named vulnerabilities is minimal. Reset Fortinet credentials and enforce MFA per CISA guidance.
Distinct sources brute-forcing Cisco SSL VPN portals jumped to 3,645 on June 23, from double digits a week earlier. A subset also hit other vendors' VPN logins, so MFA and account lockout belong on every VPN edge, not just Cisco.
A German-hosted source is harvesting application secrets, probing Laravel CVE-2024-29291 and TeleMessage CVE-2025-48927 (/heapdump, CISA KEV) alongside heavy scanning for exposed .env, Git, AWS, and Spring Boot Actuator files. The focus points to deliberate harvesting, not opportunistic crawling.
Scanning for the Hikvision /SDK/webLanguage endpoint (CVE-2021-36260, CISA KEV) broadened across new and returning Netherlands-hosted sources. Treat any exposed Hikvision device answering these probes as potentially vulnerable.
β
β
.png)
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
β
β
β
β
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: June 15 to June 23, 2026
GreyNoise is not attributing this activity to FortiBleed; the brute-force it tracked stood down in early June. Also this week: a German-hosted source harvesting application secrets, and broadening Hikvision camera targeting.
β
β
Amid FortiBleed, GreyNoise is providing telemetry on the same Fortinet surfaces the reporting names, without attributing the activity at this time. A Fortinet SSL VPN brute-force GreyNoise tracked for months stood down in early June, and exploitation of the named vulnerabilities is minimal. Reset Fortinet credentials and enforce MFA per CISA guidance.
Distinct sources brute-forcing Cisco SSL VPN portals jumped to 3,645 on June 23, from double digits a week earlier. A subset also hit other vendors' VPN logins, so MFA and account lockout belong on every VPN edge, not just Cisco.
A German-hosted source is harvesting application secrets, probing Laravel CVE-2024-29291 and TeleMessage CVE-2025-48927 (/heapdump, CISA KEV) alongside heavy scanning for exposed .env, Git, AWS, and Spring Boot Actuator files. The focus points to deliberate harvesting, not opportunistic crawling.
Scanning for the Hikvision /SDK/webLanguage endpoint (CVE-2021-36260, CISA KEV) broadened across new and returning Netherlands-hosted sources. Treat any exposed Hikvision device answering these probes as potentially vulnerable.
β
β
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
β
β
β
β
