.png)
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: July 06 to July 13, 2026
Late in the week, GreyNoise's early-warning detection flagged validated spikes against FortiOS SSL VPN, Cisco SSL VPN, Ivanti EPMM, and NETGEAR devices; elevations of this kind have historically preceded new vendor vulnerability disclosures. Beneath them, a single host ran file-inclusion exploitation and coordinated /24 blocks brute-forced RouterOS and RDP for credentials, almost all on short-lived rented hosting. The durable signal was behavioral: shared client fingerprints and hosting blocks, not rotating IP addresses.
β
β
GreyNoise's early-warning detection flagged validated late-week spikes against FortiOS SSL VPN (CVE-2018-13379, a CISA KEV), Cisco SSL VPN, Ivanti EPMM, and NETGEAR. Elevations of this kind have historically preceded new vulnerability disclosures or renewed exploitation affecting the same vendor. Confirm patch status and reduce exposure on these devices now.
β
One DIGI VPS host (103.168.66.158) generated high exploitation volume, running Generic Path Traversal at scale alongside ThinkPHP (CVE-2022-47945, CVSS 9.8), Joomla, and Linear eMerge file-inclusion exploits, a direct route to code execution. Tracking routes to code execution is often more valuable than tracking individual CVEs, because attackers frequently chain multiple weaknesses together to reach RCE.
β
Two VPSVAULT hosts on 45.198.224.0/24 ran roughly 665,000 RouterOS Bruteforcer attempts against the MikroTik management API on TCP/8728, about 84 percent of that activity corpus-wide. No CVE is involved; this is pure valid-credential discovery against a control surface often left internet-facing.
β
Nine hosts on 91.238.181.0/24 (FBW NETWORKS) ran coordinated RDP scanning and brute-force in lockstep; the lead host alone targeted United States and Canada. The coordination signal is the shared /24 and uniform behavior, not a fingerprint, and the dense, evenly-loaded /24 is consistent with initial-access preparation.
β
β
β
.png)
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
β
β
β
β
β
β
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: July 06 to July 13, 2026
Late in the week, GreyNoise's early-warning detection flagged validated spikes against FortiOS SSL VPN, Cisco SSL VPN, Ivanti EPMM, and NETGEAR devices; elevations of this kind have historically preceded new vendor vulnerability disclosures. Beneath them, a single host ran file-inclusion exploitation and coordinated /24 blocks brute-forced RouterOS and RDP for credentials, almost all on short-lived rented hosting. The durable signal was behavioral: shared client fingerprints and hosting blocks, not rotating IP addresses.
β
β
GreyNoise's early-warning detection flagged validated late-week spikes against FortiOS SSL VPN (CVE-2018-13379, a CISA KEV), Cisco SSL VPN, Ivanti EPMM, and NETGEAR. Elevations of this kind have historically preceded new vulnerability disclosures or renewed exploitation affecting the same vendor. Confirm patch status and reduce exposure on these devices now.
β
One DIGI VPS host (103.168.66.158) generated high exploitation volume, running Generic Path Traversal at scale alongside ThinkPHP (CVE-2022-47945, CVSS 9.8), Joomla, and Linear eMerge file-inclusion exploits, a direct route to code execution. Tracking routes to code execution is often more valuable than tracking individual CVEs, because attackers frequently chain multiple weaknesses together to reach RCE.
β
Two VPSVAULT hosts on 45.198.224.0/24 ran roughly 665,000 RouterOS Bruteforcer attempts against the MikroTik management API on TCP/8728, about 84 percent of that activity corpus-wide. No CVE is involved; this is pure valid-credential discovery against a control surface often left internet-facing.
β
Nine hosts on 91.238.181.0/24 (FBW NETWORKS) ran coordinated RDP scanning and brute-force in lockstep; the lead host alone targeted United States and Canada. The coordination signal is the shared /24 and uniform behavior, not a fingerprint, and the dense, evenly-loaded /24 is consistent with initial-access preparation.
β
β
β
.png)
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
β
β
β
β
β
β