NoiseLetter August 2025

Welcome back to the NoiseLetter, coming to you fresh from surviving BlackHat/DEF CON! 🎰 We made it out of Vegas with our dignity (mostly) intact and are packed with insights on early warning signals, vulnerability detection, and webinars to keep you at the top of your game! Let's dive into what the noise is telling us this month!

Bob Unfiltered

VP of Data Science + Research, Bob Rudis, creatively gives his thoughts, hot-takes, and whatever else he feels like.

‍

Featured

Join GreyNoise VP of Data Science Bob Rudis and Head of Content Noah Stone on Sept. 9th at 12 PM ET as they break down key insights from our latest report, Early Warning Signals: When Attacker Activity Precedes New Vulnerabilities.

You’ll learn:

• How real-world attacker behavior may reveal early warning signs of soon-to-be disclosed vulnerabilities. 
• How to use GreyNoise telemetry to identify spikes and take preemptive action before new CVEs are known. 
• What security leaders and practitioners can do during the “six-week critical window” to reduce risk. 

   Register Today >>

‍

Product Announcements

Are you interested in time travel through network packets?

We’re looking for Active Development Partners who would like to engage in security research by applying Suricata Rules and network packet queries to the GreyNoise historical dataset. If you're interested, please email product@greynoise.io.

‍

Where to find us

• Attacker Activity May Reveal What’s Coming Next — Are You Watching Closely? (Virtual | Sept 9) New GreyNoise research reveals attackers often exploit edge tech before CVEs are disclosed—join Bob + Noah to learn how to spot early warning signals, act during the six-week critical window, and get ahead of the next vulnerability. Register Today >>
• GreyNoise UK Threat Briefing (in-Person \ Sept 11) If you're attending DSEI, join us at the Crowne Plaza London Docklands (16:30-18:30) for threat intelligence insights, networking, swag, and CPE credits!
  Register Today >> 
• GreyNoise University LIVE (Virtual | Sept 18) GreyNoise 101, now known as GreyNoise University LIVE is BACK! We are stoked to bring back this once-a-month webinar.  Learn More >>‍
• CriblCon (In-Person | Oct 13-15) If you're gonna be at CriblCon at the National Harbor, make sure to check out our booth! Learn More >>

‍

Fresh Content

• Blog: Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop in Single-Day Surge‍
• Blog: A Coordinated Brute Force Campaign Targets Fortinet SSL VPN ‍
• Blog: GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities
• White Paper: Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities

Recent Tags and Vulnerabilities

GreyNoise Labs released 73 tags during the month of August:

• ADB Epicentro Authorization Bypass CVE-2018-13109 Attempt
• Adobe Experience Manager Misconfiguration CVE-2025-54253 RCE Attempt
• Adobe Experience Manager Unsafe Deserialization CVE-2025-49533 RCE Attempt
• Adobe Experience Manager XXE CVE-2025-54254 LFI Attempt
• Alleged CasaOS Information Disclosure Attempt
• Apache Arrow Enumeration Attempt
• ASUS Router HTTP Bruteforce Attempt
• ASUS Router HTTP Login Attempt
• BlueImp jQuery-File-Upload Arbitrary File Upload Check
• Centos Control Web Panel ChangePerm Command Injection CVE-2025-48703 Attempt
• CHCNAV P5E GNSS API Credential Disclosure CVE-2022-30622 Attempt
• Cisco ISE Command Injection (and Container Escape) CVE-2025-20337 Attempt
• Citrix ADC Gateway Login Panel Crawler
• Commvault CVE-2025-57788 Authentication Bypass Attempt
• Coremail Version Check
• CrushFTP AS2 Validation Bypass CVE-2025-54309 Attempt
• Dahua Bitmap File Upload RCE Attempt
• Dahua Buffer Overflow CVE-2025-31700 RCE Attempt
• Dahua Buffer Overflow CVE-2025-31701 RCE Attempt
• Eclipse Jetty Path Traversal CVE-2021-28169 Attempt
• ECShop 2.x / 3.x SQL Injection Attempt
• Fortinet FortiSIEM OS Command Injection CVE-2025-25256 RCE Attempt
• Generic /proc Enumeration Attempt
• H.264 IP Camera Setup Scanner
• Hikvision iSecure Center Arbitrary File Upload Exploit Attempt
• HJTcloud LFI Attempt
• Huayu Reporter Command Injection RCE Attempt
• ICTBroadcast Session Cookie Injection CVE-2025-2611 RCE Attempt
• Ivanti Connect Secure Bruteforce Attempt
• Ivanti Connect Secure Login Attempt
• Jenkins Git-Parameter Plugin Build Param Injection CVE-2025-53652 Attempt
• Landray OA replaceExtend RCE Attempt
• Letta Remote Code Execution CVE-2025-51482 RCE Attempt
• Linear eMerge E3-Series File Inclusion CVE-2019-7254 LFI Attempt
• Lissy93 web-check CVE-2025-32778 RCE Attempt
• Litepubl CMS Remote Code Execution CVE-2025-29661 RCE Attempt
• Logsign Remote Command Injection Attempt
• MapSVG WordPress Plugin SQL Injection CVE-2022-0592 SQLi Attempt
• Masa CMS CVE-2024-32640 RCE Attempt
• Microsoft Index Server CVE-2001-0500 RCE Check
• Microsoft Sharepoint ToolShell Auth Bypass Deserialization RCE CVE-2025-49704 Attempt
• Microsoft Windows SMB Privilege Escalation CVE-2025-33073 Attempt
• Microstrategy Web login.asp Cross Site Scripting Check
• Navidrome Authentication Bypass CVE-2025-27112 Attempt
• NetScaler ADC Heap Overflow CVE-2025-7776 RCE Attempt
• Opsview Monitor Directory Traversal CVE-2016-10367 LFI Attempt
• Photo Gallery by 10Web SQL Injection CVE-2022-0169 SQLi Attempt‍
• Pie Register Plugin Cross-Site Scripting CVE-2015-7377 XSS Check
• ‍Portainer Crawler‍
• Robomongo Crawler‍
• Sante PACS Server Unauthenticated Path Traversal CVE-2025-2264 Attempt‍
• SAP Internet Graphics Server XXE CVE-2018-2393 DoS Attempt‍
• Sawtooth Software Lighthouse Studio Survey CGI Perl Injection RCE CVE-2025-34300 Attempt‍
• Secure Copy Content Protection SQL Injection CVE-2021-24931 SQLi Attempt‍
• sitemap.xml Crawler‍
• SmartDataSoft SmartBlog SQL Injection CVE-2021-37538 SQLi Attempt‍
• SonicWall SonicOS API Scanner‍
• SPDY ALPN Negotiation Attempt‍
• Spring Data REST JSON Deserialization CVE-2017-8046 RCE Attempt‍
• Tenda AC1200 CVE-2024-46450 Auth Bypass Attempt‍
• TITool PrintMonitor SQL Injection CVE-2018-7282 SQLi Attempt‍
• Tongda OA action_upload Arbitrary File Upload Attempt‍
• Vitogate 300 Command Injection CVE-2023-45852 RCE Attempt‍
• WarHawk Backdoor C2 Beakon‍
• WordPress Bruteforce Attempt‍
• WordPress Configuration setup-config.php Disclosure Attempt‍
• WordPress Download Manager Arbitrary Shortcode Execution CVE-2024-11740 RCE Attempt‍
• WordPress Login Attempt‍
• WordPress xmlrpc.php listMethods Scanner‍
• Xerox FreeFlow Core CVE-2025-8356 Directory Traversal Attempt‍
• XWiki LiveData REST SQL Injection CVE-2025-32429 Attempt‍
• Zhiyue Human Management System SQL Injection Attempt‍
• Zoho ManageEngine OpManager API Key Disclosure CVE-2020-11946 Attempt

‍

Community

• Request a New GreyNoise Tag - We've just published a new page to allow our amazing community to submit tag requests to the GreyNoise team. 
• ‍Try our Free Account - Quickly identify noisy scanners and trending attacks with our free plan.
• ‍Join our Community Slack and Discord- We share intel, give real time updates, and the occasional Dad joke. 

‍

Meme of the Month

*Have a joke you want included in the next NoiseLetter? Submit Your Joke >>

Life @ GreyNoise

Not subscribed to our NoiseLetter? Subscribe here.