NoiseLetter December 2025

Happy New Year! After a refreshing holiday break, we’re back at it (and some of us even remember how to do our jobs). 2025 was big for GreyNoise: faster actor clustering and enrichment, the release of GreyNoise Block, broader sensor coverage, and research on all the latest vulns. Here’s what went down in December + what to look out for this month.

Bob Unfiltered

VP of Data Science + Research, Bob Rudis, creatively gives his thoughts, hot-takes, and whatever else he feels like.

‍

Featured

CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: Update

The React2Shell campaign remains highly active, with 8.1M+ attack sessions observed since disclosure and daily activity steady at 300K–400K. GreyNoise now tracks 8,163 source IPs across 1,071 ASNs in 101 countries, with cloud providers, especially AWS, dominating exploitation traffic. Ongoing attacker iteration is evident in 70K+ unique payloads and hundreds of distinct JA4H/JA4T fingerprints. Given the scale and diversity of infrastructure, static IP blocklists are insufficient; defenders should rely on GreyNoise Block and continuously updated threat intelligence, and treat this as an ongoing, active campaign.

‍Learn More >>

‍

Product Announcements

Are you interested in time travel through network packets?

We’re looking for Active Development Partners who would like to engage in security research by applying Suricata Rules and network packet queries to the GreyNoise historical dataset. If you're interested, please email product@greynoise.io.

‍

Where to find us

• Tradecraft Tuesday (Virtual | Jan 13) Join Huntress analysts Anna, Craig, and Michael, along with GreyNoise's Bob Rudis, for an in-depth look at React2Shell. Learn More >>
• RunZero Hour (Virtual | Jan 21) Catch our very own Brianna Cluck on this month's episode of RunZero Hour. Learn More >>‍
• SANS CTI Summit (In-Person | Jan 26 - 27) We are proud to be back sponsoring this year's SANS CTI Summit in Arlington, VA. Stop by the booth for a demo, great swag and a friendly chat. Learn More >>
• ‍GreyNoise University LIVE (Virtual | Jan 29) GreyNoise 101, now known as GreyNoise University LIVE is BACK! We are stoked to bring back this once-a-month webinar.  Learn More >>

‍

Fresh Content

• StormWatch: React2Shell: Welcome to the Scanner Thunderdome
• Blog: Coordinated Credential-Based Campaign Targets Cisco and Palo Alto Networks VPN Gateways
• Blog: There's Payloads, And Then There's pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacks
• Blog: CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far
• Blog: A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect
• NPR Interview: Holiday cyber scams are getting more inventive

‍

Recent Tags and Vulnerabilities

GreyNoise Labs released 88 tags during the month of December:

• .md Crawler
• Aajoda Testimonials WordPress Plugin Stored XSS CVE-2023-2178 Attempt
• AI Engine Plugin Sensitive Information Exposure CVE-2025-11749 Attempt
• AI Engine Plugin Sensitive Information Exposure CVE-2025-11749 Check
• Artica Proxy Unsafe Deserialization CVE-2024-2053 RCE Attempt
• Astro Header Injection CVE-2025-64525 SSRF Attempt
• Bitrix Site Manager Vote Module Arbitrary Code Execution CVE-2022-27228 RCE Attempt
• CMS Tree Page View Reflected XSS CVE-2023-30868 Check
• Complete Online Job Search System SQL Injection CVE-2022-32015 SQLi Attempt
• Core Design Scriptegrator Directory Traversal CVE-2010-0759 LFI Attempt
• Crypto Plugin Authentication Bypass CVE-2024-9989 Attempt
• Custom 404 Pro WordPress Reflected Cross-Site Scripting CVE-2023-2023 XSS Check
• D-Link Go-RT-AC750 Buffer Overflow CVE-2022-37055 RCE Attempt
• Dokan Pro SQL Injection CVE-2024-3922 SQLi Attempt
• Eleanor CMS Open Redirect CVE-2014-9180 Check
• Essential Real Estate Plugin Parameter Handling CVE-2022-3933 XSS Check
• Fanvil X210 Buffer Overflow CVE-2025-64053 RCE Attempt
• Fortinet FortiOS SAML Authentication Bypass CVE-2025-59718 Attempt
• Free Booking Plugin Arbitrary File Upload CVE-2022-1952 RCE Attempt
• FreePBX Endpoint Manager Arbitrary File Upload CVE-2025-61678 RCE Attempt
• FreePBX Endpoint Manager Authentication Bypass CVE-2025-66039 Attempt
• FreePBX Endpoint Manager Command Injection CVE-2025-64328 RCE Attempt
• FreePBX Endpoint Manager SQL Injection CVE-2025-61675 SQLi Attempt
• GeoServer XXE CVE-2025-58360 Attempt
• GiveWP Reflected Cross-Site Scripting CVE-2024-11921 XSS Check
• Gnuboard5 Open Redirect CVE-2024-37656 Check
• Grafana Path Traversal XSS CVE-2025-4123 XSS Check
• HexStrike AI MCP Command Injection CVE-2025-35028 RCE Attempt
• HPE OneView Remote Code Execution CVE-2025-37164 RCE Attempt
• Indexisto Plugin Reflected XSS CVE-2016-1000138 XSS Check
• InstaWP Connect Arbitrary File Upload CVE-2024-2667 RCE Attempt
• Intel AMT Privilege Escalation CVE-2017-5689 Attempt
• Intel AMT Scan Attempt
• Intelbras WiFiber 120AC Command Injection CVE-2022-40005 RCE Attempt
• King Addons for Elementor Privilege Escalation CVE-2025-8489 Attempt
• Landing Page Builder Reflected XSS CVE-2021-25067 XSS Check
• Leantime SQL Injection CVE-2023-45826 SQLi Attempt
• Loginizer Plugin SQL Injection CVE-2020-27615 SQLi Check
• Mingsoft MCMS Cross Site Scripting CVE-2023-3990 XSS Check
• Monsta FTP Arbitrary File Upload CVE-2025-34299 RCE Attempt
• mTheme-Unus Theme Directory Traversal CVE-2015-9406 LFI Attempt
• MyCryptoCheckout Reflected Cross-Site Scripting CVE-2023-1546 XSS Check
• Nagios Log Server API Key Disclosure CVE-2025-44823 Check
• Nagios Log Server Privilege Escalation CVE-2025-44824 Check
• NETGEAR Router Authentication Bypass CVE-2020-27866 Attempt
• Openfire SSRF CVE-2019-18394 Attempt
• OpenPLC ScadaBR Arbitrary File Upload CVE-2021-26828 RCE Attempt
• OpenPLC ScadaBR Bruteforce Attempt
• OpenPLC ScadaBR Login Attempt
• Personal Weather Station Dashboard Directory Traversal CVE-2025-47423 LFI Attempt
• PHPSHE SQL Injection CVE-2019-9762 SQLi Attempt
• Pichome Path Traversal CVE-2025-1743 LFI Attempt
• Pondol Formmail Plugin Reflected XSS CVE-2016-1000146 XSS Check
• Prestashop Possearchproducts SQL Injection CVE-2023-30192 SQLi Attempt
• rConfig Reflected XSS CVE-2020-12259 XSS Check
• React Server Components Unsafe Deserialization CVE-2025-55182 RCE Attempt
• Relevanssi WordPress Plugin SQL Injection CVE-2025-4396 SQLi Attempt
• Repetier Server Directory Traversal CVE-2023-31059 Attempt
• Request-Baskets SSRF CVE-2023-27163 Attempt
• Root Evidence
• Shield Security WordPress Reflected Cross-Site Scripting CVE-2024-7313 XSS Check
• SibSoft Xfilesharing Arbitrary File Upload CVE-2019-18952 RCE Attempt
• Sierra Wireless AirLink ES450 Upload Handling CVE-2018-4063 RCE Attempt
• Sitecore CMS XMLControl Parameter Injection CVE-2014-100004 XSS Check
• Sitemap by click5 WordPress Plugin REST API Access Control Bypass CVE-2022-0952 Attempt
• Store Locator WordPress Plugin Reflected XSS CVE-2023-4151 XSS Check
• Telerik UI for AJAX Unsafe Reflection CVE-2025-3600 DoS Attempt
• Themewinter Eventin Path Traversal CVE-2025-47445 LFI Attempt
• Title Experiments Free WordPress Plugin SQL Injection CVE-2022-0784 SQLi Attempt
• TOTOLINK A860R Command Injection CVE-2022-40475 RCE Attempt
• TOTOLINK X5000R (AX1800 Router) Authentication Bypass CVE-2025-13184 Attempt
• Trilium Reflected Cross-Site Scripting CVE-2022-2290 XSS Check
• TwitterServer Histogram Endpoint CVE-2020-35774 XSS Check
• Twonky Server Access Control Bypass CVE-2025-13315 Attempt
• Twonky Version Check Attempt
• User Profile Picture REST API Information Disclosure CVE-2021-24170 Attempt
• ViteJS Plugin RS Unsafe Dynamic Import CVE-2025-67489 RCE Attempt
• W3 Total Cache Reflected XSS CVE-2021-24436 XSS Check
• Wavlink WN579X3 Ping Test Injection CVE-2023-3380 RCE Attempt
• Webmin HTML Injection CVE-2022-36446 XSS Check
• Western Digital My Cloud Authentication Bypass CVE-2018-17153 Attempt
• WordPress Custom Search Plugin Multiple XSS CVE-2017-18494 XSS Check
• WP Meta SEO Unauthorized Ajax Actions CVE-2023-0876 Attempt
• WP Pro Real Estate 7 Reflected Cross-Site Scripting CVE-2021-24387 XSS Check
• WP Statistics SQL Injection CVE-2022-0651 SQLi Attempt
• WP Statistics SQL Injection CVE-2022-25149 SQLi Attempt
• WP Visitor Statistics RefUrl SQL Injection CVE-2021-24750 SQLi Attempt
• ZoneMinder Boolean-Based SQL Injection CVE-2024-51482 SQLi Attempt

‍

Community

• GreyNoise Block is available now with a free trial for 14 days. Test it out to build, manage, and deploy GreyNoise blocklists.‍
• ‍Try our Free Account - Quickly identify noisy scanners and trending attacks with our free plan. ‍
• Request a New GreyNoise Tag - Check out our page where our amazing community can submit tag requests to the GreyNoise team. 
• ‍Join our Community Slack and Discord- We share intel, give real time updates, and the occasional Dad joke. 

Meme of the Month

*Have a joke you want included in the next NoiseLetter? Submit Your Joke >>

‍

Life @ GreyNoise

Not subscribed to our NoiseLetter? Subscribe here.