NoiseLetter March 2026

Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.

And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.

Thanks, as always, for being part of the GreyNoise community.

Featured

About this new report

Every enterprise firewall processes traffic from residential IP space. Traditional reputation feeds fail to flag IPs that rotate before they can be cataloged.  Unfortunately, attackers know this too. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from home internet connections — and 78% vanish before any reputation system can flag them.

This report quantifies the residential proxy threat at internet scale and identifies what defenders can do about it. Download Today >>

‍

Where to find us

• ‍CrowdStrike CrowdTour Stockholm (In-Person | April 15) We’re thrilled to be traveling the globe for the 2026 CrowdTours. If you are attending or local to Stockholm let's connect. Learn More >>‍
• CyberUK (In-Person | April 21-23) GreyNoise is proud to be a sponsor and speaker at this years CyberUK conference. See all the ways to engage with us.  Learn More >>‍
• CrowdStrike CrowdTour Atlanta (In-Person | April 15) We’re thrilled to be traveling the globe for the 2026 CrowdTours. If you are attending or local to Atlanta let's connect. Learn More >>‍
• ‍GreyNoise University LIVE (Virtual | April 30) GreyNoise 101, now known as GreyNoise University LIVE is BACK! We are stoked to bring back this once-a-month webinar.  Learn More >>‍
• H-ISAC Spring Americas Summit (In-Person| May 4-8) GreyNoise will be sponsoring this years H-ISAC Spring Americas Summit. If you are planning to attend, come by our booth or connect with us to schedule a meeting. Learn More >>

‍

Fresh Content

• ‍Blog: Ghost Fleet - Half of All New Scanning IPs Last Week Geolocated to Hong Kong‍
• ‍Webinar: State of the Edge - Where Edge Targeting Concentrated and Where Defenses Have Measurable Gaps
• ‍Blog: New GreyNoise Integrations Enhance Detection and Response Capabilities in Google SecOps
• ‍Blog: GreyNoise Intelligence Is Available Across the CrowdStrike Falcon Platform‍
• Article: Dark Reading - Are we training AI too late? 
• Press Release: New Report from GreyNoise Intelligence Points to a Significant Number of Compromised Residential IP Addresses‍
• ‍At the Edge Clear: This is a preview of GreyNoise’s weekly At the Edge intelligence brief that we provide our customers, featuring select insights distilled from internet activity observed across the GreyNoise Global Observation Grid.  View our latest report >> 

‍

Recent Tags and Vulnerabilities

GreyNoise Labs released 166 tags during the month of March:

• Elasticsearch Sandbox Bypass CVE-2015-1427 RCE Check
• Citrix SD-WAN Directory Traversal CVE-2019-12990 LFI Attempt
• Citrix SD-WAN Improper Input Validation CVE-2019-12987 Attempt
• Aquatronica Controller System Unauthenticated Access CVE-2025-25037 Attempt
• Artica Pandora FMS Local File Inclusion CVE-2018-11222 LFI Attempt
• Alibaba Cloud Proxy Metadata Service Exposure Attempt
• Pandora FMS Events Remote Command Execution CVE-2020-13851 RCE Attempt
• Pandora FMS Information Disclosure CVE-2020-8497 Attempt
• Juniper Junos OS Evolved Permission Assignment Flaw CVE-2026-21902 RCE Attempt
• Seeyon OA A6 Config .jsp Sensitive Information Disclosure Attempt
• Vite File Access Bypass CVE-2025-46565 Attempt
• DataEase JWT Forgery CVE-2025-49001 Attempt
• Apache Kafka Client Arbitrary File Read CVE-2025-27817 SSRF Attempt
• Apache Struts Missing XML Validation CVE-2025-68493 Attempt
• Dedecms Dedecms Flink .php RCE Attempt
• GeoServer XML External Entity Injection CVE-2025-30220 XXE Attempt
• Cisco Secure Firewall Management Center Command Injection CVE-2025-20265 RCE Attempt
• Zhiyuan OA Arbitrary File Upload CVE-2025-34040 RCE Attempt
• DataEase Patch Bypass CVE-2025-49002 Attempt
• LaRecipe Server-Side Template Injection CVE-2025-53833 RCE Attempt
• SNMPv2c sysDescr OID Enumeration Scanner
• System V Login Buffer Overflow CVE-2001-0797 RCE Attempt
• Solarwinds Dameware Mini Remote Client Smart Card Authentication Bypass CVE-2019-3980 RCE Attempt
• SNMPv2 Public Community String Scanner
• Windows 95/98 NetBIOS Null Source Name CVE-2000-0347 DoS Attempt
• Windows TCP/IP Stack ICMPv6 Handling CVE-2020-16898 RCE Attempt
• Trend Micro Apex One Arbitrary File Write CVE-2020-8599 Attempt
• Microsoft Netlogon Privilege Escalation CVE-2020-1472 Attempt
• Microsoft Windows RPC Buffer Overflow CVE-2003-0352 RCE Attempt
• Microsoft SharePoint Application Package Validation CVE-2020-0932 RCE Attempt
• Microsoft Windows Secondary Logon Privilege Escalation CVE-2016-0135 Attempt
• Microsoft SharePoint Server Cross-Site Scripting CVE-2019-1262 XSS Check
• Microsoft Windows SMB Pathname Overflow CVE-2010-0020 RCE Attempt
• Adobe ColdFusion Untrusted Deserialization CVE-2017-11284 RCE Attempt
• Veritas NetBackup Unauthenticated File Copy CVE-2017-8857 RCE Attempt
• Modicon PLC Unverified Password Change CVE-2018-7811 Attempt
• WP Symposium Unrestricted File Upload CVE-2014-10021 RCE Attempt
• NETGEAR WNR2000 Buffer Overflow CVE-2017-6862 RCE Attempt
• OpenSSL X.509 Name Constraint Buffer Overflow CVE-2022-3602 RCE Attempt
• HPE Intelligent Management Center Unsafe Deserialization CVE-2017-8966 RCE Attempt
• Fortinet FortiOS Improper Authorization CVE-2018-13382 Attempt
• Oracle Application Testing Suite Directory Traversal CVE-2016-0487 Attempt
• GE Digital Energy MDS PulseNET Hardcoded Credentials CVE-2015-6456 RCE Attempt
• ZeroMQ Libzmq Buffer Overflow CVE-2019-13132 RCE Attempt
• HP ProCurve Manager Arbitrary File Upload CVE-2013-4812 RCE Attempt
• Spring Data Commons Property Binder CVE-2018-1273 RCE Attempt
• IBM DB2 Heap Buffer Overflow CVE-2010-0462 RCE Attempt
• AntSword Backdoor Antproxy .php RCE Attempt
• Proxmox Logo Icon Scanner
• Portainer Scanner
• SonicWall ExtraWeb Favicon Scanner
• SonicWall Chrome Extension Scanner
• Zyxel ZTP Scanner
• Synology DSM Scanner
• TR-064 Device Description Scanner
• 123solar Cross Site Scripting CVE-2024-9007 XSS Check
• ScienceLogic EM7 Scanner
• Cisco Secure Firewall Management Center Insecure Deserialization CVE-2026-20131 RCE Attempt
• LiquidFiles User Enumeration CVE-2025-56132 Attempt
• WhatsUp Gold SQL Injection CVE-2024-6671 SQLi Attempt
• Bootstrap Multiselect Reflective XSS CVE-2025-47204 XSS Check
• Cleo LexiCom Scanner
• Citrix ADC / NetScaler Scanner
• FUXA Authorization Bypass CVE-2026-25939 Attempt
• RosarioSIS SQL Injection CVE-2021-44427 SQLi Attempt
• Sangfor Operation and Maintenance Management System Unrestricted File Upload CVE-2025-15503 RCE Attempt
• Hirsch Enterphone MESH Default Credentials CVE-2025-26793 Attempt
• GoAnywhere MFT License Servlet Deserialization CVE-2025-10035 RCE Attempt
• Juniper Junos OS Missing Authentication CVE-2023-36846 Attempt
• Adobe ColdFusion Improper Access Control CVE-2023-26360 RCE Attempt
• D-Link NAS Command Injection CVE-2024-3273 RCE Attempt
• Cisco Catalyst SD-WAN Manager File System Access Control CVE-2026-20133 Attempt
• Cisco IOS XE Web UI Privilege Escalation CVE-2019-12650 RCE Attempt
• vCenter Server Arbitrary File Upload CVE-2021-22005 RCE Attempt
• GL.iNet NGINX Authentication Bypass CVE-2023-50919 Attempt
• LightLLM Unsafe Deserialization CVE-2026-26220 RCE Attempt
• Telerik Report Server Authentication Bypass CVE-2024-4358 Attempt
• Cisco Secure Firewall Management Center Authentication Bypass CVE-2026-20079 RCE Attempt
• MajorDoMo OS Command Injection CVE-2026-27175 RCE Attempt
• Metabase Remote Command Execution CVE-2023-38646 RCE Attempt
• WAVLINK Router OS Command Injection CVE-2022-2486 RCE Attempt
• Cisco ASA FTD Authentication Bypass CVE-2025-20362 Attempt
• NetScaler ADC Information Disclosure CVE-2023-4966 Attempt
• NetScaler ADC Out-Of-Bounds Read CVE-2023-6549 DoS Attempt
• Apache HTTP Server Path Traversal CVE-2021-41773 RCE Attempt
• Apache APISIX IP Restriction Bypass CVE-2022-24112 RCE Attempt
• Appsmith Access Control Bypass CVE-2024-55963 DoS Attempt
• Netmake ScriptCase SSH Shell Injection CVE-2025-47228 RCE Attempt
• ASUS RT-AX55 Command Injection CVE-2023-41345 RCE Attempt
• Fortinet OS Command Injection CVE-2023-34992 RCE Attempt
• SmarterMail ConnectToHub API CVE-2026-24423 RCE Attempt
• GL.iNet Router Shell Injection CVE-2023-50445 RCE Attempt
• GoAnywhere MFT Pre-Auth Command Injection CVE-2023-0669 RCE Attempt
• D-Link DIR816L Getcfg .php Access CVE-2022-28956 Attempt
• Ivanti Endpoint Manager Mobile API Remote Code Execution CVE-2025-4428 RCE Attempt
• Ivanti Endpoint Manager Mobile API Authentication Bypass CVE-2025-4427 Attempt
• Huijietong Cloud Video Platform Path Traversal CVE-2024-13991 LFI Attempt
• Ivanti Endpoint Manager Mobile Code Injection CVE-2026-1281 RCE Attempt
• Samsung MagicINFO Path Traversal CVE-2024-7399 RCE Attempt
• WPAMS Unrestricted File Upload CVE-2025-39401 RCE Attempt
• Nginx UI Unauthenticated Backup Disclosure CVE-2026-27944 Attempt
• SolarView Compact Insecure Permissions CVE-2023-29919 Attempt
• SolarWinds Web Help Desk Scanner
• Cisco Catalyst SD-WAN Manager Credential Exposure CVE-2026-20128 Attempt
• Vercel Nextjs React-Server-Component RCE Attempt
• Cisco Secure Firewall Management Center Unsafe Deserialization CVE-2026-20131 RCE Attempt
• Cisco UCS Director Authentication Bypass CVE-2019-1938 Attempt
• VMware Workspace ONE UEM SSRF CVE-2021-22054 Check
• F5 BIG-IP Management Interface Version Enumeration Attempt
• D-Link DIR-859 UPnP Command Injection CVE-2019-17621 RCE Attempt
• GruppoSCAI RealGimm Reflected XSS CVE-2023-41642 XSS Check
• Saisies Plugin Remote Code Execution CVE-2025-71243 RCE Attempt
• TVT DVR OS Command Injection CVE-2025-34036 RCE Attempt
• FUXA Authentication Bypass CVE-2025-69985 RCE Attempt
• SysAid XML External Entity CVE-2025-2776 Attempt
• F5 BIG-IP Management Interface Version Enumeration Check
• TerraMaster NAS Credential Disclosure CVE-2022-24990 Attempt
• n8n Brute Force Attempt
• Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite CVE-2026-20122 Attempt
• SysAid XML External Entity CVE-2025-2775 Attempt
• SysAid XML External Entity CVE-2025-2777 Attempt
• Energizer DUO USB Charger Backdoor CVE-2010-0103 RCE Attempt
• Unraid Remote Code Execution CVE-2020-5847 RCE Attempt
• Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 Attempt
• Microsoft .NET Framework XML Input Validation CVE-2020-1147 RCE Attempt
• Apache Log4j2 JNDI Injection CVE-2021-44228 RCE Check
• Unraid Authentication Bypass CVE-2020-5849 Attempt
• mySCADA myPRO Directory Listing Exposure CVE-2021-27505 Check
• Apache Camel Header Injection CVE-2025-29891 Attempt
• BeyondTrust Remote Support Pre-Auth Remote Code Execution CVE-2026-1731 RCE Attempt
• Asus Asuswrt Admin Session Hijack CVE-2017-15653 Check
• Windows Remote Desktop Licensing Service Remote Code Execution CVE-2024-38077 RCE Attempt
• Craft Remote Code Execution CVE-2025-32432 RCE Attempt
• N-central XML External Entities Injection CVE-2025-11700 Attempt
• OctoberCMS Password Reset Bypass CVE-2021-32648 Attempt
• Fortinet FortiOS Out-Of-Bounds Write CVE-2024-21762 RCE Check
• FortiOS Authentication Bypass CVE-2024-55591 Attempt
• n8n Login Attempt
• GeoServer CQL Injection CVE-2023-25157 Attempt
• Yeti Platform SSTI CVE-2024-46507 Exploit Attempt
• PaperCut NG Path Traversal CVE-2023-39143 RCE Attempt
• Ivanti Connect Secure Stack Buffer Overflow CVE-2025-0282 RCE Check
• Ibwebadmin Execute Command Exploit Attempt
• Ibwebadmin Admin Panel Scanner
• SiYuan Search API CVE-2026-32767 SQL Injection Exploit Attempt
• Wing FTP Server Path Disclosure CVE-2025-47813 Attempt
• NasaTheme Flozen Unrestricted File Upload CVE-2025-49071 RCE Attempt
• NasaTheme Flozen Unrestricted File Upload CVE-2025-49071 Version Check
• Budibase Authentication Bypass CVE-2026-31816 Attempt
• BCM FootPrints Deserialize to Arbitrary File Write CVE-2025-71260 Attempt
• BCM FootPrints /import/searchWeb Blind SSRF CVE-2025-71258 Attempt
• BMC FootPrints Authentication Bypass CVE-2025-71257 Attempt
• BCM FootPrints externalfeed/RSS Blind SSRF CVE-2025-71259 Attempt
• Kan SSRF CVE-2026-32255 Attempt
• KiviCare Authentication Bypass CVE-2026-2991 Attempt
• WWBN AVideo Unauthenticated Installation CVE-2026-33038 Attempt
• Karel IP1211 IP Phone Path Traversal CVE-2025-34023 LFI Attempt
• Linksys Router OS Command Injection CVE-2025-34037 RCE Attempt
• Mailpit SSRF CVE-2026-21859 Attempt
• MCPJam Inspector Remote Code Execution CVE-2026-23744 RCE Attempt
• TVT DVR Information Disclosure CVE-2024-7339 Attempt
• Apache Continuum Command Injection CVE-2016-15057 RCE Attempt
• Moodle Jmol Plugin Path Traversal CVE-2025-34031 LFI Attempt
• Beward N100 IP Camera Command Injection CVE-2025-34042 RCE Attempt
• Ivanti Endpoint Manager Authentication Bypass CVE-2026-1603 Attempt
• GNU Inetutils Telnetd Out-Of-Bounds Write CVE-2026-32746 Attempt

‍

Community

• GreyNoise Block is available now with a free trial for 14 days. Test it out to build, manage, and deploy GreyNoise blocklists.‍
• ‍Try our Free Account - Quickly identify noisy scanners and trending attacks with our free plan. ‍
• Request a New GreyNoise Tag - Check out our page where our amazing community can submit tag requests to the GreyNoise team. 
• ‍Join our Community Slack + Discord- We share intel, give real time updates, and the occasional Dad joke. 

‍

Meme of the Month

‍

Not subscribed to our NoiseLetter? Subscribe here.

‍