NoiseLetter May 2025

This month was wild, our sensors picked up major threats, including a stealthy backdoor campaign targeting ASUS routers and a coordinated scan blitz hitting 75 exposure points in a single day. While part of the GreyNoise Labs team gathered offsite, the rest stayed locked in to catch it all. Get the full breakdown in this month’s NoiseLetter.

‍

Bob Unfiltered

VP of Data Science + Research, Bob Rudis, creatively gives his thoughts, hot-takes, and whatever else he feels like.

‍

Featured

‍

‍

Join GreyNoise Founder & Chief Architect Andrew Morris and VP of Data Science Bob Rudis on June 3rd as they unpack critical findings from our 2025 report, A Blindspot in Cyber Defense: How Resurgent Vulnerabilities Jeopardize Organizational Security.

>> Register Today! 

‍

‍

‍

GreyNoise uncovers a stealthy backdoor campaign affecting thousands of ASUS routers. Attackers gained persistent access — surviving reboots and firmware updates — by abusing legitimate configuration features.First observed March 18, 2025.

>>Read the Full Analysis 

‍

‍

Product Announcements

‍

New Experiment:  WatchGOG!
‍
‍A peek behind the curtain at more detailed statistics from the Global Observation Grid.
>> Check it out

‍

‍

‍

‍‍JA4 now available for Threat Hunt customers
‍
‍JA4 has been a top request from our community as it helps correlate scanning and exploitation activity across IPs with similar TLS behavior.  We're pleased to add it to our Threat Hunt data module.

‍

‍

SSO for Enterprise Customers
‍
‍We've added the ability to support multiple SSO providers for customers interested in stronger authentication for their GreyNoise accounts. If you would like to set up SSO for your account please reach out to your Customer Success Manager for assistance.

‍

Make our product team the happiest team in the world by sharing your honest feedback! 

• We're excited to announce our new gift card campaign on Gartner Peer Insights! Share your honest review of GreyNoise and receive a $25 gift card.
• Or go big and grab a $50 VISA gift card by sharing your thoughts on G2!‍
• BUT WAIT — there’s a slight catch...! To score the goods, your review needs to be posted + approved, and they can be kinda particular, so be sure to check out this quick doc with tips to make sure your work gets posted.Thanks for helping us spread the word and showing us love, we seriously appreciate you.

‍

Where to find us

• ‍GreyNoise University LIVE (Virtual | May 29, TODAY!) GreyNoise 101, now known as GreyNoise Univeristy LIVE is BACK! We are stoked to bring back this once-a-month webinar.  
• Resurgent Vulnerabilities Webinar (Webinar | June 3) Join GreyNoise Founder & Chief Architect Andrew Morris and VP of Data Science Bob Rudis as they break down key insights from our latest 2025 report, A Blindspot in Cyber Defense: How Resurgent Vulnerabilities Jeopardize Organizational Security. 
  

‍

Fresh Content

• Webcast: Storm⚡️Watch | Latest Episode
• Blog: GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers
• Blog: Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
• Blog: Ivanti EPMM Zero-Days: Reconnaissance to Exploitation
• Blog: Verizon DBIR 2025: Edge KEVs Are Increasingly Left Unpatched — and More Often Exploited in Breaches

‍

Recent Tags and Vulnerabilities

GreyNoise Labs released 34 tags during the month of April:

• Asus RT-AX86U CVE-2020-36109 Buffer Overflow Attempt
• Auerswald COMfortel 2.8G CVE-2021-40856 Authentication Bypass Attempt
• BentoML Unsafe Deserialization CVE-2025-32375 Attempt
• Casbin Casdoor Authorization Bypass for creating an admin account CVE-2025-4210 Attempt
• CIRCONTROL CirCarLife devstat.html CVE-2018-16670 Status Disclosure Attempt
• Cisco Linksys WVC54GCA adm/file.cgi next_file CVE-2009-1558 Arbitrary File Read Attempt
• D-Link D-View 8 Static JWT Token To Authentication Bypass CVE-2023-5074 Attempt
• DICOM Scanner
• DrayTek Vigor /cgi-bin/wlogin.cgi CVE-2022-32548 Buffer Overflow Attempt
• FoxCMS Case Display Page Command Injection CVE-2025-29306 Attempt
• Generic ${IFS} Use in RCE Attempt
• Generic PHPInfo Access Attempt
• GeoVision CVE-2024-11120 RCE Attempt
• GeoVision ntpdate.sh Command Injection CVE-2024-6047 Attempt
• Hikvision Integraded Security Management Platform licenseExpire RCE Attempt
• Ivanti EPMM CVE-2025-4428 RCE Attempt
• Jenkins Gitlab Hook Plugin 1.4.2 build_now CVE-2020-2096 RXSS Check
• JNews WordPress 8.0.6 CVE-2021-24342 jnews_build_mega_category XSS Check
• Multilaser Router Access Control Bypass CVE-2023-38944 Attempt
• Patreon WordPress plugin 1.7.0 CVE-2021-24227 patron_only_image Local File Disclosure Vulnerability Attempt
• PbootCMS Tag Injection CVE-2024-12789 RCE Attempt
• Samsung MagicINFO CVE-2024-7399 Path Traversal Attempt
• Samsung Wlan AP (WEA453e) Default Credentials Login Attempt
• SonicWall SMA100 Arbitrary File Leak CVE-2024-38475 Attempt
• SysAid On-Prem checkin CVE-2025-2775 XXE Check
• SysAid On-Prem javaLocation CVE-2025-2778 RCE Attempt
• SysAid On-Prem lshw CVE-2025-2777 XXE Check
• SysAid On-Prem serverurl CVE-2025-2776 XXE Check
• SysAid On-Premises Authenticated javaLocation RCE CVE-2024-36394 Attempt
• TianQing Terminal Security Management System SQLi Attempt
• TianQing Terminal Security Management System SQLi Check
• Veeam Recovery Orchestrator Hardcoded JWT Secret CVE-2024-29855 Attempt
• WooCommerce Email Verification Loose Comparison to Authentication Bypass Attempt
• XWiki Platform Template Injection CVE-2024-21650 RCE Attempt

‍

Community

• Request a New GreyNoise Tag - We've just published a new page to allow our amazing community to submit tag requests to the GreyNoise team. 
• ‍Try our Free Account - Quickly identify noisy scanners and trending attacks with our free plan.
• ‍Join our Community Slack and Discord- We share intel, give real time updates, and the occasional Dad joke. 

‍

Meme of the Month

*Have a joke you want included in the next NoiseLetter? Submit Your Joke >>

‍

Life @ GreyNoise

Not subscribed to our NoiseLetter? Subscribe here.