Grey Noise

Attackers are actively exploiting Apache Tomcat servers by leveraging CVE-2025-24813, a newly disclosed vulnerability that, if successfully exploited, could enable remote code execution (RCE). GreyNoise has identified multiple IPs engaging in this activity across multiple regions. 

GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities: "Resurgence of in-the-wild Activity targeting critical ServiceNow vulns. Overwhelming majority of traffic hitting Israel.

GreyNoise observed 400+ IPs exploiting multiple SSRF vulnerabilities across various platforms, with recent activity concentrated in Israel and the Netherlands.

‍GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025. 

‍GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025. 

Silk Typhoon-linked CVEs are under active exploitation. GreyNoise observed 90+ threat IPs exploiting them in the past 24 hours, following Microsoft’s report on the group's evolving tactics.

On March 3, 2025, the Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming their exploitation in the wild.

A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks. Nokia Deepfield’s Emergency Response Team (ERT) has identified a new botnet, tracked as Eleven11bot, which they estimated has compromised over 30,000 devices, primarily security cameras and network video recorders (NVRs). 

Attackers are automating exploitation at scale, targeting both new and old vulnerabilities — some before appearing in KEV. Our latest report breaks down which CVEs were exploited most in 2024, how ransomware groups are leveraging mass exploitation, and why real-time intelligence is critical.

Ransomware group Black Basta’s chat logs were leaked, revealing 62 mentioned CVEs (Source: VulnCheck). GreyNoise identified 23 of these CVEs as actively exploited, with some targeted in the last 24 hours. Notably, CVE-2023-6875 is being exploited despite not appearing in CISA’s KEV catalog — reinforcing the need for real-time intelligence beyond static lists.

GreyNoise has observed exploitation attempts targeting two Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. CVE-2023-20198 is being actively exploited by over 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, while CVE-2018-0171 has seen exploitation attempts from two malicious IPs traced to Switzerland and the United States. These CVEs were referenced in recent reports on Salt Typhoon, a Chinese state-sponsored threat group, though GreyNoise is not attributing the observed exploitation to Salt Typhoon.

GreyNoise has observed active exploitation attempts targeting a newly disclosed authentication bypass vulnerability, CVE-2025-0108, affecting Palo Alto Networks PAN-OS. This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.

GreyNoise has detected a surge in exploitation attempts for two vulnerabilities—one flagged as a top target by government agencies and another flying under the radar despite real-world attacks. See the latest exploitation trends and why real-time intelligence is essential for risk management.

This blog details how attackers are actively exploiting Fortinet FortiGate firewalls vulnerable to CVE-2022-40684, with real-time insights from GreyNoise to help defenders understand and respond to these threats.

CVE-2024-40891: Zyxel CPE Zero-day Exploitation. Hackers are actively exploiting a telnet-based command injection vulnerability in Zyxel CPE devices, impacting 1,500+ exposed systems. No patch is available yet.

Discover whether your team truly needs a threat intelligence feed with our unbiased white paper. This practical guide helps cybersecurity professionals assess their needs, identify gaps, and confidently evaluate options for a tailored, effective cyber defense strategy.

A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners found new nodes within 5 minutes, with ONYPHE leading in first contacts.

Attackers exploit vulnerabilities within hours of PoC releases. Learn how GreyNoise provides real-time intelligence to detect and disrupt threats, helping defenders respond faster and stay ahead of evolving risks.

Discover why over 220 cybersecurity professionals ranked effective communication as the most undervalued skill in the industry. A Storm⚡️Watch podcast poll revealed the critical role "soft skills" play in bridging technical complexity with business needs. Explore real-world stories from industry experts who honed their communication abilities, from simplifying incident reports for executives to adapting technical messages for diverse audiences. Learn how emotional intelligence, adaptability, and clarity drive collaboration and success in cybersecurity. Dive into the full discussion for actionable insights on mastering this essential skill.

A new Censys report found 145,000 exposed ICSs and thousands of insecure human-machine interfaces (HMIs), providing attackers with an accessible path to disrupt critical operations. Real-world examples underscore the danger, with Iranian and Russian-backed hackers exploiting HMIs to manipulate water systems in Pennsylvania and Texas. GreyNoise research further highlights the urgency: attackers are actively scanning for HMIs and prioritizing Remote Access Services (RAS) over complex ICS protocols, making these easily accessible entry points prime targets for exploitation.