Attackers Surge Before Vulnerability Disclosures - GreyNoise Report

GreyNoise's latest report reveals a significant surge in attacker activity before vulnerability disclosures. This trend affects major vendors like Cisco and SonicWall. Understanding this pattern can help defenders prepare and respond effectively.


Original Reporting: SC Media

AI Summary: CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, attackers often start probing for weaknesses before new security flaws are announced.

What Happened

GreyNoise has uncovered a concerning trend: attacker activity surges significantly before major vulnerability disclosures. Analyzing 147.8 million scanning and exploit sessions targeting 18 edge device vendors from December 14, 2025, to March 27, 2026, they found that nearly 50% of activity spikes occurred within three weeks prior to a Common Vulnerabilities and Exposures (CVE) disclosure. This is a staggering 36% increase compared to what would typically be expected by chance.

Who's Affected

The report highlights a range of vendors, including Cisco, SonicWall, Ivanti, HPE/Dell, MikroTik, TP-Link, Fortinet, and D-Link/DrayTek. These organizations are at risk due to the increased exploitation of vulnerabilities in their products, particularly in edge devices, which have become prime targets for attackers.

What Data Was Exposed

One notable vulnerability discussed is the Cisco Catalyst SD-WAN Controller zero-day, tracked as CVE-2026-20127, which was disclosed on February 25, 2026. This vulnerability has a CVSS score of 10.0, indicating its critical severity. The report outlines that the activity leading to this disclosure included multiple surges, with the last spike occurring just two days before the official announcement.

What You Should Do

Defenders are urged to take proactive measures by monitoring for unusual spikes in scanning and exploit activity. GreyNoise suggests using these surges as early warning signals to prepare for potential vulnerabilities. Here are some recommended actions:

Containment

  1. Monitor for scanning activity: Keep an eye out for sudden increases in scanning sessions targeting your network devices.
  2. Stage patches early: Prepare patches in advance of disclosures to mitigate risks as soon as vulnerabilities are announced.
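
One way to turn both steps into a check, as an added example that is not from the GreyNoise report or the original article: flag days where scan sessions against a device family jump far above a trailing baseline, then open a 21-day watch window for patch readiness. The window length, threshold multiplier, floor, device-family labels and session counts are all assumptions or constructed sample data; only the three-week figure comes from the report summary above.

```python
from datetime import date, timedelta
from statistics import median

WATCH_DAYS = 21  # page: spikes clustered within three weeks before a CVE disclosure

def find_spikes(counts, window=14, k=5.0, floor=50):
    """Indices of days whose session count exceeds median + k*spread of the
    trailing `window` days. window, k and floor are assumed tuning values."""
    spikes = []
    for i in range(window, len(counts)):
        hist = counts[i - window:i]
        base = median(hist)
        mad = median([abs(x - base) for x in hist])
        # Flat history gives a MAD near 0; use 10% of baseline as minimum spread.
        spread = max(mad, 0.1 * base, 1.0)
        if counts[i] >= max(base + k * spread, floor):
            spikes.append(i)
    return spikes

def watch_windows(start, counts, **kw):
    """Map each spike to (spike_date, watch_until) for heightened patch readiness."""
    out = []
    for i in find_spikes(counts, **kw):
        day = start + timedelta(days=i)
        out.append((day, day + timedelta(days=WATCH_DAYS)))
    return out

# Constructed sample: daily inbound scan sessions per device family, as a
# perimeter sensor might record them. Not data from the GreyNoise report.
START = date(2026, 1, 1)
SAMPLE = {
    "vpn-gateway": [120, 131, 118, 125, 140, 122, 119, 133, 127, 121,
                    138, 124, 129, 126, 130, 612, 128, 135, 590, 131],
    "sdwan-controller": [40, 38, 45, 41, 39, 44, 42, 40, 43, 37,
                         41, 46, 39, 42, 44, 41, 43, 40, 45, 42],
}

if __name__ == "__main__":
    for family, counts in SAMPLE.items():
        for day, until in watch_windows(START, counts):
            print(f"{family}: spike on {day}, keep patches staged until {until}")
```

The median and MAD baseline keeps one spike from inflating the threshold for the next, so repeated surges against the same device family are each flagged.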

Conclusion

As the exploitation of vulnerabilities in network devices has surged, defenders must adapt quickly. With attackers often discovering vulnerabilities before they are disclosed, having a strategy in place to respond to these early signs of activity can make all the difference in maintaining security. GreyNoise's findings serve as a crucial reminder of the need for vigilance in the face of evolving threats.

🔒 Pro Insight

The findings highlight the necessity for proactive vulnerability management strategies, leveraging early detection of scanning activity to mitigate risks.
