Grey Noise

Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.

GreyNoise is tracking a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure, with activity observed against Cisco SSL VPN and Palo Alto Networks GlobalProtect services.

GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182.

GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern.

Your home network might be part of someone else’s attack. GreyNoise IP Check shows if your IP’s been caught scanning the internet—free and private.

GreyNoise has begun seeing active exploitation of CVE‑2025‑64446, the critical path‑traversal flaw that lets an unauthenticated actor run administrative commands on Fortinet FortiWeb appliances.

GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high.

GreyNoise customers can turn any GreyNoise query directly into a real-time blocklist for their firewall, SOAR, or other enforcement points.

EU sanctions hit Stark Industries in May 2025. GreyNoise data shows how the group quietly rebranded to THE.Hosting and kept its malicious infrastructure running.

GreyNoise deployed MCP honeypots to see what happens when AI middleware meets the open internet — revealing how attackers interact with this new layer of AI infrastructure.

From Aug–Oct 2025, GreyNoise observed a surge in exploitation attempts against PHP and PHP-based frameworks as attackers deployed cryptominers—driven by rising Bitcoin prices and higher mining payoffs.

At GreyNoise, our sensors attract attackers so you don’t have to. We take the hits, learn from every attack, and share insights so you stay safe.

In his new role at GreyNoise, Smagh will serve as the principal liaison to government and enterprise partners, enhancing their ability to detect, understand and respond to cyber threats by leveraging GreyNoise capabilities.

GreyNoise reports attackers using rotating IPs to exploit Microsoft RDP timing vulnerabilities, targeting RD Web Access and RDP login enumeration to evade detection.

Amid the security incident involving F5 BIG-IP announced on 15 October 2025, GreyNoise is sharing recent insights into activity targeting BIG-IP to aid in defensive posturing.

Discover why traditional blocklists fail and how GreyNoise Block offers real-time, configurable, low-noise IP blocking powered by primary-sourced intelligence.

Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States.

Learn how GreyNoise Feeds enable real-time, event-driven threat intelligence that eliminates polling delays—helping defenders react instantly to new exploits, IP threats, and zero-day activity.

On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. The activity was highly targeted and involved multiple, potentially coordinated scanning clusters.

GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified as malicious.