
GreyNoise finds attacker activity surges before vulnerability disclosures | news | SC Media - SC Media

SC Media · Archived May 14, 2026




Major network device vulnerability disclosures are often preceded by surges of attacker activity targeting the same vendor, GreyNoise revealed in a report published Monday.

GreyNoise examined 147.8 million sessions of scanning and exploit activity targeting 18 edge device vendors between Dec. 14, 2025, and March 27, 2026, finding that about half of all activity spikes preceded a CVE disclosure within three weeks, 36% more than would be expected by chance. The median lead time was 11 days.

“For a defender, this is a head start. Eleven days is enough time to brief leadership, stage a patch, and harden exposed systems before the rest of the world learns the vulnerability exists,” GreyNoise wrote in the report, titled “Ten Days Before Zero.”

The researchers said attackers may discover vulnerabilities as zero-days through several means, such as patch diffing, insider access or independent discovery in parallel with security researchers probing the same popular products.

In one example, the Cisco Catalyst SD-WAN Controller zero-day tracked as CVE-2026-20127, which was disclosed on Feb. 25, 2026, and has a CVSS score of 10.0, was preceded by five activity surges within 18 days of the disclosure. The flaw was ultimately the subject of an urgent Five Eyes advisory and an emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA).

GreyNoise described the preceding attacker activity as a “compressed escalation,” with the first surge on Feb. 7, two on Feb. 16, one on Feb. 19 and one on Feb. 23, just two days before disclosure.
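The pairing analysis the article summarizes, shown as an added example that is not GreyNoise's code: each surge against a vendor is matched to the first disclosure by that vendor within the three-week window, the pairing rate and median lead are computed, and the observed rate is compared with a chance baseline. The surge and disclosure dates come from the article's Cisco case study; the extra January surge, the random-placement chance baseline and the way ties are matched are the example's own assumptions (the article does not say how GreyNoise computed its 36%-above-chance figure).

```python
"""Pair attacker-activity surges with later CVE disclosures and measure lead time.

Added illustration of the analysis the article describes; not GreyNoise's code.
Surge dates for the Cisco case study are as reported in the article; the
January surge, the analysis period and the chance baseline are assumptions."""
from datetime import date, timedelta
from statistics import median
import random

PAIRING_WINDOW = timedelta(days=21)   # article: disclosure "within three weeks"


def pair_surges(surges, disclosures, window=PAIRING_WINDOW):
    """Match each surge to the first disclosure that follows it within `window`.
    Returns (surge_date, disclosure_date, lead_days) for every surge that pairs."""
    paired = []
    for s in sorted(surges):
        for d in sorted(disclosures):
            if s <= d <= s + window:
                paired.append((s, d, (d - s).days))
                break
    return paired


def pairing_rate(surges, disclosures, window=PAIRING_WINDOW):
    """Share of surges that are followed by a disclosure inside the window."""
    if not surges:
        return 0.0
    return len(pair_surges(surges, disclosures, window)) / len(surges)


def median_lead_days(surges, disclosures, window=PAIRING_WINDOW):
    """Median days from a paired surge to its disclosure (the defender's head start)."""
    leads = [lead for _, _, lead in pair_surges(surges, disclosures, window)]
    return median(leads) if leads else None


def chance_pairing_rate(surges, n_disclosures, period_start, period_end,
                        window=PAIRING_WINDOW, trials=2000, seed=7):
    """Chance baseline (assumption of this example): how often the same surges
    would pair if the disclosure dates were drawn uniformly at random across
    the analysis period. Averaged over `trials` random placements."""
    rng = random.Random(seed)
    span = (period_end - period_start).days
    total = 0.0
    for _ in range(trials):
        fake = [period_start + timedelta(days=rng.randint(0, span))
                for _ in range(n_disclosures)]
        total += pairing_rate(surges, fake, window)
    return total / trials


# Surge dates reported for the Cisco SD-WAN case study (Feb. 7, two on Feb. 16,
# Feb. 19, Feb. 23), plus one constructed off-pattern surge in January that
# pairs with nothing.
CISCO_SURGES = [date(2026, 1, 5), date(2026, 2, 7), date(2026, 2, 16),
                date(2026, 2, 16), date(2026, 2, 19), date(2026, 2, 23)]
CISCO_DISCLOSURES = [date(2026, 2, 25)]             # CVE-2026-20127 disclosure
PERIOD = (date(2025, 12, 14), date(2026, 3, 27))    # article's observation window

if __name__ == "__main__":
    for s, d, lead in pair_surges(CISCO_SURGES, CISCO_DISCLOSURES):
        print(f"surge {s} -> disclosure {d}: {lead} days lead")
    print("observed pairing rate:", pairing_rate(CISCO_SURGES, CISCO_DISCLOSURES))
    print("median lead (days):", median_lead_days(CISCO_SURGES, CISCO_DISCLOSURES))
    print("chance pairing rate:", chance_pairing_rate(CISCO_SURGES, 1, *PERIOD))
```

On the constructed input, five of six surges pair with the Feb. 25 disclosure and the median lead is nine days, against a chance rate well below that; on real telemetry the same functions run per vendor across all disclosures in the period.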
Additionally, the activity began with fewer sessions spread across many IPs, but later saw session volumes spike while unique IPs dropped by 81% to 95%, “consistent with a shift from broad reconnaissance to dedicated operators hammering specific targets,” GreyNoise said. The researchers saw a similar pattern in the 19 days preceding the disclosure of the SonicWall SonicOS vulnerability CVE-2026-0400.

Other major vendors, including Ivanti, HPE/Dell, MikroTik, TP-Link, Fortinet and D-Link/DrayTek, were noted in the report's case studies of pre-disclosure activity, with some seeing surges across multiple CVEs.

The most common activity in the pre-disclosure surges was scanning, seen in 42 of the 104 observed activity spikes, followed by brute forcing (18 surges) and RCE attempts (12 surges). The mean lead time was 12.1 days for scanning, nine days for RCE attempts and 7.8 days for brute forcing.

“Scanners remain the strongest early-warning signal: they pair most often and provide the longest average lead time overall. Brute-force surges pair at a similar rate but with a shorter lead, consistent with later-stage activity,” GreyNoise stated.

With exploitation of vulnerabilities in network devices increasing eight-fold between 2024 and 2025, according to the 2025 Verizon Data Breach Investigations Report (DBIR), and the top four exploited CVEs being in edge devices, according to the Mandiant M-Trends 2025 report, GreyNoise said defenders need to act faster than ever to address these vulnerabilities.

Defenders could use sudden surges in scanning or exploitation activity targeting their network devices to inform their responses and prepare for potential zero-day revelations, GreyNoise suggested, although the researchers warned to treat these findings as “hypotheses worth investigating, not as validated detection logic.”
For example, a “compression countdown” of activity surges arriving at shrinking intervals could signal escalation and warrant higher monitoring priority, the report says, while a simultaneous spike in both session and IP volume may lead an organization to consider early patch staging. A rising sessions-per-IP ratio suggests more concentrated targeting, which may call for restricting access to the targeted interfaces, while surges sustained over eight or more days could signal a potential incident to be investigated, the report concludes.
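The four warning signs above, and the reconnaissance-to-operators shift described earlier, turned into checks over a vendor's daily telemetry as an added example; this is not GreyNoise's code or detection logic, and in the report's own words these are hypotheses to investigate. The baseline week, the 3x surge factor, and the sample telemetry (shaped like the Cisco case study: one broad spike, then three increasingly concentrated surges at shrinking intervals) are constructed assumptions to tune against your own data; the 80% IP-drop and eight-day thresholds follow the figures in the article.

```python
"""Daily per-vendor telemetry (sessions and unique source IPs seen against your
edge devices) scored against the pre-disclosure patterns the article describes.
Added example, not GreyNoise's code. Thresholds marked 'assumption' are the
example's own; the sample telemetry is constructed."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class DayStats:
    day: int          # day index within the observation window
    sessions: int     # sessions hitting the vendor's devices that day
    unique_ips: int   # distinct source IPs behind those sessions


BASELINE_DAYS = 7     # first week of the window is the quiet baseline (assumption)
SURGE_FACTOR = 3.0    # a day is a surge at >= 3x baseline sessions (assumption)
IP_DROP = 0.8         # article: unique IPs fell 81% to 95% between surges
SUSTAINED_DAYS = 8    # article: surges sustained over eight or more days


def surge_runs(days):
    """Group surge days into runs of consecutive days; returns a list of runs."""
    base_sessions = median([d.sessions for d in days[:BASELINE_DAYS]])
    runs = []
    for d in days[BASELINE_DAYS:]:
        if d.sessions < SURGE_FACTOR * base_sessions:
            continue
        if runs and d.day == runs[-1][-1].day + 1:
            runs[-1].append(d)
        else:
            runs.append([d])
    return runs


def compression_countdown(runs):
    """Intervals between successive surge starts strictly shrink (needs >= 3 surges)."""
    starts = [r[0].day for r in runs]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return len(gaps) >= 2 and all(later < earlier for earlier, later in zip(gaps, gaps[1:]))


def broad_spike(days, runs):
    """Sessions and unique IPs spike together: wide reconnaissance, stage patches early."""
    base_ips = median([d.unique_ips for d in days[:BASELINE_DAYS]])
    return any(d.unique_ips >= SURGE_FACTOR * base_ips for r in runs for d in r)


def concentration_shift(runs):
    """Latest surge has more sessions from far fewer IPs than the first one:
    the reconnaissance-to-dedicated-operators shift; restrict the interface."""
    if len(runs) < 2:
        return False
    first, last = runs[0][0], runs[-1][-1]
    ip_drop = 1 - last.unique_ips / first.unique_ips
    return last.sessions > first.sessions and ip_drop >= IP_DROP


def sustained(runs):
    """A surge held for eight or more consecutive days: treat as a potential incident."""
    return any(len(r) >= SUSTAINED_DAYS for r in runs)


def assess(days):
    """Score one vendor's window; each key maps to the article's suggested response."""
    runs = surge_runs(days)
    return {
        "surges": len(runs),
        "compression_countdown": compression_countdown(runs),  # raise monitoring priority
        "broad_spike": broad_spike(days, runs),                # consider early patch staging
        "concentration_shift": concentration_shift(runs),      # restrict access to interfaces
        "sustained_surge": sustained(runs),                    # investigate as an incident
    }


def sample_window():
    """Constructed 22-day telemetry: quiet baseline, a broad spike on day 10,
    then concentrated surges on days 16, 19 and 21 (gaps 6, 3, 2)."""
    quiet = [(100, 50), (95, 48), (105, 52), (100, 50), (98, 49), (102, 51), (100, 50),
             (100, 50), (100, 50), (100, 50)]
    series = (quiet + [(400, 200)] + [(100, 50)] * 5 + [(600, 60)] + [(100, 50)] * 2
              + [(900, 30)] + [(100, 50)] + [(1200, 20)])
    return [DayStats(i, s, ips) for i, (s, ips) in enumerate(series)]


if __name__ == "__main__":
    for signal, value in assess(sample_window()).items():
        print(f"{signal}: {value}")
```

Because the baseline is fixed to the first week, a surge that persists is still counted on every day it lasts, which is what the sustained check needs; a rolling baseline would absorb it. Run `assess` per vendor over the same window you feed your perimeter telemetry from, and read a true `compression_countdown` together with `concentration_shift` as the escalation shape the Cisco case study showed.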
Source: SC Media · Category: Vulnerabilities & CVEs · Published: May 14, 2026