Analysis of Nearly 3 Billion Malicious Sessions Quantifies Sustained Exploitation of VPN Appliances, Routers, and Remote Access Services
WASHINGTON, Feb. 24, 2026 /PRNewswire-PRWeb/ -- GreyNoise Intelligence, the cybersecurity company providing real-time intelligence about network-based attacks, today released the "2026 GreyNoise State of the Edge Report," a comprehensive analysis of malicious activity targeting the network edge. Based on nearly 3 billion malicious sessions observed targeting internet-facing infrastructure over 162 days, the report quantifies the sustained, systematic exploitation of VPN appliances, routers, and remote access services—and identifies critical gaps in how organizations currently defend the network edge.
"This report provides a strategic assessment of the threat landscape based on GreyNoise sensor data, along with the deep analysis and data-based insights security leaders need," said Bob Rudis, VP of Data Science + Research at GreyNoise Intelligence. "It quantifies what's hitting the edge, and what defenders can do to best protect their networks against the sustained volume and velocity of attacks we observed."
For this research, GreyNoise analyzed all sessions observed by its Global Observation Grid of sensors deployed across 80+ countries between July 23 and December 31, 2025. The dataset encompasses 2,969,010,478 malicious sessions from 3,804,232 unique source IPs targeting internet-facing infrastructure, excluding known benign scanners and spoofable traffic. The data reveals a clear pattern: VPN appliances, firewalls, and routers absorb sustained, systematic exploitation attempts at a scale that demands attention.
Edge infrastructure absorbs more targeting than most internal systems—a pattern independently confirmed across multiple sources. The Verizon 2025 DBIR documented an 8× increase in edge device exploitation (3% to 22% of breaches) in a single year. Mandiant M-Trends 2025 found that the four most frequently exploited vulnerabilities were all in edge devices. CISA, NSA, and Five Eyes partners issued joint guidance specifically addressing edge device security, and CISA's Binding Operational Directive 26-02 requires federal agencies to identify and replace end-of-support edge devices due to sustained exploitation of legacy infrastructure.
The report is organized around five key questions, to help defenders determine what to prioritize over the next six months:
- Is overall risk increasing, and if so, what changed?
- How much activity is opportunistic noise versus focused targeting?
- Which vulnerabilities drove the most meaningful activity?
- What does this data say about current security controls?
- What should CISOs prioritize over the next 90–180 days?
Key findings from the report include:
Palo Alto GlobalProtect received more than 3.5x the attack traffic of Cisco and Fortinet combined. GreyNoise observed 16.7 million sessions targeting Palo Alto Networks infrastructure, compared to 3.0 million for Cisco SSL VPN and 1.6 million for Fortinet SSL VPN.
52% of remote code execution attempts came from IPs with no prior GreyNoise history. For remote code execution—widely considered the highest-severity exploitation category—GreyNoise had no prior record of more than half the attacking IPs. This data suggests that reputation-based approaches have structural coverage limitations for the highest-severity attacks.
A sustained credential-spraying botnet targeting US Remote Desktop services grew from 2,000 to 300,000 IPs in 72 days. Participating IPs grew 150-fold over 72 days, with 73% classified as residential connections from Brazil and Argentina. These IPs had no prior history in GreyNoise data, and their residential classification and geographic distribution exhibited characteristics that would defeat geographic blocking, reputation scoring, rate limiting, and IP blocklists.
Pre-2015 CVEs generated 4x more exploitation traffic than 2023–2024 CVEs. Vulnerabilities more than a decade old—including Shellshock, PHP-CGI, and Oracle WebLogic flaws—collectively generated 7.3 million sessions, compared to 1.8 million for CVEs disclosed in 2023–2024. CVE-1999-0526, a 26-year-old X Server vulnerability, accounts for the majority of pre-2015 volume, though Shellshock and PHP-CGI also continue generating measurable traffic a decade later. The data indicates a gap between where patching effort concentrates and where exploitation volume concentrates.
A single hosting provider accounted for more malicious traffic than AWS and Azure combined. UCLOUD (AS135377) accounted for 392 million sessions—14% of all observed malicious traffic—exceeding AWS (80 million) and Azure (59 million) combined. Similarly, during the exploitation campaign that GreyNoise tracks as React2Shell (CVE-2025-55182), 44.5% of 5.93 million sessions originated from a single provider, MEVSPACE. These concentration patterns create actionable blocking opportunities for defenders.
Scanning infrastructure is now cataloging exposed AI endpoints. GreyNoise sensors observed 91,403 sessions targeting Ollama LLM inference servers between October 2025 and January 2026—including a single 11-day campaign (December 28 to January 8) that accounted for 80,469 of those sessions. With 175,000 Ollama servers identified as internet-exposed (SentinelLABS/Censys, January 2026), AI-serving infrastructure requires the same security posture as any internet-facing service.
"For government and critical infrastructure defenders, this data demands a strategic reassessment," said Nishawn Smagh, Director of Intelligence at GreyNoise Intelligence. "When adversaries can rotate through 300,000 residential IPs in 72 days and more than half of the most dangerous exploitation comes from previously unknown infrastructure, static defenses aren't keeping pace. Federal networks and critical infrastructure operators need sustained, real-time visibility into what's hitting the edge—not last week's threat feed. That's a posture shift, not a patch cycle."
"Hacking the user got hard — that's a good thing. But attackers didn't pack up and go home, they went right back to the edge. The devices facing the internet, including the ones that are supposed to protect them, have been neglected for decades. They lack basic security, they're easy to exploit, they're always on — and the time between a vulnerability going public and being exploited is basically zero," said Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence.
To download the full "2026 GreyNoise State of the Edge Report," please visit: https://www.greynoise.io/resources/2026-state-of-the-edge-report.
About GreyNoise
GreyNoise empowers the security teams of enterprises and global governments to act with speed and confidence by providing fresh, verifiable threat intelligence about systems at the network edge. This allows security teams to reduce noise in security operations, perform in-depth investigations and threat hunts, and focus on the most critical threats to their networks. Our Global Observation Grid enables us to observe and analyze threat actor campaigns at global scale and share this intelligence with customers in real-time.
For more information, please visit https://www.greynoise.io/, and follow us on Twitter and LinkedIn.
Media Contact
Ruoting Stone, GreyNoise Intelligence, 1 202-630-2906, [email protected], https://www.greynoise.io/
Rebecca West, Helium Communications, 1 415-260-6094, [email protected], https://www.heliumcommunications.com/
SOURCE GreyNoise Intelligence
Share this article