Ivanti, SonicWall and Cisco: Vulnerability exploitation surges often precede disclosure, offering possible early warnings

GreyNoise Report: Exploitation Surges Often Precede Vulnerability Disclosures by Weeks

A recent report from threat intelligence firm GreyNoise reveals that hackers frequently begin exploiting software vulnerabilities before vendors publicly disclose them, sometimes weeks in advance. Analyzing attack patterns between mid-December 2025 and late March 2026, GreyNoise found that nearly half of all scanning and exploitation surges targeting specific products were followed by vulnerability disclosures within three weeks.

The median time between a surge in malicious activity and a vendor’s disclosure was 11 days, offering organizations a potential early warning to patch or harden systems. Of the 42 scanning events observed, 57% led to disclosures, while 56% of brute-force attempts and 42% of remote-code-execution (RCE) probes also preceded public CVEs.

The report highlights distinct patterns in attacker behavior:

  • Scanning activity was widely dispersed, with many IP addresses conducting a few sessions each, likely broad reconnaissance.
  • Later-stage attacks (brute-force and RCE) were more concentrated, with fewer IPs generating high session volumes, suggesting targeted exploitation.
  • High-severity flaws generated the most probing activity, with some exploitation detected up to 39 days before disclosure.

Notable examples include:

  • A Cisco vulnerability exploited in five surges over 18 days before disclosure, with IP activity dropping but session counts rising, a shift from reconnaissance to focused attacks.
  • Juniper, SonicWall, and Ivanti flaws also saw early exploitation, with one Ivanti flaw targeted 36 days prior to disclosure.

GreyNoise’s findings underscore that exploitation surges can serve as an early indicator of undisclosed vulnerabilities, particularly for critical infrastructure vendors. The data suggests that organizations monitoring such activity may gain a critical window to mitigate risks before patches are available.
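
One way a defender could watch for the pattern described above, as an added example (not GreyNoise's methodology and not code from the report): flag days where sessions against a product exceed a trailing baseline, then use sessions per source IP to separate dispersed reconnaissance from concentrated activity. The window, multiplier, sessions-per-IP threshold and the sample rows are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed rows (day, source_ip, sessions) for one product tag."""
    rows = []
    for day in range(1, 8):                                      # quiet baseline week
        rows += [(day, f"198.51.100.{i}", 2) for i in range(1, 6)]
    rows += [(8, f"203.0.113.{i}", 2) for i in range(1, 61)]     # many IPs, few sessions each
    rows += [(9, f"192.0.2.{i}", 100) for i in range(1, 4)]      # few IPs, many sessions each
    return rows

def daily_stats(rows):
    """Aggregate rows into {day: (total_sessions, unique_ips)}."""
    sessions, ips = defaultdict(int), defaultdict(set)
    for day, ip, count in rows:
        sessions[day] += count
        ips[day].add(ip)
    return {d: (sessions[d], len(ips[d])) for d in sorted(sessions)}

def detect_surges(rows, window=7, factor=3.0, concentrated_at=10.0):
    """Flag days whose sessions exceed factor x the trailing-median baseline.

    Surge days are kept out of the baseline so one surge cannot mask the next.
    A surge is "concentrated" when sessions per IP reach concentrated_at
    (assumed threshold), otherwise "dispersed".
    """
    baseline, findings = [], []
    for day, (sess, n_ips) in daily_stats(rows).items():
        if len(baseline) >= window:
            base = median(baseline[-window:])
            if sess > factor * max(base, 1):
                per_ip = sess / n_ips
                kind = "concentrated" if per_ip >= concentrated_at else "dispersed"
                findings.append({"day": day, "sessions": sess, "ips": n_ips,
                                 "sessions_per_ip": round(per_ip, 1), "kind": kind})
                continue
        baseline.append(sess)
    return findings

if __name__ == "__main__":
    for finding in detect_surges(build_sample()):
        print(finding)
```

A dispersed surge followed by a concentrated one against the same product is the sequence the report associates with a move from reconnaissance to focused attacks, and is a reasonable trigger for tightening exposure of that product ahead of any advisory.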

Source: https://www.cybersecuritydive.com/news/vulnerability-disclosure-surges-warnings-greynoise/817952/

Ivanti cybersecurity rating report: https://www.rankiteo.com/company/ivanti

SonicWall cybersecurity rating report: https://www.rankiteo.com/company/sonicwall

Cisco Talos cybersecurity rating report: https://www.rankiteo.com/company/cisco-talos-intelligence-group

"id": "IVASONCIS1776702475",
"linkid": "ivanti, sonicwall, cisco-talos-intelligence-group",
"type": "Vulnerability",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Networking',
                        'name': 'Cisco',
                        'type': 'Vendor'},
                       {'industry': 'Technology/Networking',
                        'name': 'Juniper',
                        'type': 'Vendor'},
                       {'industry': 'Technology/Cybersecurity',
                        'name': 'SonicWall',
                        'type': 'Vendor'},
                       {'industry': 'Technology/Cybersecurity',
                        'name': 'Ivanti',
                        'type': 'Vendor'}],
 'attack_vector': ['Network scanning', 'Brute-force', 'RCE probes'],
 'date_detected': '2025-12-15',
 'date_publicly_disclosed': '2026-03-31',
 'description': 'GreyNoise report reveals hackers frequently exploit software '
                'vulnerabilities weeks before vendors publicly disclose them. '
                'Analysis of attack patterns between mid-December 2025 and '
                'late March 2026 shows nearly half of scanning/exploitation '
                'surges were followed by vulnerability disclosures within '
                'three weeks. The median time between surge and disclosure was '
                '11 days. Notable examples include Cisco, Juniper, SonicWall, '
                'and Ivanti flaws targeted up to 39 days prior to disclosure.',
 'investigation_status': 'Completed (Report Published)',
 'lessons_learned': 'Exploitation surges can serve as an early indicator of '
                    'undisclosed vulnerabilities, particularly for critical '
                    'infrastructure vendors. Organizations monitoring such '
                    'activity may gain a critical window to mitigate risks '
                    'before patches are available.',
 'motivation': ['Exploitation of undisclosed vulnerabilities',
                'Data exfiltration',
                'Targeted attacks'],
 'post_incident_analysis': {'root_causes': 'Hackers exploit vulnerabilities '
                                           'before public disclosure, often '
                                           'weeks in advance. Attackers shift '
                                           'from broad reconnaissance to '
                                           'targeted exploitation as '
                                           'vulnerabilities near disclosure.'},
 'recommendations': ['Monitor scanning and exploitation surges for early '
                     'warning of undisclosed vulnerabilities',
                     'Prioritize patching for high-severity flaws',
                     'Implement enhanced monitoring for critical systems'],
 'references': [{'date_accessed': '2026-03-31', 'source': 'GreyNoise Report'}],
 'response': {'enhanced_monitoring': 'Monitoring exploitation surges for early '
                                     'warning'},
 'title': 'Exploitation Surges Preceding Vulnerability Disclosures (Dec 2025 - '
          'Mar 2026)',
 'type': ['Zero-day exploitation',
          'Reconnaissance',
          'Brute-force attack',
          'Remote Code Execution (RCE)'],
 'vulnerability_exploited': ['Undisclosed vulnerabilities',
                             'High-severity flaws']}