3 Billion Attacks Target VPNs, Routers & Remote Access in 2025

by Anika Shah - Technology
0 comments

State of the Edge: VPNs, Routers Under Sustained Attack

Internet-facing VPNs, routers, and remote access services faced relentless exploitation attempts throughout the second half of 2025, with nearly 3 billion malicious sessions recorded over 162 days. This sustained targeting underscores the critical importance of securing network edges against persistent threats.

GreyNoise 2026 State of the Edge Report Findings

GreyNoise’s “2026 State of the Edge Report” analyzed 2.97 billion sessions observed between July 23 and December 31, 2025, using sensors deployed across more than 80 countries [GreyNoise Press Release]. Activity averaged approximately 212 malicious sessions per second during this period.

Edge Infrastructure as a Prime Target

VPN appliances, consumer routers, and remote access services were central to observed exploitation traffic. Enterprise VPN platforms, including Palo Alto Networks, Cisco, and Fortinet, generated millions of sessions. Consumer routers from manufacturers like MikroTik and ASUS similarly experienced consistent probing, alongside significant activity targeting Remote Desktop services.

SSH activity was dominant, with port 22 alone accounting for over 639 million sessions during the observation period. Router management interfaces also drew sustained attention, with tens of millions of sessions targeting MikroTik services.

Palo Alto GlobalProtect Under Intense Scrutiny

Palo Alto GlobalProtect emerged as a primary target, with sensors recording 16.7 million sessions directed at Palo Alto infrastructure – exceeding combined traffic to Cisco and Fortinet SSL VPNs [GreyNoise Blog]. This activity included large-scale login scanning and exploitation attempts targeting CVE-2020-2034, a PAN-OS injection flaw that continues to be exploited.

Infrastructure Concentration and Blocking Opportunities

Malicious traffic heavily clustered around a limited number of hosting providers. UCLOUD (ASN AS135377) generated 392 million malicious sessions, representing 14% of all observed activity, surpassing the combined volume from AWS and Azure [GreyNoise Press Release]. The top five autonomous systems accounted for roughly 30% of all malicious sessions, presenting opportunities for coarse-grained blocking during active campaigns.

Exploitation of CVE-2025-55182, a React Server Components remote code execution flaw, also showed concentration. 44.5% of the 5.93 million sessions linked to this vulnerability originated from MEVSPACE (ASN AS201814), with two JA4H fingerprints accounting for 73% of the traffic.

Residential Botnets and Evolving Tactics

Credential spraying attacks against U.S. Remote Desktop services expanded rapidly, growing from 2,000 to 300,000 participating IP addresses in 72 days. A significant 73% of these IPs were classified as residential, primarily located in Brazil and Argentina.

These campaigns leveraged geographically distributed home and small business connections, often utilizing IPs with no prior malicious history. Consistent client signatures across thousands of sources indicated centralized coordination, reducing the effectiveness of traditional blocking methods like geographic filtering and static IP blocklists.

Fresh Infrastructure and High-Severity Attacks

Higher-impact exploitation attempts frequently originated from previously unseen infrastructure. Over half of remote code execution traffic came from IP addresses with no prior record in GreyNoise’s data. SQL injection and authentication bypass activity exhibited a similar pattern, with a substantial portion sourced from modern infrastructure.

AI Infrastructure Enters the Attack Surface

LLM inference servers are now being routinely scanned. Tens of thousands of sessions targeted Ollama servers over a four-month period, including a concentrated enumeration campaign probing dozens of model endpoints [GreyNoise Blog]. Approximately 175,000 exposed Ollama servers were identified across more than 100 countries, many advertising tool-calling features through public APIs.

The findings from the GreyNoise 2026 State of the Edge Report highlight the need for organizations to prioritize the security of their network edges and adapt their defenses to address the evolving tactics of attackers.

Related Posts

Leave a Comment