Attackers rarely exploit edge-device vulnerabilities indiscriminately. Instead, they first assess the flaw’s reach and potential access before proceeding to data theft or operational disruption. This pre-attack surveillance and planning generates detectable signals—particularly spikes in traffic targeting specific vendors—which can serve as an early-warning system, often preceding public vulnerability disclosures.

According to research shared exclusively with CyberScoop by GreyNoise, roughly half of the activity surges detected during a 103-day study last winter were followed by a vulnerability disclosure from the same targeted vendor within three weeks. Researchers found that the median warning of an impending vulnerability disclosure arrived nine days before the vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability. Within a few days or weeks—usually within the responsible disclosure timeline—a new very bad vulnerability comes out.”

Andrew Morris, founder and chief architect at GreyNoise

GreyNoise emphasizes that even a single day of advance notice can provide defenders with a critical opportunity to thwart potential attacks before they materialize. During the study period, the company’s real-time network edge scanning platform identified 104 distinct activity surges across 18 vendors. Vulnerabilities in these embedded systems—routers, VPNs, firewalls, and other security devices—consistently rank among the most commonly exploited.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all. It hasn’t gotten bad enough for us to start taking the security of these devices seriously. It’s not bad enough for us to start ripping these things out and replacing them with new devices or new vendors.”

Andrew Morris, founder and chief architect at GreyNoise

GreyNoise linked these traffic surges to a wave of vulnerabilities disclosed by major vendors, including:

  • Cisco
  • Palo Alto Networks
  • Fortinet
  • Ivanti
  • HPE
  • MikroTik
  • TP-Link
  • VMware
  • Juniper
  • F5
  • Netgear

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise’s analysis breaks down traffic surges to measure both intensity and breadth. Session counts reveal how aggressively existing sources are targeting a specific vendor, while unique source IP counts indicate how widely new infrastructure is joining the activity. According to the report:

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation. When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming.”
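As an added illustration of the session-count versus unique-source-IP distinction above (example code written for this summary, not GreyNoise’s own method or data), the following Python computes both metrics per day for one vendor from constructed scan-session records and applies the report’s decision rule against a rolling median baseline. The 3× threshold and five-day window are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed scan-session records, one tuple per session: (day, vendor, source_ip).
# Days 1-5: steady background of 4 sources probing 5 times each.
# Day 6: the same 4 sources probe 40 times each (intensity only).
# Day 7: 24 new sources probe once each (breadth only).
# Day 8: 40 new sources probe 5 times each (intensity and breadth together).
SESSIONS = []
for day in range(1, 6):
    SESSIONS += [(day, "vendor-x", f"198.51.100.{i}") for i in range(4) for _ in range(5)]
SESSIONS += [(6, "vendor-x", f"198.51.100.{i}") for i in range(4) for _ in range(40)]
SESSIONS += [(7, "vendor-x", f"203.0.113.{i}") for i in range(24)]
SESSIONS += [(8, "vendor-x", f"192.0.2.{i}") for i in range(40) for _ in range(5)]

def daily_metrics(sessions, vendor):
    """Return {day: (session_count, unique_source_ips)} for one vendor."""
    per_day = defaultdict(list)
    for day, v, ip in sessions:
        if v == vendor:
            per_day[day].append(ip)
    return {d: (len(ips), len(set(ips))) for d, ips in sorted(per_day.items())}

def classify_surges(metrics, factor=3.0, window=5):
    """Label each day using the report's rule. A metric spikes when it exceeds
    `factor` times the median of the preceding `window` days (both parameters
    are assumed here, not taken from the report)."""
    days = sorted(metrics)
    labels = {}
    for idx, day in enumerate(days):
        prior = [metrics[d] for d in days[max(0, idx - window):idx]]
        if not prior:          # no baseline yet for the first day
            continue
        base_sessions = median([s for s, _ in prior])
        base_ips = median([u for _, u in prior])
        sessions, ips = metrics[day]
        session_spike = sessions > factor * base_sessions
        ip_spike = ips > factor * base_ips
        if session_spike and ip_spike:
            labels[day] = "coordinated escalation: high-confidence, look harder"
        elif session_spike:
            labels[day] = "intensity only: known sources probing harder"
        elif ip_spike:
            labels[day] = "breadth only: do not assume a vulnerability is coming"
        else:
            labels[day] = "baseline"
    return labels

if __name__ == "__main__":
    for day, label in classify_surges(daily_metrics(SESSIONS, "vendor-x")).items():
        print(day, label)
```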

The study aligns with findings from Verizon, Google Threat Intelligence Group, and Mandiant, emerging during what GreyNoise describes as “the most active period for edge-device vulnerabilities in history.”

Source: CyberScoop