GreyNoise
-
In-the-wild exploitation observed for critical BeyondTrust RCE CVE-2026-1731
Researchers observed overnight exploitation attempts for CVE-2026-1731 targeting BeyondTrust Remote Support and Privileged Remote Access. The flaw is rated CVSS 9.9. Patches are available for affected versions and administrators should apply updates immediately.
-
Cisco warns of active exploitation of AsyncOS zero-day by China-nexus APT
Cisco warned that a maximum-severity AsyncOS zero-day (CVE-2025-20393) is being actively exploited by a China-nexus APT, targeting Secure Email Gateway and Secure Email and Web Manager appliances; exploitation requires the Spam Quarantine feature to be exposed to the internet, and Cisco, CISA and other firms have issued mitigations and alerts.
-
Trend Micro: RondoDox botnet campaign expands to exploit more than 50 flaws across 30 vendors
Trend Micro said RondoDox campaigns have widened to exploit more than 50 vulnerabilities across over 30 vendors, using a loader-as-a-service model that bundles RondoDox with Mirai and Morte, and researchers linked the activity to large-scale botnet operations and coordinated RDP attacks.
-
Researchers report surge in scans targeting Palo Alto Networks login portals
GreyNoise reported a roughly 500% rise in IP addresses scanning Palo Alto Networks GlobalProtect and PAN-OS profiles, peaking at over 1,285 addresses on Oct. 3; GreyNoise classed most IPs as suspicious and also flagged separate Grafana exploitation attempts tied to CVE-2021-43798.
-
Coordinated Cyber Attacks Target Tomcat Manager Interfaces
GreyNoise has warned of a surge in coordinated brute-force attacks targeting Apache Tomcat Manager interfaces, involving 295 unique malicious IP addresses. As attackers target these interfaces, experts recommend strengthening security measures to protect against unauthorized access.
-
Coordinated Scanning Operation Targets Exposed Systems in Japan
A recent coordinated reconnaissance campaign involving 251 malicious IP addresses aims to exploit vulnerabilities in web infrastructure, according to cybersecurity firm GreyNoise. The firm warns that organizations should take immediate action to block these IPs to reduce exposure.






