The cybersecurity landscape of 2024 witnessed an unprecedented increase in mass internet exploitation, driven by attackers’ ability to automate vulnerability exploits within hours of disclosure.
GreyNoise’s 2025 Mass Internet Exploitation Report reveals a systematic industrialization of cyberattacks, with threat actors leveraging both cutting-edge and decades-old vulnerabilities to compromise systems at scale.
From ransomware campaigns to botnet-driven assaults, adversaries demonstrated alarming efficiency in weaponizing flaws faster than defenders could remediate them, underscoring systemic weaknesses in global patch management strategies.
In 2024, attackers operated at machine speed, with researchers observing exploitation attempts for critical vulnerabilities within 4–6 hours of public disclosure.
This automation extended beyond zero-day flaws; 40% of exploited CVEs were at least four years old, including vulnerabilities dating to the 1990s.
For example, CVE-2014-8361, a Realtek Miniigd UPnP flaw first patched in 2015, remained one of the most targeted entry points, with 41,522 unique IPs observed exploiting it to deploy cryptojacking payloads.
Ransomware collectives accounted for 28% of attacks leveraging vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, often weaponizing flaws before their formal KEV designation.
The May 2024 surge, attributed to 12,000+ IPs targeting Android devices via CVE-2023-4863, exemplified how attackers coordinate mass exploitation across geographies and device types.
Attackers Automating Vulnerability Exploits
Despite advances in vulnerability management, legacy systems proved critical weak points. The CVE-2018-10561 GPON router worm, first disclosed in 2018, resurfaced as the most exploited vulnerability of 2024, with 96,042 unique IPs hijacking routers to build botnets for DDoS attacks.
Similarly, CVE-2016-20016, a 2016 flaw in MVPower CCTV DVRs, allowed attackers to compromise 17,496 devices and exfiltrate footage for extortion campaigns.
Andrew Morris, GreyNoise’s Founder, noted: “They care less about CVSS scores or KEV lists. They scan the entire internet — it’s quick and cheap to do — they find what’s exposed, and go after it immediately.”
This economic calculus explains why 32% of observed exploits targeted IoT devices, particularly home routers like the Tenda AC8 (CVE-2023-30891), which suffered 29,620 exploitation attempts.
Ransomware groups increasingly relied on automated exploitation tools to gain initial access.
The LockBit 3.0 syndicate, for instance, weaponized CVE-2023-34362 (a MOVEit Transfer SQLi flaw) within 72 hours of disclosure, breaching 2,300 organizations by exploiting unpatched instances.
GreyNoise data showed that 67% of ransomware-linked IPs targeted vulnerabilities older than two years, exploiting lagging patch cycles in sectors like healthcare and education.
The report emphasizes three critical shifts for defenders:
Real-Time Threat Intelligence: Traditional vulnerability management cycles (often 30–90 days) are obsolete. Solutions like GreyNoise’s telemetry platform, which detects scanning activity within minutes, are essential for prioritization.
Legacy System Audits: Organizations must inventory and segment outdated devices, particularly IoT and network infrastructure, to reduce attack surfaces.
Automated Patch Deployment: AI-driven patch management systems reduced mean time to remediation (MTTR) by 58% in early adopters, mitigating risks during critical windows.
The 2024 exploitation surge underscores a stark reality: cybersecurity is no longer a battle of stealth but of speed.
With ransomware collectives and state-backed groups investing heavily in automation, the 2025 Mass Internet Exploitation Report serves as both a warning and a roadmap urging organizations to abandon reactive strategies in favor of real-time, data-driven defense mechanisms.