2026-02-25

Internet-facing VPNs, routers, and remote access services absorbed sustained exploitation attempts throughout the second half of 2025, with nearly 3 billion malicious sessions recorded over 162 days. The concentration on edge infrastructure aligns with how attackers pursue initial access across the public internet.

GreyNoise’s State of the Edge data set covers 2.97 billion sessions observed between July 23 and December 31, 2025, across sensors in more than 80 countries. Activity averaged roughly 212 malicious sessions per second during that period.

Edge infrastructure dominates targeting

VPN appliances, consumer routers, and remote access services accounted for a large share of observed exploitation traffic. Enterprise VPN platforms, including Palo Alto Networks, Cisco, and Fortinet, generated millions of sessions. Consumer routers such as MikroTik and ASUS devices also saw sustained probing, alongside heavy activity against Remote Desktop services.

SSH activity dwarfed every other protocol. Port 22 alone generated more than 639 million sessions during the observation period. Router management interfaces also drew sustained attention, including tens of millions of sessions against MikroTik services.

Palo Alto GlobalProtect emerged as a primary target. Sensors recorded 16.7 million sessions directed at Palo Alto infrastructure, exceeding Cisco and Fortinet SSL VPN traffic combined. Activity included large-scale login scanning and exploitation attempts against CVE-2020-2034, a PAN-OS injection flaw that remains in circulation.

The volume and focus show deliberate targeting of systems that sit at the network boundary. VPN compromise provides direct network access, placing edge devices at the center of internet-wide exploitation activity.

Infrastructure concentration creates blocking opportunities

Malicious traffic clustered heavily around a small number of hosting providers. UCLOUD, ASN AS135377, generated 392 million malicious sessions, representing 14% of all observed activity. That volume exceeded AWS and Azure combined.

The top five autonomous systems accounted for roughly 30% of all malicious sessions. Concentration at the ASN level enables coarse-grained blocking during active campaigns.

Exploitation of CVE-2025-55182, a React Server Components remote code execution flaw, showed similar clustering. Of 5.93 million sessions tied to that vulnerability, 44.5% originated from MEVSPACE, ASN AS201814. Two JA4H fingerprints accounted for 73% of traffic, indicating shared tooling across thousands of IP addresses.

Residential botnet growth bypasses source-based controls

Credential spraying against U.S. Remote Desktop services expanded from 2,000 to 300,000 participating IP addresses over 72 days. Of those IPs, 73% were classified as residential, largely in Brazil and Argentina.

The campaign relied on geographically distributed home and small business connections. Many IPs carried no prior malicious history. Traffic exhibited consistent client signatures across thousands of sources, indicating centralized coordination.

This scale reduces the effectiveness of geographic blocking, reputation scoring, and static IP blocklists. Each source can generate minimal traffic, spreading credential attempts across hundreds of thousands of nodes.
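As an added example (not GreyNoise's code or data), the following Python groups constructed session records by ASN and by JA4H client fingerprint to surface the two patterns described in the ASN-concentration section and the residential-botnet section above: a few ASNs carrying a large share of sessions, which supports coarse ASN-level blocking, and one fingerprint shared across many low-volume IPs, which is what source-based controls miss. The ASNs, IPs and fingerprint labels are made up.

```python
from collections import Counter, defaultdict

# Constructed sample records (source_ip, asn, ja4h_fingerprint); all values
# are made up for this example and use documentation IP ranges and private ASNs.
SESSIONS = [
    # hosting provider: two IPs generating most sessions with one client fingerprint
    ("203.0.113.10", "AS64500", "fp-A"),
    ("203.0.113.10", "AS64500", "fp-A"),
    ("203.0.113.10", "AS64500", "fp-A"),
    ("203.0.113.11", "AS64500", "fp-A"),
    ("203.0.113.11", "AS64500", "fp-A"),
    ("203.0.113.11", "AS64500", "fp-C"),
    # second hosting provider
    ("198.51.100.5", "AS64501", "fp-C"),
    ("198.51.100.6", "AS64501", "fp-D"),
    # residential-style sources: one session each, spread over many ASNs,
    # but all carrying the same client fingerprint (shared tooling)
    ("192.0.2.1", "AS64510", "fp-B"),
    ("192.0.2.2", "AS64511", "fp-B"),
    ("192.0.2.3", "AS64512", "fp-B"),
    ("192.0.2.4", "AS64513", "fp-B"),
    ("192.0.2.5", "AS64514", "fp-B"),
    ("192.0.2.6", "AS64515", "fp-B"),
]

def asn_shares(sessions):
    """Rank ASNs by session count; returns (asn, count, share) in descending order."""
    total = len(sessions)
    counts = Counter(asn for _, asn, _ in sessions)
    return [(asn, n, n / total) for asn, n in counts.most_common()]

def block_candidates(sessions, share_threshold=0.25):
    """ASNs concentrated enough that a coarse ASN-level block during a campaign pays off."""
    return [asn for asn, _, share in asn_shares(sessions) if share >= share_threshold]

def fingerprint_clusters(sessions, min_ips=3):
    """Fingerprints seen from at least min_ips distinct IPs, with their share of
    all sessions. One fingerprint across many low-volume IPs is the pattern that
    ASN or reputation blocking misses; alert or block on the fingerprint instead."""
    total = len(sessions)
    ips_by_fp, count_by_fp = defaultdict(set), Counter()
    for ip, _, fp in sessions:
        ips_by_fp[fp].add(ip)
        count_by_fp[fp] += 1
    clusters = [(fp, len(ips), count_by_fp[fp] / total)
                for fp, ips in ips_by_fp.items() if len(ips) >= min_ips]
    return sorted(clusters, key=lambda c: c[2], reverse=True)
```

On the sample data, `block_candidates(SESSIONS)` returns only the hosting ASN, while `fingerprint_clusters(SESSIONS)` returns the fingerprint shared by the six residential sources, none of which would individually cross a per-IP or per-ASN threshold.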

Fresh infrastructure supports high-severity attacks

Higher-impact exploitation attempts frequently originated from infrastructure with no prior history in the sensor data set. More than half of remote code execution traffic came from previously unseen IP addresses. SQL injection and authentication bypass activity showed a similar pattern, with a substantial share of traffic sourced from new infrastructure.

Lower-severity reconnaissance activity relied more heavily on known infrastructure. The distribution points to routine infrastructure rotation for attacks designed to achieve code execution or bypass authentication controls.

AI infrastructure joins the edge attack surface

LLM inference servers have entered routine scanning cycles. Tens of thousands of sessions targeted Ollama servers over a four-month period, including a concentrated enumeration campaign that probed dozens of model endpoints.

Separate research identified roughly 175,000 exposed Ollama servers across more than 100 countries, with many advertising tool-calling features through public APIs.