Old Vulnerabilities Among the Most Widely Exploited

In their quest for network access, cyber threat actors are leveraging a broad spectrum of vulnerabilities, from the most recently disclosed to those left unpatched for over two decades.

In its 2025 Mass Internet Exploitation Report, released on February 27, GreyNoise found that 40% of vulnerabilities exploited by attackers in 2024 were from 2020 or earlier and 10% from 2016 or earlier. Some even date back to the late 1990s, like CVE-1999-0526 – an X server vulnerability.

Some legacy vulnerabilities, like CVE-2018-10-561, an issue discovered on Dasan GPON home routers, remained the most exploited flaws in 2024.

Attackers Speed Up Exploitation

On the other end of the spectrum, attackers are also getting quicker at exploiting newly found CVEs, with exploitation observed within hours of disclosure in 2024.

Additionally, GreyNoise detected the exploitation of 29 vulnerabilities before they were added to the US Cybersecurity and Infrastructure Security’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

Ransomware groups – the primary source of vulnerability exploits – leveraged 28% of the CVEs added to CISA’s KEV catalog.

Where Vulnerabilities Are Being Exploited

A majority of the most exploited vulnerabilities in 2024 targeted home internet routers, including customer-facing fiber modems.

Ivanti, D-Link and VMware were among the providers with the most exploited vulnerabilities.

According to the GreyNoise researchers, the threat actors’ main objectives for exploiting vulnerabilities in 2024 included:

• Botnet expansion
• Cryptocurrency mining
• Initial access for ransomware deployment
• Data exfiltration operations
• Proxy service creation for further attacks