Edge Systems Under Siege: Mitigating Internet-Wide Exploitation Attempts


Internet-Facing Systems Bear the Brunt of Widespread Exploitation Attempts

A recent analysis of malicious activity on the internet has revealed that edge systems, including VPNs, routers, and remote access services, have been subjected to a staggering number of exploitation attempts. Between July 23 and December 31, 2025, nearly 3 billion malicious sessions were recorded across sensors in over 80 countries, with an average of 212 malicious sessions per second.

Targeted Systems

The data, collected by GreyNoise, shows that attackers are increasingly targeting edge infrastructure as a means of gaining initial access to networks. Enterprise VPN platforms, such as those offered by Palo Alto Networks, Cisco, and Fortinet, were among the most heavily targeted, with millions of sessions recorded. Consumer routers, including those manufactured by MikroTik and ASUS, also saw significant activity, as did Remote Desktop services.

SSH Activity

SSH activity was particularly pronounced, with over 639 million sessions recorded on port 22 alone. Router management interfaces, including those used by MikroTik, were also targeted, with tens of millions of sessions detected. Palo Alto’s GlobalProtect platform emerged as a primary target, with 16.7 million sessions recorded, including large-scale login scanning and exploitation attempts against a known PAN-OS injection flaw.

Malicious Activity Concentration

The concentration of malicious activity around specific hosting providers and autonomous systems presents opportunities for coarse-grained blocking. For example, UCLOUD, ASN AS135377, was responsible for 392 million malicious sessions, representing 14% of all observed activity. The top five autonomous systems accounted for approximately 30% of all malicious sessions.

Exploitation of Vulnerabilities

The exploitation of specific vulnerabilities, such as CVE-2025-55182, a React Server Components remote code execution flaw, also showed a high degree of clustering. In this case, 44.5% of sessions originated from MEVSPACE, ASN AS201814, with two JA4H fingerprints accounting for 73% of traffic. This suggests that attackers are using shared tooling across thousands of IP addresses.
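The two observations above (a handful of autonomous systems carrying a third of all malicious sessions, and two JA4H fingerprints behind most of one exploit campaign) are the same analysis: group sessions by a shared attribute and measure how much traffic the top values account for. The script below is an added example, not GreyNoise code or data. It runs that grouping over a constructed set of session records with private-use ASNs and documentation IP ranges, and only nominates an ASN as a coarse-block candidate when its share is large and spread across many distinct source IPs, the shared-tooling pattern the article describes. The record layout, field names and thresholds are assumptions for illustration.

```python
"""Concentration analysis over sensor session records.

Added example (not GreyNoise code or data). Given one record per
malicious session with the source IP, its autonomous system and the
JA4H client fingerprint, it measures how much traffic the top ASNs and
fingerprints account for, and lists ASNs that are both dominant and
spread over many distinct source IPs.
"""
from collections import Counter, defaultdict


def _rec(src_ip, asn, ja4h, tag="rce-attempt"):
    # Record shape is assumed for this example; real sensor exports differ.
    return {"src_ip": src_ip, "asn": asn, "ja4h": ja4h, "tag": tag}


# Constructed sample: 20 sessions using private-use ASNs and documentation
# IP ranges. None of these values come from the article.
SESSIONS = [
    _rec("203.0.113.1", "AS64500", "fp_alpha"),
    _rec("203.0.113.2", "AS64500", "fp_alpha"),
    _rec("203.0.113.3", "AS64500", "fp_alpha"),
    _rec("203.0.113.4", "AS64500", "fp_beta"),
    _rec("203.0.113.5", "AS64500", "fp_beta"),
    _rec("203.0.113.6", "AS64500", "fp_alpha"),
    _rec("203.0.113.1", "AS64500", "fp_alpha"),
    _rec("203.0.113.2", "AS64500", "fp_beta"),
    _rec("203.0.113.3", "AS64500", "fp_alpha"),
    _rec("203.0.113.7", "AS64500", "fp_beta"),   # 10 sessions, 7 distinct IPs
    _rec("198.51.100.1", "AS64501", "fp_alpha"),
    _rec("198.51.100.2", "AS64501", "fp_beta"),
    _rec("198.51.100.1", "AS64501", "fp_alpha"),
    _rec("198.51.100.3", "AS64501", "fp_gamma"),  # 4 sessions, 3 distinct IPs
    _rec("192.0.2.1", "AS64502", "fp_gamma"),
    _rec("192.0.2.2", "AS64502", "fp_gamma"),
    _rec("192.0.2.3", "AS64502", "fp_gamma"),     # 3 sessions
    _rec("192.0.2.10", "AS64503", "fp_delta"),
    _rec("192.0.2.11", "AS64503", "fp_gamma"),    # 2 sessions
    _rec("192.0.2.20", "AS64504", "fp_gamma"),    # 1 session
]


def share_by_key(sessions, key):
    """Return [(value, count, share)] sorted by count, descending."""
    counts = Counter(s[key] for s in sessions)
    total = len(sessions)
    return [(value, n, n / total) for value, n in counts.most_common()]


def top_n_share(sessions, key, n):
    """Fraction of all sessions covered by the n most common values of key."""
    return sum(share for _, _, share in share_by_key(sessions, key)[:n])


def distinct_ips_by_key(sessions, key):
    """How many distinct source IPs sit behind each value of key."""
    ips = defaultdict(set)
    for s in sessions:
        ips[s[key]].add(s["src_ip"])
    return {value: len(addrs) for value, addrs in ips.items()}


def block_candidates(sessions, key, min_share, min_distinct_ips):
    """Values of key worth a coarse block: a large share AND many source IPs.

    The second condition avoids blocking a whole ASN because of one noisy
    host, which is better handled by a per-IP rule.
    """
    ips = distinct_ips_by_key(sessions, key)
    return [
        value
        for value, _, share in share_by_key(sessions, key)
        if share >= min_share and ips[value] >= min_distinct_ips
    ]


if __name__ == "__main__":
    for key in ("asn", "ja4h"):
        print(f"--- by {key} ---")
        for value, n, share in share_by_key(SESSIONS, key):
            print(f"{value:<10} {n:>3} sessions {share:6.1%}")
    print("top-2 fingerprint share:", f"{top_n_share(SESSIONS, 'ja4h', 2):.1%}")
    print("ASN block candidates:", block_candidates(SESSIONS, "asn", 0.4, 5))
```

On the constructed sample, the leading ASN carries 50% of sessions from 7 distinct hosts and the top two fingerprints cover 70% of traffic, so the ASN qualifies as a block candidate while the same ASN would not if the minimum distinct-IP bar were raised above its host count; in practice the fingerprint grouping is what makes a rule survive the IP rotation described later in the article.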

Residential Botnet Activity

A significant increase in residential botnet activity has also been observed, with credential spraying against U.S. Remote Desktop services expanding from 2,000 to 300,000 participating IP addresses over a 72-day period. The majority of these IPs were classified as residential, primarily located in Brazil and Argentina. The campaign relied on geographically distributed home and small business connections, with many IPs carrying no prior malicious history.

Infrastructure Rotation

The use of fresh infrastructure to support high-severity attacks is also on the rise. More than half of remote code execution traffic originated from previously unseen IP addresses, while SQL injection and authentication bypass activity showed a similar pattern. This suggests that attackers are routinely rotating their infrastructure to achieve code execution or bypass authentication controls.
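Both the residential credential-spraying campaign and the reliance on previously unseen IP addresses point at the same detection gap: per-source lockouts and reputation lists see each participant as harmless. The script below is an added example, not GreyNoise code or data. It parses a constructed Remote Desktop gateway authentication-failure log (the line format is hypothetical), compares the number of distinct failing sources in an hour against a baseline hour, fires only when that count balloons while no single source reaches the lockout threshold, and then measures how little of the spray a static block list would have covered. All IPs, usernames and the block list are constructed.

```python
"""Distributed credential-spray detection over constructed auth logs.

Added example (not GreyNoise code or data). Per-source lockouts see a
spray from many low-volume residential IPs as noise, so this compares
the number of distinct failing sources in a window against a baseline
and only fires when no single source reaches the lockout threshold. It
also reports how much of the window a static block list already knew.
The log line format is hypothetical.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rdpgw auth_fail src=(?P<src>\S+) user=(?P<user>\S+)$"
)
BASE = datetime(2025, 10, 1, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


def _line(ts, src, user):
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} rdpgw auth_fail src={src} user={user}"


# Constructed log: hour 0 is three hosts hammering "admin" (classic brute
# force); hour 1 is fifteen sources with two attempts each, rotating users.
LOG_LINES = []
for i in range(3):
    for k in range(6):
        LOG_LINES.append(_line(BASE + timedelta(minutes=10 * k + i),
                               f"203.0.113.{i + 1}", "admin"))
for i in range(15):
    for k in range(2):
        LOG_LINES.append(_line(BASE + HOUR + timedelta(minutes=3 * i + k),
                               f"198.51.100.{i + 1}", f"user{(i + k) % 5}"))

# Constructed reputation list: one host from each window has prior history.
KNOWN_BAD = {"203.0.113.1", "198.51.100.7"}


def parse(lines):
    """Turn raw lines into (timestamp, src, user); skip lines that don't match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["src"], m["user"]))
    return events


def window_stats(events, start, length):
    """Attempt volume, source spread and per-source maximum inside one window."""
    end = start + length
    inwin = [e for e in events if start <= e[0] < end]
    per_ip = Counter(src for _, src, _ in inwin)
    return {
        "attempts": len(inwin),
        "distinct_sources": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "distinct_users": len({user for _, _, user in inwin}),
    }


def is_distributed_spray(stats, baseline_sources, lockout_threshold, growth=5):
    """True when sources balloon while every source stays under lockout."""
    return (stats["distinct_sources"] >= growth * baseline_sources
            and stats["max_per_ip"] < lockout_threshold)


def reputation_coverage(events, start, length, known_bad):
    """Fraction of distinct sources in the window that a block list already knew."""
    end = start + length
    sources = {src for ts, src, _ in events if start <= ts < end}
    if not sources:
        return 0.0
    return len(sources & known_bad) / len(sources)


if __name__ == "__main__":
    events = parse(LOG_LINES)
    base = window_stats(events, BASE, HOUR)
    spray = window_stats(events, BASE + HOUR, HOUR)
    print("baseline:", base)
    print("spray   :", spray)
    print("spray detected:", is_distributed_spray(spray, base["distinct_sources"], 5))
    print("block-list coverage of spray sources:",
          f"{reputation_coverage(events, BASE + HOUR, HOUR, KNOWN_BAD):.1%}")
```

The baseline hour is caught by an ordinary lockout (six failures from one host), whereas the spray hour never exceeds two failures per source and is only visible as a five-fold jump in distinct sources; the block list knows one of the fifteen spray hosts, which is why the source-count signal rather than reputation has to carry the detection.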

AI Infrastructure

Finally, the increasing use of AI infrastructure has expanded the edge attack surface. LLM inference servers, such as those offered by Ollama, have entered routine scanning cycles, with tens of thousands of sessions targeting these servers over a four-month period. Separate research has identified approximately 175,000 exposed Ollama servers across more than 100 countries, many of which advertise tool-calling features through public APIs.
