Mass Internet Exploitation in 2024: A Rapidly Escalating Threat

In 2024, attackers didn’t just exploit vulnerabilities — they automated them at scale, turning the internet into a playground for mass exploitation. 

  • Attackers exploited vulnerabilities within hours of disclosure. 
  • 40% of exploited CVEs were at least four years old — some dating back to the 1990s. 
  • Ransomware groups leveraged nearly 30% of KEV-listed vulnerabilities that GreyNoise tracked. 

GreyNoise observed widespread internet scanning and exploitation attempts across thousands of IPs, showing how attackers are scaling operations faster than defenders can respond. 

DOWNLOAD FREE REPORT

The GreyNoise 2025 Mass Internet Exploitation Report provides a detailed breakdown of how mass exploitation evolved in 2024, which vulnerabilities were most targeted, and how CISOs and security professionals can stay ahead in 2025. 

Key Findings from the 2025 Mass Internet Exploitation Report

  • The most exploited vulnerability of 2024 targeted home internet routers, fueling massive botnets used in cyberattacks. 
  • Legacy vulnerabilities remain among the most widely exploited, with attackers continuing to target publicly known flaws, sometimes dating back to the 1990s. 
  • GreyNoise observed multiple CVEs showing signs of exploitation before being added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence. 
  • Ransomware groups leveraged 28% of KEV-listed vulnerabilities tracked by GreyNoise, showing mass exploitation is a key enabler of financially motivated attacks. 
  • A surge in May 2024 was traced to 12,000+ unique IPs involved in an exploitation event targeting Android devices. 

The Speed and Surprise of Mass Exploitation: New and Old CVEs Under Attack

This report confirms that mass exploitation is not just a zero-day problem — it’s a persistent issue across both new and old vulnerabilities. 

“Mass exploitation isn’t just about zero-days — it’s about attackers industrializing vulnerability exploitation at scale,” said Andrew Morris, Founder and Chief Architect at GreyNoise. "They care less about CVSS scores or KEV lists. They scan the entire internet — it’s quick and cheap to do — they find what’s exposed, and go after it immediately. This report shows just how fast and unpredictable mass exploitation really is — and why security teams need real-time intelligence to keep up.” 

Why This Matters Now

  • Most patching strategies can’t keep up — attackers automate exploits faster than teams can assess, prioritize, and deploy fixes. 
  • Mass exploitation is moving faster than traditional security workflows — organizations need real-time intelligence, not just alerts. 
  • Ransomware groups are automating attacks. Exploitation of known vulnerabilities remains a primary initial access method. 
  • Home routers and IoT devices are increasingly being exploited at scale. Many organizations fail to account for these attack surfaces. 

The Most Observed Exploitation Activity in 2024

Attackers aren’t just targeting newly disclosed vulnerabilities — many of the most exploited CVEs in 2024 are years old, proving that security teams must rethink patching priorities. 

GreyNoise tracked the most frequently observed vulnerability exploitation attempts across the internet in 2024. Some of the most targeted vulnerabilities included:

  • CVE-2018-10561 (GPON Router Worm) – 96,042 unique IPs
  • CVE-2014-8361 (Realtek Miniigd UPnP Worm) – 41,522 unique IPs
  • CVE-2016-6277 (NETGEAR Command Injection) – 40,597 unique IPs
  • CVE-2023-30891 (Tenda AC8 Router Exploit) – 29,620 unique IPs
  • CVE-2016-20016 (MVPower CCTV DVR RCE) – 17,496 unique IPs

These vulnerabilities were frequently targeted throughout 2024, often in large-scale scanning campaigns, botnet-building operations, or ransomware-driven attacks. 

GET THE FULL IN-DEPTH ANALYSIS

Defensive Takeaways for 2025

The 2025 Mass Internet Exploitation Report confirms that:

  • Mass exploitation begins rapidly after disclosure, making real-time intelligence critical for prioritization. 
  • Legacy vulnerabilities remain prime targets, often exploited alongside newer flaws. 
  • Security teams need real-time exploitation intelligence to make informed decisions. 

DOWNLOAD FREE REPORT

— — —

Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account