Attackers from every corner of the internet are exploiting a uniquely dangerous class of cyber flaws: resurgent vulnerabilities.
These aren’t being exploited as zero-days — and spikes in activity rarely make headlines. They’re older flaws that quietly return to relevance as attacker interest reignites. Some were deprioritized years ago. Others were never seen as serious. But today, they’re being opportunistically exploited at scale, often in edge technologies like firewalls, routers, and VPNs — the very internet-facing assets attackers use for initial access and persistence.
GreyNoise’s latest research breaks down these vulnerabilities — how they behave, why they’re dangerous, and what defenders and policymakers need to know to stay ahead.
Key Takeaways:
- Resurgent vulnerabilities fall into three distinct behavioral categories: Utility, Periodic, and Black Swan. Each category has unique exploitation patterns, with Black Swan being the most unpredictable.
- Over half of the top exploited resurgent CVEs and nearly 70% of Black Swan vulnerabilities affect edge technologies, such as routers and VPNs — the very technologies attackers use for initial access and persistence.
- Some CVEs are first exploited years after disclosure, creating long-standing blind spots in many patching programs.
- Resurgent exploitation often arrives without warning, underscoring the need for adaptive patch management and dynamic blocking strategies that account for dormant but dangerous vulnerabilities.
- Government and private threat intelligence providers have reported state-sponsored exploitation of old vulnerabilities. GreyNoise Intelligence continues to observe widespread opportunistic activity against many of the same flaws.
Inside the report:
- A new framework for understanding how vulnerabilities resurface.
- Behavioral patterns of resurgence — and what they mean for defenders.
- Visuals and examples of resurgent CVEs exploited at scale.
- Tactical insights for security professionals and policymakers to improve patch prioritization, dynamic blocking, and risk mitigation.
Download the full report and prepare before the next wave hits.
— — —
Noah Stone contributed to this writeup in collaboration with GreyNoise Research. Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
