Full Report
Four in ten flaws exploited by threat actors in 2024 were from 2020 or earlier, with some dating back to the 1990s, according to a GreyNoise report
Analysis Summary
This summary aggregates information presented in an article detailing exploitation trends observed by GreyNoise in 2024. Since the article focuses on general exploitation trends across multiple legacy and new vulnerabilities rather than a single, new vulnerability with a specific patch, the summary reflects the high-level findings and references specific examples mentioned.
# Vulnerability: Mass Exploitation Trend of Legacy Vulnerabilities
## CVE Details
- CVE ID: Multiple (Specific examples: CVE-1999-0526, CVE-2018-10561)
- CVSS Score: Not uniformly provided (General analysis of *most* exploited)
- CWE: Not uniformly provided
## Affected Systems
- Products: Home internet routers, customer-facing fiber modems. Vendors named include Dasan, Ivanti, D-Link, and VMware.
- Versions: Unspecified/Legacy versions susceptible to vulnerabilities dating back to the late 1990s (e.g., CVE-1999-0526).
- Configurations: Devices connected to the Internet, often consumer or small business hardware.
## Vulnerability Description
The report highlights that threat actors actively exploit a wide range of vulnerabilities, prioritizing flaws that remain unpatched for significant periods. In 2024, 40% of exploited vulnerabilities were from 2020 or earlier, with some dating back two decades (e.g., CVE-1999-0526). Attackers rapidly exploit newly disclosed CVEs, often within hours of disclosure, sometimes before they are listed on CISA's KEV catalog.
## Exploitation
- Status: **Exploited in the wild** (Across numerous CVEs, including legacy ones like CVE-2018-10561, which was among the most exploited in 2024).
- Complexity: Varies, but high rates of exploitation suggest accessible vectors.
- Attack Vector: Primarily **Network** access utilized to achieve objectives like botnet expansion, crypto-mining, and initial access for ransomware.
## Impact
The impact varies by the specific vulnerability exploited, but general attributed objectives include:
- Confidentiality: Potential for **Data exfiltration**.
- Integrity: Potential for **Cryptocurrency mining** (unauthorized resource use) and system manipulation.
- Availability: Potential for **Botnet expansion** (resource hijacking) and disruption of service.
## Remediation
### Patches
- **Action Required:** Patching should prioritize vulnerabilities listed on the CISA KEV catalog, but also address older, highly exploited flaws.
- Specific patches referenced are vendor-dependent (e.g., patches for Dasan, Ivanti, D-Link, VMware products). CISA advises patching CVEs dating back to 2014.
### Workarounds
- No specific vendor workarounds were listed in the summary, but general strategies for unpatched systems would involve network segmentation, blocking unnecessary ports, and robust firewall rules.
## Detection
- **Indicators of Compromise (IoCs):** Not specified explicitly, but related to successful exploitation for botnet activity, crypto-mining, or ransomware deployment.
- **Detection Methods and Tools:** Monitoring network traffic for signs of attempted exploitation against known vulnerable services, and utilizing tools like GreyNoise to track active scanning and exploitation attempts against known CVEs. 29 vulnerabilities were exploited before being added to the CISA KEV catalog, suggesting proactive threat intelligence monitoring is key.
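The patch-prioritization guidance under Remediation and the KEV-gap observation above can be combined into one triage pass. The following is an added example, not code from GreyNoise or the source article: it ranks an inventory of findings so that anything with observed exploitation comes first whether or not KEV lists it, and legacy flaws lead within each tier. The `KEV` and `OBSERVED` sets, host names, and the `9000x` CVE IDs are constructed placeholders standing in for a KEV snapshot and a threat-intelligence feed.

```python
import re
from collections import namedtuple

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
LEGACY_CUTOFF = 2020  # the report's "2020 or earlier" boundary

Finding = namedtuple("Finding", "host cve tier legacy kev_gap")

def triage(inventory, kev, observed):
    """Rank (host, cve) pairs; return (ranked findings, malformed entries)."""
    ranked, malformed = [], []
    for host, raw in inventory:
        m = CVE_RE.match(raw.strip().upper())
        if not m:
            # A malformed ID matches no feed; surface it instead of dropping it.
            malformed.append((host, raw))
            continue
        cve = m.group(0)
        # The year in the ID is the assignment year, used here as an age proxy.
        legacy = int(m.group(1)) <= LEGACY_CUTOFF
        exploited, listed = cve in observed, cve in kev
        tier = 1 if exploited else 2 if listed else 3
        ranked.append(Finding(host, cve, tier, legacy, exploited and not listed))
    # Within a tier, legacy flaws sort first, then by ID for a stable order.
    ranked.sort(key=lambda f: (f.tier, not f.legacy, f.cve))
    return ranked, malformed

# Constructed sample data. Set membership is illustrative, and the 9000x IDs
# are placeholders, not real CVE records.
KEV = {"CVE-2018-10561", "CVE-2024-90001"}
OBSERVED = {"CVE-1999-0526", "CVE-2018-10561", "CVE-2024-90002"}
INVENTORY = [
    ("fw-edge-1", "CVE-2024-90001"),
    ("modem-7", "cve-2018-10561 "),
    ("legacy-x11", "CVE-1999-0526"),
    ("vpn-gw", "CVE-2024-90002"),
    ("printer-3", "CVE-2023-90003"),
    ("scanner-export", "CVE-2024-12"),
]

if __name__ == "__main__":
    findings, bad = triage(INVENTORY, KEV, OBSERVED)
    for f in findings:
        flags = ("legacy " if f.legacy else "") + ("not-in-KEV" if f.kev_gap else "")
        print(f"tier {f.tier}  {f.cve:<16} {f.host:<12} {flags}")
    print("malformed:", bad)
```

Entries returned in the malformed list need manual review, since an ID that fails validation would otherwise never match either feed and would look unexploited.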
## References
- Vendor advisories for specific vendors mentioned (Dasan, Ivanti, D-Link, VMware).
- GreyNoise 2025 Mass Internet Exploitation Report: `https://www.greynoise.io/blog/2025-mass-internet-exploitation-report`
- Article Source: `https://www.infosecurity-magazine.com/news/old-vulnerabilities-widely/`