In the weeks before technology vendors disclose new software vulnerabilities, hackers sometimes stumble upon the flaws and begin exploiting them prior to customers even knowing there’s a problem.
In a report published on Monday, the internet intelligence firm GreyNoise revealed that roughly half of the scanning and exploitation activity surges it tracked between mid-December 2025 and late March 2026 were followed, within the next three weeks, by vulnerability disclosures from the targeted vendors.
Nearly two-thirds of the activity surges led to vulnerability disclosures within six weeks, according to the report.
“Scanning and exploit activity targeting specific vendors consistently rose before those same vendors disclosed new CVEs,” GreyNoise said.
There was a surge of exploitation of a severe Cisco vulnerability — one that prompted a rare emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) — as early as 39 days before Cisco disclosed the flaw, according to the report. A similarly critical VMware vulnerability saw exploitation 36 days before disclosure, and a major MikroTik vulnerability saw exploitation 24 days before disclosure. GreyNoise also discovered similarly early exploitation of other high-severity flaws from Juniper, SonicWall and Ivanti.
In the case of the Cisco flaw, GreyNoise saw five exploitation surges over the final 18-day period preceding disclosure, with the number of IP addresses plummeting between surges, even as the number of sessions increased — a phenomenon GreyNoise said was “consistent with a shift from broad reconnaissance to dedicated operators hammering specific targets.”
One potential bright spot emerged from the data: “The highest-severity threats tend to generate substantial probing activity and meaningful lead times,” according to the report.
GreyNoise gathered its data by analyzing scans, brute-force login attempts, remote-code-execution probes and other attacks against products from 18 edge device and network infrastructure vendors over a 103-day period. The security firm evaluated both the volume (in terms of unique sessions) and the breadth (in terms of unique IP addresses) of the activity. Each multiday period of above-average activity targeting a specific product constituted a “spike event.”
An early warning
The median amount of time between a surge of exploitation and a vulnerability disclosure was 11 days, which GreyNoise noted could be a significant “head start” for companies that learned about the surge. (GreyNoise sells threat intelligence that includes information about such activity.) “Eleven days is enough time to brief leadership, stage a patch, and harden exposed systems before the rest of the world learns the vulnerability exists,” the company said.
Not all activity is equally predictive
GreyNoise’s report breaks down the type of activity that it observed in each surge and how often the targeted vendor later disclosed a vulnerability. The company saw 42 instances of scanning, with 57% of them leading to vulnerability disclosures; 18 brute-force attempts, with 56% leading to disclosures; and 12 attempts to execute remote code, with 42% leading to disclosures.
The techniques were associated with different lead times — scanning typically occurred further back from vulnerability disclosure than brute-force and remote-code-execution attempts, which GreyNoise noted was “consistent with later-stage activity, where attackers have already identified their targets and are trying to get in.”
Scanning was also more likely to be widely dispersed across IP addresses, with each one responsible for only a few sessions, whereas later-stage activity was more concentrated, with a small number of IP addresses each registering a large number of sessions.
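The spike-event method described above (volume as unique sessions, breadth as unique IP addresses, multiday runs of above-average activity) and the dispersed-versus-concentrated pattern can be sketched in a few lines of Python. This is an added example, not GreyNoise's code or data: the product name, the sample rows, the two-day minimum and the sessions-per-IP cutoff are all assumptions.

```python
from collections import defaultdict
from statistics import mean

PRODUCT = "example-edge-vpn"  # hypothetical product name
# Constructed sample rows (day, product, source IP, sessions); not GreyNoise data.
RECORDS = [(d, PRODUCT, "198.51.100.1", 5) for d in range(10)]           # background
RECORDS += [(d, PRODUCT, f"203.0.113.{i}", 2)                            # broad scan
            for d in (2, 3) for i in range(50)]
RECORDS += [(5, PRODUCT, "198.51.100.7", 120)]                           # one-day bump
RECORDS += [(d, PRODUCT, ip, 100)                                        # few busy IPs
            for d in (7, 8) for ip in ("192.0.2.10", "192.0.2.11")]


def spike_events(records, product, days, min_len=2, concentrated_at=20):
    """Find multiday runs of above-average daily sessions for one product.

    min_len and concentrated_at are illustrative assumptions, not values
    taken from the report.
    """
    volume = defaultdict(int)    # day -> total sessions (volume)
    sources = defaultdict(set)   # day -> source IPs seen (breadth)
    for day, prod, ip, count in records:
        if prod == product:
            volume[day] += count
            sources[day].add(ip)
    baseline = mean(volume[d] for d in range(days))
    events, run = [], []
    for d in range(days + 1):    # one extra pass flushes a trailing run
        if d < days and volume[d] > baseline:
            run.append(d)
            continue
        if len(run) >= min_len:  # single-day bumps are not spike events
            sessions = sum(volume[x] for x in run)
            ips = len(set().union(*(sources[x] for x in run)))
            shape = "concentrated" if sessions / ips >= concentrated_at else "dispersed"
            events.append({"start": run[0], "end": run[-1],
                           "sessions": sessions, "ips": ips, "shape": shape})
        run = []
    return events


if __name__ == "__main__":
    for event in spike_events(RECORDS, PRODUCT, days=10):
        print(event)
```

On the constructed rows, the broad scan and the later run from a handful of addresses both register as spike events with opposite shapes, while the one-day bump on day 5 is ignored because it is not multiday.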