Posted On February 25, 2026

Edge Systems Under Siege:


3 Billion Exploitation Attempts Target VPNs, Routers, and AI Servers in 2025

The second half of 2025 saw an unprecedented surge in internet-wide cyberattacks, with edge infrastructure absorbing the majority of malicious traffic. According to new data from GreyNoise, nearly 3 billion malicious sessions were recorded over just 162 days between July 23 and December 31, 2025.

That averages 212 malicious sessions per second — a staggering figure that highlights how aggressively threat actors are targeting systems exposed to the public internet.

VPNs, Routers, and Remote Access Services Lead Attack Targets

Most exploitation attempts were directed at consumer routers, Remote Desktop services, and enterprise VPN gear: network boundary systems that, once compromised, offer direct access to the internal network. Enterprise VPN products from Cisco, Fortinet, and Palo Alto Networks each attracted millions of malicious sessions.

Notably, Palo Alto GlobalProtect emerged as the most targeted platform, with 16.7 million sessions recorded — surpassing Cisco and Fortinet SSL VPN traffic combined. Much of this activity involved large-scale login scanning and exploitation attempts tied to CVE-2020-2034, a long-standing PAN-OS injection vulnerability that remains active in attack campaigns.

On the consumer side, routers from MikroTik and ASUS were repeatedly probed. Meanwhile, SSH (Port 22) dominated all protocols, generating more than 639 million malicious sessions alone. Remote Desktop services also faced sustained credential spraying and brute-force attempts.

The concentration on VPN compromise reflects a clear strategy: gain initial access at the network edge, then pivot internally.

Infrastructure Clustering Creates Blocking Opportunities

Interestingly, malicious activity was heavily concentrated among a small group of hosting providers. One autonomous system — UCLOUD (ASN AS135377) — accounted for 392 million malicious sessions, or 14% of total observed traffic. That figure exceeded activity from major cloud platforms combined.

The top five ASNs were responsible for roughly 30% of all malicious sessions, creating opportunities for organizations to apply ASN-level blocking during active campaigns.

A similar clustering pattern was observed in exploitation attempts tied to CVE-2025-55182, a React Server Components remote code execution (RCE) flaw. Nearly half of related traffic originated from MEVSPACE (ASN AS201814). Shared JA4H fingerprints suggested centralized tooling behind thousands of distributed IP addresses.
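The two observations above, a handful of ASNs carrying a large share of sessions and one JA4H fingerprint reappearing across thousands of IPs, are the kind of aggregation a defender can run over their own sensor or firewall data. The script below is an added illustration written for this article, not GreyNoise's code or data: the session records, the JA4H stand-in tokens (`fp_tool_a` and friends), and the IP addresses (TEST-NET-3) are constructed; AS135377 and AS201814 are the ASNs named in the report, and AS64500 to AS64505 come from the documentation range reserved by RFC 5398.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One malicious session as a sensor might record it (constructed fields)."""
    src_ip: str
    asn: str    # origin autonomous system, e.g. "AS135377"
    ja4h: str   # HTTP client fingerprint; constructed stand-in tokens here


def _mk(asn: str, ja4h: str, count: int, first_octet: int) -> list[Session]:
    """Build `count` sessions from consecutive TEST-NET-3 addresses (constructed data)."""
    return [Session(f"203.0.113.{first_octet + i}", asn, ja4h) for i in range(count)]


# Constructed sample of 20 sessions. AS135377 and AS201814 are the ASNs named in the
# report; AS64500-AS64505 come from the documentation range reserved by RFC 5398.
SESSIONS: list[Session] = (
    _mk("AS135377", "fp_tool_a", 6, 1)
    + _mk("AS201814", "fp_tool_a", 4, 7)
    + _mk("AS64500", "fp_browser_x", 3, 11)
    + _mk("AS64501", "fp_browser_x", 2, 14)
    + _mk("AS64502", "fp_browser_y", 2, 16)
    + _mk("AS64503", "fp_browser_y", 1, 18)
    + _mk("AS64504", "fp_browser_y", 1, 19)
    + _mk("AS64505", "fp_browser_y", 1, 20)
)


def asn_shares(sessions: list[Session]) -> dict[str, float]:
    """Fraction of all sessions originating from each ASN."""
    counts = Counter(s.asn for s in sessions)
    total = len(sessions)
    return {asn: n / total for asn, n in counts.items()}


def top_n_share(sessions: list[Session], n: int = 5) -> float:
    """Combined share of the n most active ASNs (the report's 'top five' figure)."""
    shares = sorted(asn_shares(sessions).values(), reverse=True)
    return sum(shares[:n])


def asns_over_threshold(sessions: list[Session], threshold: float) -> list[str]:
    """ASNs whose share meets the threshold, most active first: candidates for a
    temporary ASN-level block while a campaign is active."""
    shares = asn_shares(sessions)
    hot = [(share, asn) for asn, share in shares.items() if share >= threshold]
    return [asn for share, asn in sorted(hot, key=lambda t: (-t[0], t[1]))]


def fingerprint_spread(sessions: list[Session]) -> dict[str, int]:
    """Distinct source IPs per client fingerprint. One fingerprint spread across many
    IPs (and several ASNs) points to a single tool driving a distributed campaign."""
    ips: dict[str, set[str]] = defaultdict(set)
    for s in sessions:
        ips[s.ja4h].add(s.src_ip)
    return {fp: len(v) for fp, v in ips.items()}


if __name__ == "__main__":
    for asn, share in sorted(asn_shares(SESSIONS).items(), key=lambda t: -t[1]):
        print(f"{asn:10s} {share:5.1%}")
    print(f"top-5 share: {top_n_share(SESSIONS):.1%}")
    print("block candidates (>=12%):", asns_over_threshold(SESSIONS, 0.12))
    print("distinct IPs per fingerprint:", fingerprint_spread(SESSIONS))
```

An ASN-level block is a blunt instrument, so the threshold and the block should both be temporary and tied to the campaign window; the fingerprint spread is the more durable signal, because a rotated IP pool still carries the same tooling fingerprint.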

Residential Botnets Bypass Traditional Security Controls

Credential spraying against U.S.-based Remote Desktop services escalated dramatically — expanding from 2,000 to 300,000 participating IP addresses in just 72 days.

Alarmingly, 73% of those IP addresses were residential, primarily located in Brazil and Argentina. Many showed no previous malicious history, reducing the effectiveness of IP reputation scoring and geo-blocking strategies.

Rather than hammering a target from a single source, attackers spread login attempts across hundreds of thousands of household and small-business connections. Because each IP address sends very little traffic, the campaign stays under per-source detection thresholds while retaining its overall scale.
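The dispersal described above is exactly what defeats a per-IP lockout or alert threshold, and the fix is to count on the other axis: how many distinct sources are failing against the same account in a window. The script below is an added example written for this article, not GreyNoise's data or any vendor's detection rule; the log lines and their `auth_failed user=... src=...` format are constructed for a hypothetical RDP gateway, and the IP addresses come from the TEST-NET-2 and TEST-NET-3 documentation ranges.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical RDP gateway (not a real product format):
# "<iso-timestamp> <host> <result> user=<account> src=<ip>"
LOG = """\
2025-10-01T12:00:05Z rdp-gw auth_failed user=svc-backup src=198.51.100.11
2025-10-01T12:01:10Z rdp-gw auth_failed user=alice src=203.0.113.40
2025-10-01T12:01:52Z rdp-gw auth_failed user=svc-backup src=198.51.100.12
2025-10-01T12:02:30Z rdp-gw auth_failed user=bob src=198.51.100.50
2025-10-01T12:03:14Z rdp-gw auth_failed user=svc-backup src=198.51.100.13
2025-10-01T12:03:40Z rdp-gw auth_failed user=bob src=198.51.100.50
2025-10-01T12:04:21Z rdp-gw auth_failed user=svc-backup src=198.51.100.14
2025-10-01T12:04:59Z rdp-gw auth_ok user=alice src=203.0.113.40
2025-10-01T12:05:33Z rdp-gw auth_failed user=svc-backup src=198.51.100.15
2025-10-01T12:06:02Z rdp-gw auth_failed user=bob src=198.51.100.50
2025-10-01T12:06:48Z rdp-gw auth_failed user=svc-backup src=198.51.100.16
2025-10-01T12:07:55Z rdp-gw auth_failed user=svc-backup src=198.51.100.17
2025-10-01T12:09:03Z rdp-gw auth_failed user=svc-backup src=198.51.100.18
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (auth_failed|auth_ok) user=(\S+) src=(\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    result: str
    user: str
    src_ip: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, result, user, src = m.groups()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(stamp, host, result, user, src))
    return events


def per_ip_failures(events: list[AuthEvent], threshold: int = 5) -> dict[str, int]:
    """Classic per-source rule: IPs with at least `threshold` failures.
    A dispersed spray keeps every source below this bar, so it returns nothing."""
    counts = Counter(e.src_ip for e in events if e.result == "auth_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_spray(events: list[AuthEvent],
                      window: timedelta = timedelta(minutes=15),
                      min_sources: int = 5) -> dict[str, int]:
    """Per-target rule: for each account, the largest number of distinct source IPs
    that failed within any sliding `window`; accounts at or above `min_sources`
    are flagged. This catches the spray the per-IP rule misses."""
    by_user: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        if e.result == "auth_failed":
            by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()   # src_ip -> failures inside the window
        best, j = 0, 0
        for i, start in enumerate(evs):
            # extend the window end to cover every event within `window` of `start`
            while j < len(evs) and evs[j].ts - start.ts <= window:
                in_window[evs[j].src_ip] += 1
                j += 1
            best = max(best, len(in_window))
            # slide the window start past this event
            in_window[start.src_ip] -= 1
            if in_window[start.src_ip] == 0:
                del in_window[start.src_ip]
        if best >= min_sources:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("per-IP rule (>=5):", per_ip_failures(evs, 5))
    print("per-target rule:", distributed_spray(evs))
```

On the sample, the per-IP rule at a threshold of 5 flags nothing (no source fails more than three times), while the per-target rule flags `svc-backup` with eight distinct sources in under ten minutes. In production the same aggregation is worth running per target account, per target host, and globally (failures per minute across all sources), since a spray against many accounts can stay below the per-account bar too.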

Fresh Infrastructure Fuels High-Severity Exploits

Higher-impact threats such as remote code execution (RCE), SQL injection, and authentication bypass attacks frequently originated from newly observed infrastructure. More than half of RCE traffic came from IP addresses not previously seen in sensor data.

This rotation strategy suggests threat actors are deliberately deploying fresh infrastructure for high-value attacks while using known assets for reconnaissance and lower-severity probing.

AI Servers Join the Expanding Edge Attack Surface

Large Language Model (LLM) infrastructure has now entered routine scanning cycles. Tens of thousands of sessions targeted Ollama inference servers, including coordinated endpoint enumeration campaigns.

Separate research revealed approximately 175,000 exposed Ollama servers across 100+ countries, many publicly advertising tool-calling APIs. As AI adoption accelerates, AI server security is rapidly becoming a new frontier in cybersecurity defense.

The Growing Importance of Edge Security in 2026

The scale, coordination, and infrastructure rotation observed in late 2025 confirm a critical reality: edge security is now central to cybersecurity strategy.

Internet-facing devices, including consumer routers, enterprise VPNs, and AI inference servers, remain prime targets for initial access. To counter increasingly dispersed and automated attack campaigns, organizations must strengthen patch management, enforce multi-factor authentication (MFA), deploy real-time threat intelligence, and adopt adaptive detection tactics.
The network edge is no longer just a gateway; it is the front line of today's threat landscape.
