Attackers Exploit Flaws Weeks Before CVEs Are Published, Report Finds

Report Finds Vulnerability Exploitation Surges Weeks Before Public Disclosure

Severity: HIGH
April 20, 2026
Threat Intelligence · Vulnerability · Security Operations

Executive Summary

A new research report from internet intelligence company GreyNoise reveals that threat actors frequently begin exploiting software vulnerabilities weeks before those flaws are publicly disclosed and assigned a CVE (Common Vulnerabilities and Exposures) identifier. The study, which analyzed internet-wide scanning and attack traffic, found a strong correlation between unexplained surges in activity targeting specific products and a subsequent vulnerability announcement from the vendor. This pattern suggests that many 'zero-day' vulnerabilities are discovered and weaponized by attackers well before the public, and often the affected vendor and the wider security community, are aware of them. For defenders, the finding cuts both ways: it confirms that attackers have a significant head start, but it also presents an opportunity. By monitoring for these anomalous traffic patterns, security teams can gain early warning of an impending vulnerability disclosure and take proactive defensive measures.

Threat Overview

The report, published on April 20, 2026, analyzed activity from mid-December 2025 to late March 2026. It identified a recurring pattern where a spike in scanning or exploitation attempts targeting a specific vendor's products was a precursor to a CVE announcement. In about 50% of the cases studied, a surge in activity was followed by a relevant CVE disclosure within three weeks.

Key examples cited in the report include:

  • A critical Cisco vulnerability was actively exploited for 39 days before its official disclosure.
  • A major VMware flaw saw exploitation 36 days prior to its public announcement.
  • A significant MikroTik vulnerability was being used in attacks 24 days in advance.

This pre-disclosure window gives attackers ample time to conduct reconnaissance, compromise targets, and establish persistence before defenders are even aware a vulnerability exists. The research also noted similar patterns for products from Juniper, SonicWall, and Ivanti, indicating this is a widespread phenomenon across the technology landscape.

Technical Analysis

The core of GreyNoise's research relies on analyzing mass scanning data from its global sensor network. The methodology involves:

  1. Baseline Establishment: Continuously monitoring and baselining normal internet background noise and scanning traffic for thousands of products and services.
  2. Anomaly Detection: Identifying statistically significant deviations from this baseline. A surge is flagged when scanning or attack traffic for a specific product (e.g., a SonicWall VPN) increases dramatically without a clear public explanation.
  3. Correlation: Correlating these detected surges with subsequent CVE publications from the targeted vendors.

The threat actors involved in this pre-disclosure activity are likely a mix of sophisticated state-sponsored groups with vulnerability research capabilities and initial access brokers who discover or purchase zero-day exploits to sell to ransomware gangs. The initial activity often involves T1595 - Active Scanning to identify vulnerable instances across the internet, followed by exploitation using techniques like T1190 - Exploit Public-Facing Application.

Impact Assessment

The primary impact of this phenomenon is that traditional vulnerability management programs, which are often reactive and triggered by CVE announcements, are fundamentally behind the curve. By the time a patch is developed and an organization's patching cycle begins, attackers may have already been inside the network for weeks. This reality necessitates a shift towards more proactive, threat-informed defense strategies. Organizations that rely solely on waiting for CVEs and patches are exposed to a significant window of risk. The business impact includes a higher likelihood of successful breaches, longer attacker dwell times, and increased difficulty in scoping and remediating incidents because the initial point of entry may be obscured by the time the breach is discovered.

Detection & Response

Leveraging these findings requires a shift in security operations focus.

  • Proactive Traffic Monitoring: Organizations should monitor inbound network traffic for unusual spikes in scanning or connection attempts targeting their public-facing appliances and services. This is a core principle of D3FEND Network Traffic Analysis (D3-NTA). Tools like GreyNoise or even internal flow data analysis can help identify these anomalies.
  • High-Fidelity Alerting: When a surge in scanning is detected against a specific product (e.g., your Ivanti VPN), even without a known CVE, this should be treated as a high-fidelity alert. Security teams should immediately increase monitoring on those devices, check for signs of compromise, and prepare for a potential zero-day scenario.
  • Threat Intelligence Integration: Consume threat intelligence that focuses on pre-CVE indicators. Services that report on anomalous internet scanning activity can provide the early warning needed to pivot defensive resources effectively.
  • Assume Breach Mentality: When a CVE is finally announced for a product that was previously flagged with anomalous scanning, assume that those systems may already be compromised. Initiate incident response and threat hunting procedures immediately, rather than simply starting the patching process. This includes D3FEND Decoy Environment (D3-DE) deployment to detect lateral movement.
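The baseline, anomaly detection and correlation steps in the Technical Analysis section and the proactive monitoring and high-fidelity alerting bullets above describe the same computation from two sides: the intelligence provider runs it over sensor data and matches surges to later CVE dates, while a defender runs it over their own perimeter flow or firewall logs to decide whether a spike against an appliance deserves an alert today. The Python below is an added example, not GreyNoise's code or tooling. The product names, CVE labels and daily counts are constructed for the illustration; the detector is a plain trailing-window median/MAD test with ratio and floor guards so a quiet product does not alert on a handful of extra sources.

```python
"""Added example (not GreyNoise's code): flag surges in scanning volume against a
product and measure how far each surge led a later CVE publication.

All product names, CVE labels and daily counts below are constructed for the
example; the detector itself is a plain trailing-window median/MAD test."""
from datetime import date, timedelta
from statistics import median


def detect_surges(series, window=14, k=5.0, min_ratio=3.0, floor=20):
    """Return surge episodes from a date-sorted list of (date, count) pairs.

    A day is anomalous when its count exceeds the trailing-window median by
    more than k median absolute deviations AND by a factor of min_ratio, and
    is above `floor`. The ratio and floor guards keep a quiet product (MAD of
    0 or 1, median near zero) from alerting on a few extra sources.
    Consecutive anomalous days are merged into one episode.
    """
    episodes, current = [], None
    for i in range(window, len(series)):
        day, count = series[i]
        past = [c for _, c in series[i - window:i]]
        med = median(past)
        mad = median(abs(c - med) for c in past)
        threshold = max(med + k * mad, min_ratio * med, floor)
        if count > threshold:
            if current is None:
                current = {"start": day, "end": day, "peak": count, "baseline": med}
            else:
                current["end"] = day
                current["peak"] = max(current["peak"], count)
        elif current is not None:
            episodes.append(current)
            current = None
    if current is not None:
        episodes.append(current)
    return episodes


def correlate_with_cves(episodes, cves, max_lead_days=21):
    """Pair each episode with the first CVE published on or after its start.

    cves is a list of (label, published_date) for the same product. Each
    returned record carries lead_days (None if no CVE followed) and whether
    the lead falls inside the max_lead_days window (three weeks, as in the report).
    """
    results = []
    for ep in episodes:
        later = [(label, d) for label, d in cves if d >= ep["start"]]
        if not later:
            results.append({**ep, "cve": None, "lead_days": None, "within_window": False})
            continue
        label, published = min(later, key=lambda item: item[1])
        lead = (published - ep["start"]).days
        results.append({**ep, "cve": label, "lead_days": lead,
                        "within_window": lead <= max_lead_days})
    return results


def constructed_series(start=date(2025, 12, 15), days=80, surge_day=30):
    """Constructed sample: distinct scanning sources per day for one product.
    Quiet days cycle through 8-12; a five-day burst begins at surge_day."""
    burst = [60, 75, 90, 80, 40]
    series = []
    for i in range(days):
        count = 8 + (i * 7) % 5
        if surge_day <= i < surge_day + len(burst):
            count = burst[i - surge_day]
        series.append((start + timedelta(days=i), count))
    return series


def demo():
    """Run two constructed products through detection and correlation."""
    products = {
        # surge starts 2026-01-14; hypothetical CVE lands 36 days later
        "example-vpn-a": (constructed_series(surge_day=30),
                          [("hypothetical-cve-A", date(2026, 2, 19))]),
        # surge starts 2026-02-03; hypothetical CVE lands 10 days later
        "example-vpn-b": (constructed_series(surge_day=50),
                          [("hypothetical-cve-B", date(2026, 2, 13))]),
    }
    return {name: correlate_with_cves(detect_surges(series), cves)
            for name, (series, cves) in products.items()}


if __name__ == "__main__":
    for name, records in demo().items():
        for r in records:
            print(f"{name}: surge {r['start']}..{r['end']} peak={r['peak']} "
                  f"baseline={r['baseline']} cve={r['cve']} lead={r['lead_days']}d "
                  f"within_3_weeks={r['within_window']}")
```

For defender use, feed `detect_surges` the daily count of distinct external sources hitting a single public-facing appliance (from flow records or firewall logs) and alert when the most recent day falls inside an episode; the `window`, `k` and `min_ratio` knobs should be tuned per product against a few weeks of your own history, since a VPN concentrator and a rarely-touched management port have very different baselines.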

Mitigation

While it's impossible to patch a vulnerability that hasn't been disclosed, organizations can still take steps to mitigate the risk.

  1. Reduce Attack Surface: Minimize the exposure of management interfaces for security appliances and other critical systems. Use a D3FEND Network Isolation (D3-NI) strategy to ensure they are not directly accessible from the internet.
  2. Implement Compensating Controls: Use a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) in front of critical applications. While they may not have a specific signature for the zero-day, they can often block common exploit classes like SQL injection or path traversal.
  3. Behavioral-Based Detection: Focus on detecting post-exploitation behavior rather than only the initial exploit. Monitor for unusual processes, network connections, or account activity on critical servers. This aligns with the MITRE ATT&CK mitigation Behavior Prevention on Endpoint (M1040).
  4. Accelerate Patching for High-Risk Products: When a patch for a previously targeted product is released, it should be treated with the highest priority, as exploitation is not theoretical but has already been occurring.

Timeline of Events

  1. December 15, 2025: Start of the analysis period for the GreyNoise report.
  2. March 31, 2026: End of the analysis period for the GreyNoise report.
  3. April 20, 2026: GreyNoise publishes its report on pre-disclosure exploitation.
  4. April 20, 2026: This article is published.

MITRE ATT&CK Mitigations

Audit (M1047, Enterprise)

  • Implement comprehensive logging and analysis of network traffic to detect anomalous scanning and access patterns.
  • Reduce the attack surface by restricting access to management interfaces and other non-essential services from the internet.
  • Focus on detecting anomalous behavior on endpoints rather than relying solely on signature-based detection of initial exploits.
  • Use IPS/IDS systems to monitor for and potentially block suspicious traffic patterns, even without specific vulnerability signatures.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

GreyNoise · Zero-Day · Vulnerability Disclosure · Threat Intelligence · Proactive Defense · Scanning
