Are IoT and Router Vulnerability Scans the New Normal for 2025?

The digital landscape is witnessing an unprecedented rise in vulnerability scanning attacks targeting internet-connected devices, causing considerable concern among cybersecurity experts and users alike. According to F5 Labs’ February 2025 Sensor Intel Series report, there was an astonishing 91% increase in vulnerability scanning activities in 2024 compared to the previous year. This marks the largest year-over-year surge observed in recent history. This dramatic escalation affects a range of vulnerabilities and attack vectors, indicating that a broad spectrum of threats is at play. Despite initial investigations suggesting that the massive scanning for CVE-2023-1389, a TP-Link Archer AX21 router vulnerability, might be skewing the numbers, the overall volume of attacks remained significantly high even after isolating this specific threat.

The surge in attacks is particularly alarming for consumer-grade routers and IoT devices, which accounted for a notable 42% of all identified CVE-related traffic. Command injection vulnerabilities in consumer devices are heavily targeted: CVE-2024-3721, which affects TBK DVR models, showed a sharp increase in targeted activity in January 2025. The infrastructure behind these attacks primarily originates from commercial hosting providers rather than botnets formed by compromised consumer devices. An analysis revealed that a substantial 75% of scans came from just 20 Autonomous System Numbers (ASNs), mainly belonging to hosting providers. This pattern underscores attackers’ preference for the greater bandwidth and stability provided by commercial services, as seen with Lithuania-based UAB Host Baltic, which accounted for nearly 20% of observed traffic from a mere 62 IP addresses.

A New Breed of Attacks

The emergence of these sophisticated vulnerability scanning attacks marks a significant shift in the cybersecurity landscape. Unlike previous threats that predominantly relied on botnets from compromised consumer devices, these new attacks leverage commercial hosting providers for their infrastructure. This shift complicates mitigation efforts due to the greater bandwidth and stability these services provide to attackers. Hosting providers are becoming unwitting accomplices, providing the necessary resources for attackers to launch extensive vulnerability scans with unprecedented efficiency. Some hosting providers have begun to address these malicious activities, but considerable efforts are still required to stem the tide and mitigate the growing threat.

IoT devices and consumer-grade routers have become prime targets for these scanning attacks, with a substantial portion of CVE-related traffic directed towards them. The focus on command injection vulnerabilities is particularly concerning, as these flaws allow attackers to execute arbitrary commands on the device, potentially gaining control or disrupting its functionality. The rising activity targeting CVE-2024-3721, impacting TBK DVR models, in January 2025 exemplifies this trend. The consequences of such vulnerabilities can be severe, affecting home users and businesses alike. Protecting these devices is thus paramount, as they form an integral part of the modern digital ecosystem.

The Road Ahead for Cybersecurity

The digital landscape faces a significant rise in vulnerability scanning attacks on internet-connected devices, raising concerns for cybersecurity experts and users alike. As reported by F5 Labs’ February 2025 Sensor Intel Series, vulnerability scanning activities surged by a staggering 91% in 2024 compared to the previous year. This marks the largest year-over-year increase in recent history. The spike suggests a range of vulnerabilities and attack vectors are being targeted.

Initially, it appeared that heavy scanning of the CVE-2023-1389 TP-Link Archer AX21 router vulnerability was skewing results. However, even after isolating this case, the overall attack volume remained alarmingly high. Consumer-grade routers and IoT devices are particularly at risk, comprising 42% of identified CVE-related traffic. Command injection vulnerabilities, such as CVE-2024-3721 affecting TBK DVR models, have seen increased activity since January 2025.

Most attacks are traced to commercial hosting providers rather than compromised consumer devices. An analysis found 75% of scans originated from just 20 ASNs, showing attackers’ preference for the bandwidth and stability of commercial services like Lithuania-based UAB Host Baltic, which was responsible for nearly 20% of observed traffic from just 62 IP addresses.
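The ASN concentration figures above can be reproduced against a defender's own sensor or firewall logs. The following is an added example, not code from F5 Labs or from the original article: it ranks source ASNs by share of scan traffic, computes the top-N share, and separates hosting-style sources (few IPs, heavy traffic per IP) from botnet-style ones. The event data, ASNs (documentation range 64496-64511), IP addresses and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address


def sample_events():
    """Constructed (source_ip, asn) scan events; not real observations."""
    plan = [  # (asn, first_ip, distinct_ips, hits_per_ip)
        (64500, "198.51.100.1", 4, 50),  # hosting-like: few IPs, heavy traffic
        (64501, "203.0.113.1", 5, 20),
        (64502, "192.0.2.1", 60, 1),     # botnet-like: many IPs, light traffic
        (64503, "192.0.2.101", 40, 1),
    ]
    events = []
    for asn, first, n_ips, per_ip in plan:
        base = int(ip_address(first))
        for i in range(n_ips):
            events += [(str(ip_address(base + i)), asn)] * per_ip
    return events


def asn_profile(events):
    """Per-ASN hits, traffic share, distinct IPs and hits per IP, busiest first."""
    hits = Counter(asn for _, asn in events)
    ips = defaultdict(set)
    for ip, asn in events:
        ips[asn].add(ip)
    total = sum(hits.values())
    return [
        {"asn": asn, "hits": n, "share": n / total,
         "ips": len(ips[asn]), "hits_per_ip": n / len(ips[asn])}
        for asn, n in hits.most_common()
    ]


def top_n_share(rows, n):
    """Fraction of all scan events that came from the n busiest ASNs."""
    return sum(r["share"] for r in rows[:n])


def concentrated_sources(rows, min_share=0.10, min_hits_per_ip=10):
    """ASNs with a large traffic share from few IPs: candidates for
    ASN-level rate limiting or an abuse report to the provider.
    Both thresholds are assumed values to tune per environment."""
    return [r["asn"] for r in rows
            if r["share"] >= min_share and r["hits_per_ip"] >= min_hits_per_ip]


if __name__ == "__main__":
    rows = asn_profile(sample_events())
    for r in rows:
        print(f"AS{r['asn']}: {r['share']:.0%} of scans from {r['ips']} IPs")
    print("top-2 share:", top_n_share(rows, 2))
    print("concentrated:", concentrated_sources(rows))
```

In real use, the (source_ip, asn) pairs would come from enriching log source addresses with an IP-to-ASN dataset before calling asn_profile.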
