Trouble on the edge: Resurgent vulnerabilities & edge devices
Resurgent vulnerabilities pose an unorthodox threat to cyber defense, complicating how defenders patch vulnerabilities and detect emerging threats. These vulnerabilities, which can resurface after extended periods of inactivity, are more than just a technical challenge; they are a strategic weakness actively exploited by opportunistic attackers from every corner of the internet.
Recent research from GreyNoise Intelligence indicates that resurgent vulnerabilities disproportionately impact edge technologies - entry points into networks that, when compromised, can lead to significant disruption, exposure of sensitive information, and adversarial persistence in vital systems.
Four Types of Vulnerabilities: A Behavioural Taxonomy
GreyNoise analyzed a dataset of known exploited vulnerabilities (KEVs) in internet-exposed systems published between 2010 and 2020, and determined there are four main categories, each exhibiting a unique set of characteristics:
- Eternal (non-resurgent) vulnerabilities are characterized by consistent, ongoing exploitation with little fluctuation over time, and are continuously targeted by many IPs, showing persistent activity throughout the observed period. Eternal vulnerabilities often experience near-instantaneous targeting once the system becomes exposed to the internet, with a barrage of IP addresses and little to no dormancy in activity over time. Consequently, organizations tend to prioritize defenses around them. Example: CVE-2017-5638 (Apache Struts Remote Code Execution). This vulnerability gained global attention when it was exploited in the Equifax breach, impacting millions of individuals. Eight years later, GreyNoise continues to observe opportunistic activity against this vulnerability.
- Utility (resurgent) vulnerabilities are regularly exploited, but not constantly, reflecting ongoing relevance with occasional lulls. Defenders might deprioritize them during quiet periods, leaving gaps when activity surges again. Example: CVE-2020-5902 (F5 BIG-IP TMUI RCE). This vulnerability experiences frequent exploitation, with few periods of inactivity. The flaw was targeted quickly after disclosure, but now exhibits resurgent behavior, presenting a dual challenge for defenders tasked with effectively prioritizing remediation efforts.
- Periodic (resurgent) vulnerabilities have recurring patterns of exploitation. They are targeted in bursts, with clear but unpredictable intervals between each spike, indicating cyclical or campaign-driven exploitation. Their irregular but recurring nature makes it challenging to predict the next wave, leading to potential complacency during inactive periods. Example: CVE-2019-3396 (Atlassian Confluence Template Injection). Following a periodic pattern, GreyNoise continues to observe opportunistic activity against the flaw - ebbing and flowing in an unpredictable fashion that makes it difficult to prioritize.
- Black Swan (resurgent) vulnerabilities are mostly dormant, showing little to no activity for extended periods. However, they occasionally resurface with brief, sporadic exploitation, making their occurrence highly unpredictable. Their sudden and unexpected resurgence can catch defenders off guard, as these vulnerabilities often appear irrelevant until they become active again. Example: CVE-2018-0171 (Cisco IOS XE Remote Code Execution). This edge flaw exemplifies the Black Swan pattern. GreyNoise observes sporadic attacker interest in CVE-2018-0171 - typically dormant, then suddenly reappearing.
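The four behaviours above, sketched as an added example (not GreyNoise's code or method): a classifier over one CVE's daily count of unique source IPs, plus a check for activity resuming after a dormant stretch. The thresholds, the 30-day dormancy window and the sample series are assumptions constructed for illustration; the research as summarized here gives no numeric cut-offs.

```python
# Added example: thresholds are assumptions, not GreyNoise's published method.
ETERNAL_MIN = 0.90      # active on nearly every observed day
UTILITY_MIN = 0.50      # active more often than not, with lulls
BLACK_SWAN_MAX = 0.05   # dormant almost all of the time


def resurgences(daily_ips, min_dormancy=30):
    """Return day indexes where activity resumes after >= min_dormancy quiet days."""
    hits, quiet = [], 0
    for day, count in enumerate(daily_ips):
        if count > 0:
            if quiet >= min_dormancy:
                hits.append(day)
            quiet = 0
        else:
            quiet += 1
    return hits


def classify(daily_ips):
    """Map one CVE's daily unique-source-IP counts to a behaviour category."""
    if not daily_ips:
        raise ValueError("empty observation window")
    active_fraction = sum(1 for c in daily_ips if c > 0) / len(daily_ips)
    if active_fraction == 0:
        return "unobserved"
    if active_fraction >= ETERNAL_MIN:
        return "eternal"
    if active_fraction >= UTILITY_MIN:
        return "utility"
    if active_fraction <= BLACK_SWAN_MAX:
        return "black swan"
    return "periodic"


# Constructed 360-day series (illustrative, not real telemetry).
SAMPLES = {
    "steady":  [40] * 360,
    "lulls":   ([12] * 20 + [0] * 10) * 12,
    "bursts":  ([0] * 50 + [30] * 10) * 6,
    "dormant": [0] * 200 + [5] * 3 + [0] * 157,
}

if __name__ == "__main__":
    for name, series in SAMPLES.items():
        print(f"{name:8} {classify(series):10} resurged on days {resurgences(series)}")
```

The resurgence check is the part worth wiring into alerting: a vulnerability that classifies as dormant is exactly the one that gets deprioritized until the day activity resumes.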
The Edge Connection
Resurgent vulnerabilities clearly present distinct threats to digital infrastructure - and one of the key takeaways from this research lies in their close relationship with edge technologies, the very systems threat actors are increasingly using to gain deep and persistent access to networks and data.
GreyNoise's analysis revealed that resurgent vulnerabilities disproportionately affect edge technologies. Over 50% of the most exploited resurgent flaws - and nearly 70% of the most unpredictable vulnerabilities (Black Swan) - affect edge technologies. This pattern demonstrates the urgent need for proactive mitigation strategies, as the exploitation of resurgent vulnerabilities directly threatens organizational security.
Edge Black Swans combine an unorthodox behavior (resurgence) with a technology type increasingly targeted by both opportunistic and advanced state actors.
According to the 2025 Verizon Data Breach Investigations Report (DBIR), the exploitation of edge KEVs begins immediately, with the median time from disclosure to mass exploitation at zero days, in comparison with five days for all KEVs. Another striking finding - edge vulnerabilities were used in 22% of breaches involving vulnerability exploitation, an eightfold increase from 3% last year.
Consequently, defenders are starting to prioritize edge vulnerabilities faster and more frequently - 54% of edge KEVs were remediated (in comparison to 38% of all KEVs), with a median time of 32 days (in comparison to 38 days for all KEVs). Nevertheless, nearly one in three edge KEVs are left fully unremediated, representing the highest rate of non-remediation among CVEs and KEVs tracked by the DBIR.
Tips for Security Professionals
The following recommendations outline four essential steps security professionals should take to strengthen our defense against the resurgence phenomenon, particularly with respect to edge technologies:
- Enhance Real-Time Visibility into Edge Exploitation. With edge technologies becoming prime targets for opportunistic attackers, it is crucial to maintain visibility into real-time exploitation patterns. Incorporate threat intelligence solutions that provide real-time notice of resurgent activity, with accompanying metadata needed for proactive defense.
- Dynamically Block Threat IPs. Resurgence means attacker interest ebbs and flows, leaving static blocklists useless when new threat IPs begin re-exploiting a given flaw. Defenders must leverage dynamic blocklists grounded in primary-sourced data to effectively and accurately block threats without disrupting business operations.
- Strengthen Incident Response for Resurgent Threats. To account for the unpredictable nature of resurgent exploitation, build incident response protocols specifically for vulnerabilities in edge systems. Leverage real-time data from tools for faster detection and response when previously dormant vulnerabilities resurface.
- Leverage Real-Time Intelligence to Inform Patching Decisions. Rather than relying too heavily on severity scores, integrate intelligence that highlights current exploitation activity into your patching cadences. This approach ensures that patch prioritization is based on real-world data, helping defenders stay ahead of resurgent threats - particularly those affecting edge technologies.
Now is the time to confront the evolving threat landscape with decisive and informed action, strengthening organizational security with improved defensive measures and policy actions.
By understanding how and why resurgent vulnerabilities are exploited, we can build a more resilient cyber defense strategy - one that proactively addresses not just the known risks but also the unexpected.