GreyNoise researchers have observed a dramatic surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals.
Over the last 30 days, almost 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation.
The surge is said to have begun on March 17, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious.
“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging two to four weeks later.”
The activity appears to be linked to other PAN-OS reconnaissance-related tags such as PAN-OS Crawler, where a single spike was observed on 26 March 2025 involving 2,580 unique source IPs.
The researchers said the consistency of this activity suggests a planned approach to testing network defenses, potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals.
This isn’t the first time Palo Alto has been in the hot seat recently. Towards the end of November last year, more than 2,000 PAN-OS firewalls were targeted following the disclosure and patching of two security vulnerabilities earlier in the month—one of which is classified as critical.
Vulnerabilities Happen Sooner or Later
All software can and will be prone to security vulnerabilities, and attackers will always be interested in finding targets with exploitable known vulnerabilities, says Boris Cipot, Senior Security Engineer at Black Duck. “Palo Alto Networks PAN-OS is no exception in this case. All software will experience a vulnerability sooner or later, be it due to a programming mistake in the already complex software architecture, or due to a used OSS component where a researcher just identified a vulnerability.”
The bigger question, says Cipot, is how fast the affected software manufacturer will provide a solution for the vulnerability and how soon the affected software user will patch the issue. “PAN-OS had some vulnerabilities identified and reported to customers. Most of the Palo Alto customers have probably updated their PAN-OS systems and mitigated their vulnerabilities; however, this does not mean that everyone has. Therefore, the attackers are likely trying to see who has missed the mark and ‘forgot’ to do the necessary basic actions needed to keep their organization safe.”
Those basic actions (for any software) include applying security patches immediately to close vulnerabilities and, if no patch is available, following the manufacturer’s mitigation steps or restricting access to minimize risk.
Cipot also advises limiting management interface access to trusted internal addresses to reduce unauthorized entry, using monitoring tools to review system logs for suspicious activity, and conducting regular security audits to strengthen your security posture and address potential risks. Finally, leverage Software Composition Analysis (SCA) tools to track open-source components and detect vulnerabilities early.
Commitment to Gaining Unauthorized Access
The recent increase in suspicious login scanning aimed at Palo Alto Networks PAN-OS GlobalProtect gateways illustrates the ongoing threat from attackers looking to exploit vulnerabilities in network security devices, adds Eric Schwake, Director of Cybersecurity Strategy at Salt Security.
“This persistent activity, involving nearly 24,000 distinct IP addresses, highlights the attackers’ commitment to gaining unauthorized access. Security teams need to understand that while perimeter defenses are important, they are not invulnerable. Consequently, organizations should adopt a multi-layered security strategy that goes beyond conventional perimeter controls. This means closely monitoring API traffic, as these gateways often expose APIs for management and authentication. It is vital to govern API security posture to ensure these interfaces are securely configured, with robust authentication and authorization measures in place,” Schwake adds.
Additionally, Schwake says behavioral threat protection can help detect and prevent anomalous login attempts and other malicious behaviors targeting APIs. “Ongoing monitoring and threat intelligence are imperative for real-time detection and response to these threats. Security teams should also enhance user training and enforce multi-factor authentication to lower the risk of credential theft.”
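The advice above boils down to two controls: restrict management access to trusted addresses (Cipot) and review authentication logs for anomalous login attempts (Cipot and Schwake). The script below is an added example, not code from the article, GreyNoise or Palo Alto Networks. It runs over a small set of constructed GlobalProtect-style authentication events and flags management-interface logins from outside an allowlist, windows in which many distinct source IPs fail portal logins (the scanning pattern GreyNoise describes), and single sources that try many usernames. The line layout, the `portal`/`mgmt` interface labels and the `10.0.0.0/8` trusted range are assumptions made for this example; they are not the real PAN-OS syslog format.

```python
"""Added example (not the article's, GreyNoise's or Palo Alto Networks' code).

Reviews a constructed set of GlobalProtect-style authentication events and flags:
  1. management-interface logins from outside a trusted address allowlist,
  2. a burst of many distinct source IPs failing portal logins in one window,
  3. a single source failing against many different usernames (spraying).
The line layout and the trusted range are assumptions for this example only.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample: "<UTC timestamp> <interface> <source ip> <user> <result>"
SAMPLE_LOG = """\
2025-03-17T09:00:01Z portal 203.0.113.10 admin FAIL
2025-03-17T09:00:04Z portal 203.0.113.11 admin FAIL
2025-03-17T09:00:09Z portal 203.0.113.12 test FAIL
2025-03-17T09:00:15Z portal 203.0.113.13 admin FAIL
2025-03-17T09:00:22Z portal 203.0.113.14 admin FAIL
2025-03-17T09:00:30Z portal 203.0.113.15 guest FAIL
2025-03-17T09:01:00Z portal 198.51.100.7 admin FAIL
2025-03-17T09:01:02Z portal 198.51.100.7 root FAIL
2025-03-17T09:01:05Z portal 198.51.100.7 test FAIL
2025-03-17T09:01:08Z portal 198.51.100.7 guest FAIL
2025-03-17T09:02:11Z portal 192.0.2.5 alice OK
2025-03-17T09:10:00Z mgmt 10.1.2.3 netops OK
2025-03-17T09:12:40Z mgmt 198.51.100.7 admin FAIL
2025-03-17T11:30:00Z portal 192.0.2.9 bob FAIL
2025-03-17T11:30:20Z portal 192.0.2.9 bob OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<iface>portal|mgmt) "
    r"(?P<src>[\d.]+) (?P<user>\S+) (?P<result>OK|FAIL)$"
)

# Assumed internal management range; replace with the real allowlist.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def untrusted_mgmt_logins(events, trusted=TRUSTED_MGMT):
    """Management-interface attempts (any result) from outside the allowlist."""
    hits = []
    for e in events:
        if e["iface"] != "mgmt":
            continue
        addr = ipaddress.ip_address(e["src"])
        if not any(addr in net for net in trusted):
            hits.append((e["src"], e["user"], e["result"]))
    return hits


def failing_source_bursts(events, window_minutes=5, threshold=5):
    """Map window start -> number of distinct source IPs with failed portal
    logins, keeping only windows at or above the threshold."""
    per_window = defaultdict(set)
    for e in events:
        if e["iface"] == "portal" and e["result"] == "FAIL":
            ts = e["ts"]
            start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
            per_window[start].add(e["src"])
    return {s: len(srcs) for s, srcs in per_window.items() if len(srcs) >= threshold}


def username_spraying(events, threshold=3):
    """Map source IP -> sorted usernames it failed against, for sources that
    tried at least `threshold` distinct usernames."""
    users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users.items() if len(u) >= threshold}


def analyze(text):
    """Run all three checks over a log text and return the findings."""
    events = parse_events(text)
    return {
        "untrusted_mgmt": untrusted_mgmt_logins(events),
        "bursts": failing_source_bursts(events),
        "spraying": username_spraying(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The thresholds are deliberately low so the constructed sample trips them; in production they should be tuned against a baseline of normal failed-login volume, and the distinct-source count per window is the signal that distinguishes a broad scanning campaign from a handful of users mistyping passwords.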
A Concerning Pattern
J Stephen Kowski, Field CTO at SlashNext, adds that this latest campaign follows a concerning pattern we’ve seen before – intensive reconnaissance preceding the discovery of new vulnerabilities. “Organizations should immediately implement strict access controls for management interfaces, enforce strong authentication policies, and consider implementing real-time threat detection that can identify and block suspicious login attempts from known malicious IPs. Advanced threat intelligence that continuously monitors for these coordinated scanning campaigns can provide early warning before vulnerabilities are publicly disclosed, giving security teams precious time to harden defenses against the inevitable exploitation attempts that follow.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.