Threat intelligence firm GreyNoise disclosed on Friday that it has observed a massive spike in scanning activity targeting Palo Alto Networks login portals.
The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals.
As many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious.
The vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia.
"This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours," GreyNoise noted. "In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used."
"Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands."
When reached for comment regarding the spike in activity, a spokesperson for the company said there are no signs of compromise.
"The security of our customers is always our top priority," Palo Alto Networks said. "We have investigated the reported scanning activity and found no evidence of a compromise."
"Palo Alto Networks is protected by our own Cortex XSIAM platform, which stops 1.5 million new attacks daily and autonomously reduces 36 billion security events into the most critical threats to ensure our infrastructure remains secure. We remain confident in our robust security posture and our ability to protect our network."
In April 2025, GreyNoise reported a similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to urge customers to ensure that they are running the latest versions of the software.
The development comes as GreyNoise noted in its Early Warning Signals report back in July 2025 that surges in malicious scanning, brute-forcing, or exploit attempts are often followed by the disclosure of a new CVE affecting the same technology within six weeks.
In early September, GreyNoise warned about suspicious scans that occurred as early as late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first wave originated from over 25,100 IP addresses, mainly located in Brazil, Argentina, and the U.S.
Weeks later, Cisco disclosed two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world attacks to deploy malware families like RayInitiator and LINE VIPER.
Data from the Shadowserver Foundation shows that over 45,000 Cisco ASA/FTD instances, out of which more than 20,000 are located in the U.S. and about 14,000 are located in Europe, are still susceptible to the two vulnerabilities.
Update
In a new update shared on October 7, 2025, GreyNoise said it has detected a further spike in scanning against Palo Alto Networks PAN-OS GlobalProtect login portals, with the activity originating from over 2,200 unique IP addresses.
The cybersecurity company said it has also "observed a sharp increase in the unique count of ASNs involved in scanning Palo login portals, suggesting an increase in the number of threat actors involved," adding "the pace of login attempts suggests elevated activity may be driven by a threat actor(s) iterating through a large dataset of credentials."
GreyNoise also said the elevated scanning activity targeting Cisco and Palo Alto Networks firewalls, along with brute-force attack attempts aimed at Fortinet SSL VPNs, originate from IPs on the same subnets, specifically from ASNs 3xK Tech GmbH (AS200373) and tzulo, Inc. (AS11878).
The company said the three campaigns are "at least partially" driven by the same threat actor due to shared TCP fingerprints, recurring subnets leveraged, and a coordinated surge in activity at similar times across each campaign.
(The story was updated after publication to include a response from Palo Alto Networks and additional insights from GreyNoise.)
