Palo Alto Networks Alerts on Brute-Force Attacks Targeting PAN-OS GlobalProtect Gateways

Palo Alto Networks has recently identified a series of brute-force login attempts targeting its PAN-OS GlobalProtect gateways. This discovery follows reports from threat intelligence firm GreyNoise, which observed a significant increase in suspicious login scanning activities directed at these appliances.

A company spokesperson stated, "Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability." They further emphasized their commitment to monitoring the situation and analyzing the reported activities to assess potential impacts and determine necessary mitigations.

GreyNoise’s analysis revealed that the surge in login scanning activity began on March 17, 2025, reaching a peak of 23,958 unique IP addresses before declining towards the end of the month. This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems. The primary targets of these scanning activities have been systems located in the United States, the United Kingdom, Ireland, Russia, and Singapore.

While the exact scope of these efforts and the identities of the threat actors involved remain unclear, Palo Alto Networks is actively investigating the situation. In the meantime, the company advises all customers to ensure they are running the latest versions of PAN-OS. Additional recommended mitigations include enforcing multi-factor authentication (MFA), configuring GlobalProtect to facilitate MFA notifications, setting up security policies to detect and block brute-force attacks, and limiting unnecessary exposure to the internet.
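One way to express the "detect brute-force attacks" mitigation as logic over gateway authentication events, given as an added example that is not Palo Alto Networks' or GreyNoise's code. The event tuples, thresholds and function names are assumptions, the sample data is constructed, and this is not the PAN-OS log format. Because the reported activity was spread across many IP addresses, it counts distinct sources per account as well as failures per source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect(events, window=timedelta(minutes=5), per_ip=5, per_user_sources=4):
    """events: time-ordered (timestamp, source_ip, username, result) tuples.
    Returns (noisy_ips, targeted_users):
      noisy_ips      - sources with >= per_ip failures inside the window
      targeted_users - accounts failed from >= per_user_sources distinct
                       sources inside the window (each source may stay
                       under the per-IP threshold)."""
    by_ip = defaultdict(deque)    # ip -> failure timestamps still in window
    by_user = defaultdict(deque)  # user -> (timestamp, ip) still in window
    noisy_ips, targeted_users = set(), set()
    for ts, ip, user, result in events:
        if result != "fail":
            continue
        q = by_ip[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= per_ip:
            noisy_ips.add(ip)
        u = by_user[user]
        u.append((ts, ip))
        while ts - u[0][0] > window:
            u.popleft()
        if len({src for _, src in u}) >= per_user_sources:
            targeted_users.add(user)
    return noisy_ips, targeted_users

def sample_events():
    """Constructed sample data using documentation IP ranges."""
    t0 = datetime(2025, 3, 17, 10, 0, 0)
    # One source hammering a single account.
    ev = [(t0 + timedelta(seconds=10 * i), "198.51.100.7", "alice", "fail")
          for i in range(6)]
    # Four sources, one failure each, against the same account.
    ev += [(t0 + timedelta(seconds=30 * i), f"203.0.113.{i + 1}", "bob", "fail")
           for i in range(4)]
    # A user who mistypes once and then logs in.
    ev += [(t0 + timedelta(seconds=5), "192.0.2.10", "carol", "fail"),
           (t0 + timedelta(seconds=20), "192.0.2.10", "carol", "success")]
    return sorted(ev)

if __name__ == "__main__":
    ips, users = detect(sample_events())
    print("noisy sources:", sorted(ips))
    print("accounts targeted from many sources:", sorted(users))
```

The thresholds are illustrative and would be tuned against normal login behaviour for the gateway in question.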

This incident underscores the importance of robust security measures and proactive monitoring to defend against evolving cyber threats.