Brute-Force Attacks Target Cisco and Palo Alto VPNs; Millions of Login Attempts Detected

Massive Brute-Force Attacks Target Cisco and Palo Alto Networks VPN Gateways

In mid-December 2025, a coordinated brute-force campaign targeted enterprise VPN gateways, specifically focusing on Palo Alto Networks’ GlobalProtect portals and Cisco SSL VPN endpoints. Threat intelligence firm GreyNoise reported millions of automated login attempts during this period, highlighting the persistent risks to remote access infrastructure.

Palo Alto GlobalProtect Under Siege

On December 11, 2025, GreyNoise sensors detected a significant surge in activity, with over 1.7 million sessions directed at emulated GlobalProtect portals within a 16-hour window. This attack involved more than 10,000 unique IP addresses, primarily geolocated to the United States, Pakistan, and Mexico. Notably, the majority of these IPs originated from infrastructure hosted by Germany’s 3xK GmbH.

The attackers used uniform request patterns: common username-password combinations sent with a Firefox user agent, which is atypical for automated tooling. This suggests a credential probing strategy aimed at identifying weak or exposed portals. The sharp increase in activity points to either a fresh inventory effort or the start of a broader campaign. Importantly, there is no evidence linking this surge to the exploitation of specific vulnerabilities; rather, it appears to be a large-scale password spraying attempt using extensive lists of stolen credentials.

Shift to Cisco SSL VPNs

Following the assault on Palo Alto’s GlobalProtect, the attackers shifted their focus to Cisco SSL VPNs on December 12, 2025. The number of unique attacking IPs targeting these VPNs spiked from under 200 to 1,273 in a single day, marking a significant anomaly. Most of this traffic was directed at GreyNoise’s facade sensors, indicating opportunistic scanning rather than targeted attacks.

The sessions targeting Cisco SSL VPNs shared the same TCP fingerprint and originated from the same 3xK IP space as the previous Palo Alto attacks. The predominant user agent was Windows NT 10.0, which is unusual for this provider’s past behavior. The request bodies followed standard SSL VPN login patterns, including CSRF tokens and credential fields, confirming that the attackers were employing automated credential stuffing techniques rather than exploiting specific vulnerabilities. This marks the first large-scale deployment against Cisco SSL VPNs by 3xK in 12 weeks.

Unified Attack Strategy

The overlapping fingerprints in TCP signatures, timing, and hosting infrastructure confirm that a unified actor or toolset is probing multiple VPN platforms. GreyNoise explicitly ruled out links to Cisco Talos’ UAT-9686 campaign against Secure Email products. The patterns observed echo prior surges flagged by GreyNoise, which often precede the disclosure of new vulnerabilities. However, in this instance, brute-force attacks dominate the strategy.

Recommendations for Enterprises

To mitigate the risks associated with these attacks, enterprises should implement the following measures:

– Enforce Multi-Factor Authentication (MFA): Adding an extra layer of security can significantly reduce the risk of unauthorized access, even if credentials are compromised.

– Use Strong, Unique Passwords: Encourage users to create complex passwords that are not easily guessable and are unique to each account.

– Conduct Routine Audits of VPN Logs: Regularly reviewing VPN logs can help identify anomalies and potential unauthorized access attempts.

GreyNoise recommends blocking the identified IPs associated with these attacks using platform-specific lists or free block templates for Palo Alto Login Scanner and Cisco SSL VPN Bruteforcer. Vendors like Palo Alto Networks urge customers to update to the latest PAN-OS versions to address recurring threats.
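The log-audit recommendation above is easiest to act on with a concrete detection pass. The script below is an added example, not code from GreyNoise, Cisco or Palo Alto Networks, and it runs over a constructed, generic authentication-log format (real PAN-OS or ASA logs need their own parser). It looks for the three signals described in this article: an hour in which the number of distinct failing source IPs jumps far above the surrounding hours, sources that try many account names with only one or two guesses each (spraying), and accounts hit from many sources. It then derives a candidate block list of spraying sources that never authenticated successfully. All IP addresses, usernames and thresholds are constructed for the example.

```python
"""Detection pass over VPN authentication logs for brute-force / spraying patterns.

Added example, not GreyNoise's, Cisco's or Palo Alto Networks' code. The log line
format is CONSTRUCTED for this example; real PAN-OS and ASA logs need their own parsers.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed line format: <iso-ts> <gateway> auth <OK|FAIL> user=<u> src=<ip> ua="<ua>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>OK|FAIL) '
    r'user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def failures(events):
    return [e for e in events if e["result"] == "FAIL"]


def spike_hours(events, factor=5.0, min_ips=20):
    """Hours whose count of distinct failing source IPs is at least `min_ips`
    and at least `factor` times the median of the other hours (the baseline)."""
    per_hour = defaultdict(set)
    for e in failures(events):
        per_hour[e["ts"].replace(minute=0, second=0, microsecond=0)].add(e["src"])
    counts = {h: len(ips) for h, ips in per_hour.items()}
    flagged = []
    for hour, n in sorted(counts.items()):
        others = [c for h, c in counts.items() if h != hour]
        baseline = median(others) if others else 0
        if n >= min_ips and n >= factor * baseline:
            flagged.append(hour)
    return flagged


def spraying_sources(events, min_users=3, max_per_user=2.0):
    """Sources that failed against many distinct accounts with few tries per account:
    the low-and-slow shape of password spraying, not a single-account brute force."""
    per_src = defaultdict(list)
    for e in failures(events):
        per_src[e["src"]].append(e["user"])
    out = {}
    for src, users in per_src.items():
        distinct = len(set(users))
        if distinct >= min_users and len(users) / distinct <= max_per_user:
            out[src] = distinct
    return out


def targeted_accounts(events, min_sources=10):
    """Accounts that saw failures from many distinct sources (distributed spraying)."""
    per_user = defaultdict(set)
    for e in failures(events):
        per_user[e["user"]].add(e["src"])
    return {u: len(s) for u, s in per_user.items() if len(s) >= min_sources}


def blocklist_candidates(events):
    """Spraying sources with no successful login on record, so a real user behind a
    shared egress who mistyped a password is not swept into the block list."""
    ok_srcs = {e["src"] for e in events if e["result"] == "OK"}
    return sorted(s for s in spraying_sources(events) if s not in ok_srcs)


def constructed_sample_log():
    """CONSTRUCTED log using documentation address ranges: five quiet hours, then one
    hour in which 40 sources from a single /24 each try three common account names once."""
    ua = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
    lines = []
    for h in ("2025-12-10T22", "2025-12-10T23", "2025-12-11T00", "2025-12-11T01", "2025-12-11T02"):
        lines.append(f'{h}:05:00Z vpn-gw auth FAIL user=alice src=203.0.113.5 ua="{ua}"')
        lines.append(f'{h}:05:30Z vpn-gw auth OK user=alice src=203.0.113.5 ua="{ua}"')
        lines.append(f'{h}:40:00Z vpn-gw auth FAIL user=bob src=203.0.113.6 ua="{ua}"')
    for i in range(40):
        for j, user in enumerate(("admin", "test", "vpn")):
            n = i * 3 + j
            lines.append(f'2025-12-11T03:{n // 60:02d}:{n % 60:02d}Z vpn-gw auth FAIL '
                         f'user={user} src=198.51.100.{i + 1} ua="{ua}"')
    return lines


def run_report(lines):
    events = [e for e in map(parse_line, lines) if e]
    return {
        "spike_hours": spike_hours(events),
        "spraying_sources": spraying_sources(events),
        "targeted_accounts": targeted_accounts(events),
        "blocklist": blocklist_candidates(events),
    }


if __name__ == "__main__":
    report = run_report(constructed_sample_log())
    print("spike hours:", [h.isoformat() for h in report["spike_hours"]])
    print("spraying sources:", len(report["spraying_sources"]))
    print("targeted accounts:", report["targeted_accounts"])
    print("block list size:", len(report["blocklist"]))
```

The baseline for the spike check is the median of the other hours rather than the mean, so a single noisy hour does not drag the threshold up and hide a second surge. In production the thresholds should be tuned against your own gateway's normal failure rate, and the block list should be reviewed against known corporate egress addresses before it is pushed to the firewall.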

Conclusion

This coordinated brute-force campaign underscores the vulnerability of VPN gateways as prime targets for attackers seeking unauthorized access to enterprise networks. By implementing robust security measures and staying vigilant, organizations can better protect their remote access infrastructure from such persistent threats.