Coordinated Login Scans Target PAN-OS GlobalProtect Gateways

In mid-March 2025, cybersecurity researchers identified a significant surge in login scanning activities targeting Palo Alto Networks’ PAN-OS GlobalProtect gateways. This coordinated effort involved nearly 24,000 unique IP addresses attempting to access these portals, raising concerns about potential preparatory actions for future cyberattacks.

The activity commenced on March 17, 2025, with daily attempts nearing 20,000 unique IP addresses. This pattern persisted until March 26, when the numbers began to decline. At its peak, approximately 23,958 unique IP addresses were involved. Notably, only 154 of these addresses have been flagged as malicious, suggesting that the majority may be part of a broader reconnaissance operation.

Geographical analysis indicates that the United States and Canada were the primary sources of this traffic, followed by Finland, the Netherlands, and Russia. The targeted systems were predominantly located in the United States, the United Kingdom, Ireland, Russia, and Singapore. This widespread distribution underscores the global nature of the scanning campaign.

While the exact motives behind this surge remain unclear, the pattern suggests a systematic approach to probing network defenses. Such activities often precede targeted exploitation, as attackers identify and catalog vulnerable systems for future attacks. Bob Rudis, Vice President of Data Science at GreyNoise, noted: "Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies. These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later."

This incident is part of a broader trend of increasing cyber threats targeting network infrastructure. In February 2025, Palo Alto Networks addressed a high-severity authentication bypass vulnerability in its PAN-OS software, identified as CVE-2025-0108. This flaw allowed unauthenticated attackers with network access to the management web interface to bypass authentication and invoke certain PHP scripts, potentially compromising the integrity and confidentiality of PAN-OS. The vulnerability affected multiple versions of PAN-OS, including 11.2, 11.1, 11.0, 10.2, and 10.1. Palo Alto Networks released patches to address this issue and recommended that customers restrict access to the management web interface to trusted internal IP addresses.

The recent scanning activity targeting GlobalProtect gateways may be an attempt to exploit such vulnerabilities. GreyNoise’s data indicates that exploitation attempts have originated from multiple unique IP addresses across various countries, including the United States, China, and Israel. This underscores the importance of promptly applying security updates and implementing best practices to secure network interfaces.

In response to these developments, Palo Alto Networks has urged customers to immediately apply the security updates released in February 2025 and to secure internet-facing instances to mitigate potential attacks. The company emphasized that securing external-facing management interfaces is a fundamental security best practice and strongly encouraged all organizations to review their configurations to minimize risk.

Organizations utilizing Palo Alto Networks’ PAN-OS GlobalProtect gateways should take proactive measures to secure their systems. This includes applying the latest security patches, restricting access to management interfaces, and monitoring for unusual login activities. By implementing these measures, organizations can enhance their defenses against potential cyber threats and safeguard their network infrastructure.
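The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the article, GreyNoise or Palo Alto Networks: it reads already-normalized authentication log lines (the line format, the sample timestamps and the documentation-range IP addresses are all constructed for this illustration and do not reproduce the real PAN-OS system-log layout), counts how many distinct source IPs produced failed GlobalProtect logins per day, and flags any day whose count jumps well above what earlier days established as normal. The threshold values are assumptions to be tuned per environment; the point is that a scanning campaign like the one described, thousands of distinct sources in a day, shows up as a spike in unique failing sources rather than in the volume from any single address.

```python
import re
from collections import defaultdict

# Constructed sample input in a simple normalized format (assumed, not the real
# PAN-OS log layout): ISO timestamp, source IP, portal name, authentication result.
# Day one is quiet; day two shows a burst of distinct sources all failing to log in.
SAMPLE_LOG = """\
2025-03-16T08:12:01Z src=198.51.100.7 portal=gp-gw-1 result=success
2025-03-16T09:30:44Z src=198.51.100.7 portal=gp-gw-1 result=success
2025-03-16T17:05:12Z src=198.51.100.22 portal=gp-gw-1 result=fail
2025-03-17T00:01:03Z src=203.0.113.10 portal=gp-gw-1 result=fail
2025-03-17T00:01:05Z src=203.0.113.11 portal=gp-gw-1 result=fail
2025-03-17T00:01:07Z src=203.0.113.12 portal=gp-gw-1 result=fail
2025-03-17T00:01:09Z src=203.0.113.13 portal=gp-gw-1 result=fail
2025-03-17T00:01:11Z src=203.0.113.14 portal=gp-gw-1 result=fail
2025-03-17T00:01:13Z src=203.0.113.15 portal=gp-gw-1 result=fail
2025-03-17T08:15:00Z src=198.51.100.7 portal=gp-gw-1 result=success
2025-03-18T08:20:00Z src=198.51.100.7 portal=gp-gw-1 result=success
"""

# One regex for the constructed format; the date prefix is captured separately
# so that events can be bucketed per day without a datetime round-trip.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+src=(?P<src>\S+)\s+"
    r"portal=(?P<portal>\S+)\s+result=(?P<result>\S+)$"
)


def parse_lines(text):
    """Yield (day, src_ip, portal, result) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("day"), m.group("src"), m.group("portal"), m.group("result")


def unique_failing_sources_per_day(text):
    """Map every observed day to the set of source IPs with at least one failed login.

    Days that only saw successful logins are kept with an empty set so that the
    time series has no gaps.
    """
    per_day = defaultdict(set)
    for day, src, _portal, result in parse_lines(text):
        per_day[day]  # register the day even if nothing fails on it
        if result == "fail":
            per_day[day].add(src)
    return dict(per_day)


def detect_scan_surges(text, min_sources=3, factor=3.0):
    """Return (day, count, sources) for days whose unique-failing-source count
    exceeds both an absolute floor and `factor` times the normal baseline.

    The baseline is the highest count seen on earlier days that were NOT flagged,
    so one surge day does not raise the bar for the days that follow it.
    Both thresholds are assumed starting values; tune them to the environment.
    """
    per_day = unique_failing_sources_per_day(text)
    alerts = []
    baseline = 0
    for day in sorted(per_day):
        count = len(per_day[day])
        threshold = max(min_sources, factor * baseline)
        if count > threshold:
            alerts.append((day, count, sorted(per_day[day])))
        else:
            baseline = max(baseline, count)
    return alerts


if __name__ == "__main__":
    for day, count, sources in detect_scan_surges(SAMPLE_LOG):
        print(f"{day}: {count} distinct sources with failed logins, e.g. {sources[:3]}")
```

In production the same logic would run over the gateway's exported authentication logs rather than an embedded string, and the flagged source list is what you would then compare against threat-intelligence feeds, as the article notes GreyNoise did when it found only a small fraction of the scanning addresses already flagged as malicious.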