Attacks on Palo Alto PAN-OS GlobalProtect Login Portals Surge from 2,200 IPs

A surge in reconnaissance against Palo Alto Networks GlobalProtect login portals peaked on October 7, 2025, with over 2,200 unique IPs involved, signaling broadening threat actor involvement and credential stuffing attempts.

GreyNoise has tracked an abrupt rise in scanners probing PAN-OS GlobalProtect login portals. Daily unique IPs rose from approximately 1,300 on October 3 to over 2,200 by October 7.

Simultaneously, the count of Autonomous System Numbers (ASNs) sourcing these scans jumped sharply, indicating a growing number of distinct operators.

Notably, about 12 percent of all subnets within ASN 11878 were actively scanning Palo Alto portals, underscoring concentrated abuse of specific network ranges.

Credential Stuffing Campaign

The rapid pace and scale of login attempts suggest the use of extensive credential lists, likely compiled from previous data breaches or illicit marketplaces.

GreyNoise’s supplemental dataset on GitHub provides defenders with observed usernames and passwords to aid in blocking malicious login attempts.

The traffic is structured and almost exclusively targets GlobalProtect and PAN-OS login endpoints, which points to purposeful reconnaissance rather than indiscriminate internet-wide scanning.

Geolocation analysis shows 91 percent of scanning IPs located in the United States, with secondary clusters in the U.K., Netherlands, Canada, and Russia.

Two primary scanning clusters emerged over the past 48 hours: one focused on U.S. targets and the other on Pakistan, each with its own distinct TCP fingerprint.

Additional smaller campaigns targeted sensors in Mexico, France, Australia, and the U.K., reflecting global reach.

GreyNoise observed parallels between this GlobalProtect surge and a recent Cisco ASA scanning event.

Both campaigns share a dominant TCP fingerprint emanating from infrastructure in the Netherlands and display regional clustering.

While a shared tooling or centralized management infrastructure is plausible, no definitive link between operators or intent has been confirmed.

The spike on October 3 marked the largest single-day probing event against GlobalProtect portals in three months.

Nearly all participating IPs first appeared within 48 hours of the surge, highlighting the use of ephemeral or on-demand scanning infrastructure.

Defenders should:

  • Block or closely monitor IPs tagged by GreyNoise’s Palo Alto Networks Login Scanner.
  • Implement rate limiting and multi-factor authentication to mitigate credential stuffing.
  • Review GlobalProtect authentication logs for the usernames in GreyNoise’s supplemental list. Usernames can be matched directly against failed-login events; passwords should never appear in logs, so compare the listed passwords against your password denylist instead.
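The log review above, as an added example that is not part of the original article or of GreyNoise’s tooling: it separates a credential-stuffing pattern (one source, many distinct usernames in a short window) from single-account brute force, and cross-checks each source against a tagged-scanner range list and a watchlist of usernames. The log lines, the CSV field layout, the `TAGGED_SCANNER_RANGES` list and the `WATCHLIST_USERNAMES` set are all constructed for this example; the layout is an assumption and is not the real PAN-OS GlobalProtect log schema, so adapt `parse_log` to your export format.

```python
"""Constructed example: detect credential stuffing in GlobalProtect auth failures.

Log layout (assumed, not the real PAN-OS schema):
    timestamp,app,event,status,source_ip,username
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: 203.0.113.5 sprays many usernames, 192.0.2.77
# hammers one account, 198.51.100.20 is a user who mistyped once.
SAMPLE_LOG = """\
2025/10/07 09:00:01,globalprotect,portal-auth,failure,203.0.113.5,admin
2025/10/07 09:00:02,globalprotect,portal-auth,failure,203.0.113.5,test
2025/10/07 09:00:03,globalprotect,portal-auth,failure,203.0.113.5,jsmith
2025/10/07 09:00:04,globalprotect,portal-auth,failure,203.0.113.5,vpn
2025/10/07 09:00:05,globalprotect,portal-auth,failure,203.0.113.5,guest
2025/10/07 09:00:06,globalprotect,portal-auth,failure,203.0.113.5,support
2025/10/07 09:01:10,globalprotect,portal-auth,failure,198.51.100.20,jdoe
2025/10/07 09:03:30,globalprotect,portal-auth,success,198.51.100.20,jdoe
2025/10/07 09:05:00,globalprotect,portal-auth,failure,192.0.2.77,admin
2025/10/07 09:05:01,globalprotect,portal-auth,failure,192.0.2.77,admin
2025/10/07 09:05:02,globalprotect,portal-auth,failure,192.0.2.77,admin
"""

# Hypothetical scanner ranges exported from a threat feed (constructed, not GreyNoise data).
TAGGED_SCANNER_RANGES = ["203.0.113.0/24"]

# Hypothetical usernames taken from a leaked-credential list (constructed).
WATCHLIST_USERNAMES = {"admin", "test", "vpn", "guest", "support"}


def parse_log(text):
    """Parse the assumed CSV layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _app, _event, status, src, user = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
            "status": status,
            "src": src,
            "user": user,
        })
    return events


def analyse(events, window=timedelta(minutes=5), min_attempts=5, min_users=4):
    """Return {source_ip: finding} for sources worth a closer look.

    credential-stuffing: >= min_attempts failures over >= min_users distinct
    usernames inside any `window`; brute-force: >= min_attempts failures but
    few usernames; suspicious: below threshold but tagged or on the watchlist.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["status"] == "failure":
            per_src[e["src"]].append(e)

    nets = [ipaddress.ip_network(n) for n in TAGGED_SCANNER_RANGES]
    findings = {}
    for src, fails in per_src.items():
        fails.sort(key=lambda e: e["ts"])
        # Sliding window: densest (attempts, distinct users) seen in any window.
        best = (0, 0)
        j = 0
        for i in range(len(fails)):
            while fails[i]["ts"] - fails[j]["ts"] > window:
                j += 1
            span = fails[j:i + 1]
            best = max(best, (len(span), len({e["user"] for e in span})))
        attempts, distinct = best
        tagged = any(ipaddress.ip_address(src) in n for n in nets)
        watch_hits = {e["user"] for e in fails} & WATCHLIST_USERNAMES

        if attempts >= min_attempts and distinct >= min_users:
            label = "credential-stuffing"
        elif attempts >= min_attempts:
            label = "brute-force"
        elif tagged or watch_hits:
            label = "suspicious"
        else:
            continue
        findings[src] = {
            "label": label,
            "attempts": attempts,
            "distinct_users": distinct,
            "tagged_scanner": tagged,
            "watchlist_users": sorted(watch_hits),
        }
    return findings


if __name__ == "__main__":
    for src, finding in analyse(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

Tune `window`, `min_attempts` and `min_users` to your portal’s normal failure rate; the distinct-username count is what distinguishes a stuffing list replay from a single user locked out of their own account.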

CVE Table

CVE ID          Description                                                         Affected Versions                                                        CVSS 3.1 Score  Impact
CVE-2024-3400   PAN-OS GlobalProtect arbitrary file creation leading to OS          PAN-OS 10.2, 11.0 and 11.1 with a GlobalProtect gateway or portal        10.0            Unauthenticated remote code execution as root
                command injection                                                   configured
CVE-2024-5921   GlobalProtect Windows client improper validation                    GlobalProtect 5.2.0 to 5.2.8                                             7.5             Code execution
CVE-2024-29014  SonicWall SMA1000 NetExtender Windows client overflow               NetExtender 10.2.0 to 10.2.5                                             8.6             Remote code execution
                (a related remote-access client, not a Palo Alto product)


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
