
Researchers are tracking a significant surge in login scanning activity targeting Palo Alto Networks (PAN) firewalls. Network defenders are advised to check for signs of compromise.
GreyNoise, a security intelligence firm, has warned of a coordinated effort to probe PAN-OS GlobalProtect portals. This VPN solution enables secure remote access to networks protected by Palo Alto firewalls.
PAN firewalls are widely deployed across finance, healthcare, education, technology, and other major sectors.
Between March 17th and March 26th, 2025, up to 24,000 unique IP addresses per day were observed probing the firewalls.
“Most of the observed activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs),” GreyNoise said in a report.
“The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation.”
It’s unclear what the attackers might be looking for. However, similar patterns have been observed in the past, with zero-day flaws emerging 2-4 weeks later.
There are concerns that attackers might be paving the way for potential exploitation.
“Organizations using Palo Alto Networks products should take steps to secure their login portals,” GreyNoise warns.
The majority of targeted systems are in the US, and the scans mostly come from the US and Canada. However, attackers can easily proxy their traffic through any country.
The researchers compare this activity with a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos.
“While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access.”
They recommend that network defenders review March logs on exposed Palo Alto Networks systems.
“Consider performing a detailed threat hunt on running systems to identify any signs of compromise,” the report reads.
At the time of writing, the suspicious probing has tapered off.

Other security researchers are also sharing their warnings.
“PAN-OS had some vulnerabilities identified and reported to customers. Most of the Palo Alto customers have probably updated their PAN-OS systems and mitigated their vulnerabilities. However, this does not mean that everyone has. Therefore, the attackers are likely trying to see who has missed the mark and ‘forgot’ to do the necessary basic actions needed to keep their organization safe,” said Boris Cipot, Senior Security Engineer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.
Eric Schwake, Director of Cybersecurity Strategy at Salt Security, a Palo Alto-based provider of API security, warns that the increase in suspicious scanning might be followed by attempts to gain unauthorized access.
“Organizations should immediately implement strict access controls for management interfaces, enforce strong authentication policies, and consider implementing real-time threat detection that can identify and block suspicious login attempts from known malicious IPs,” said J Stephen Kowski, Field CTO at SlashNext Email Security+.
“Advanced threat intelligence that continuously monitors for these coordinated scanning campaigns can provide early warning before vulnerabilities are publicly disclosed.”