Threat Intelligence Firm Greynoise revealed on Friday that a surge in scansing activities targeting Palo Alto Networks Login Portals has been observed.
The company said it observed on October 3, 2025 that a nearly 500% increase in IP addresses scanning the Palo Alto Networks login portal was the highest recorded level in the last three months. It describes traffic as targeted and structured and aims primarily to the Palo Alto login portal.
As many as 1,300 unique IP addresses have participated in this effort, a major jump from around 200 unique IP addresses previously observed. Of these IP addresses, 93% are classified as suspicious and 7% are malicious.
The majority of IP addresses are immersed in the US and smaller clusters have been detected in the UK, Netherlands, Canada and Russia.
“This Palo Alto Surge shares features with Cisco ASA scans that have occurred over the past 48 hours,” says Greynoise. “In both cases, the scanner showed overlapping regional clustering and fingerprints with the tools used.”
“The login scan traffic from both Cisco Asa and Palo Alto over the past 48 hours shares the dominant TLS fingerprint tied to Dutch infrastructure.”
In April 2025, Greynoise reported similar suspicious login scan activity targeting Palo Alto Networks Pan-OS Global-Protect Gateways, urging network security companies to urge customers to run the latest version of their software.
This development will often be followed by a surge in malicious scans, brute enhancements or exploit attempts, as Greynoise noted in its early warning signal report in July 2025, with disclosures of new CVEs affecting the same technology within six weeks.
In early September, Greynoise warned of a suspicious scan that occurred in late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first waves came from over 25,100 IP addresses, mainly in Argentina and Brazil, the United States.
A few weeks later, Cisco disclosed two new zero-days in the CISCO ASA (CVE-2025-20333 and CVE-2025-20362) that were exploited in real-world attacks to deploy malware families such as Reynatiators and Line Vipers.
Shadowserver Foundation data shows that over 45,000 Cisco ASA/FTD instances have over 20,000 people in the US and approximately 14,000 people in Europe, making them susceptible to two vulnerabilities.
Source link
