Threat intelligence firm GreyNoise disclosed on Friday that it has observed a large spike in scanning activity targeting Palo Alto Networks login portals.
The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals.
As many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious.
The vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia.
“This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours,” GreyNoise noted. “In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used.”
“Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands.”
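The check implied by GreyNoise's numbers, written here as an added example rather than GreyNoise's or Palo Alto Networks' own tooling: count distinct source IPs that request a login-portal path each day, flag a day whose count jumps several hundred percent over the preceding days, and see whether one TLS fingerprint accounts for most of the new sources. The log line format, the /global-protect/ path prefix and the JA3 values are assumptions constructed for the demonstration, not data from the report.

```python
"""Surge detection over login-portal access logs, with TLS-fingerprint clustering.

Added example written for this article; it is not GreyNoise or Palo Alto Networks code.
Assumptions: a simplified log line format "<ISO timestamp> <src_ip> <path> ja3=<hash>"
(constructed below), the GlobalProtect portal path prefix /global-protect/, and
placeholder JA3 values that are not real fingerprints.
"""
from collections import Counter, defaultdict
import re

# Constructed sample data: three quiet days, then a day where many new sources
# hit the portal login page while sharing one TLS fingerprint.
LOG_LINES = [
    "2025-09-30T08:01:00Z 198.51.100.10 /global-protect/login.esp ja3=aaaa1111",
    "2025-09-30T09:15:00Z 198.51.100.11 /global-protect/login.esp ja3=bbbb2222",
    "2025-10-01T10:00:00Z 198.51.100.12 /global-protect/login.esp ja3=aaaa1111",
    "2025-10-01T11:30:00Z 198.51.100.10 /global-protect/login.esp ja3=aaaa1111",
    "2025-10-02T07:45:00Z 198.51.100.13 /global-protect/login.esp ja3=cccc3333",
    "2025-10-02T07:46:00Z 203.0.113.5 /index.html ja3=dddd4444",  # not a login-portal hit
    "2025-10-03T13:00:00Z 198.51.100.10 /global-protect/login.esp ja3=aaaa1111",
] + [
    f"2025-10-03T12:{i:02d}:00Z 203.0.113.{i} /global-protect/login.esp ja3=eeee5555"
    for i in range(1, 13)
]

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<ip>\S+) (?P<path>\S+) ja3=(?P<ja3>\S+)$"
)
LOGIN_PATHS = ("/global-protect/",)  # assumed portal path prefix; extend for other products


def parse(lines):
    """Yield dicts for well-formed lines; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def daily_unique_sources(records, path_prefixes=LOGIN_PATHS):
    """Map day -> set of distinct source IPs that requested a login-portal path."""
    per_day = defaultdict(set)
    for r in records:
        if r["path"].startswith(path_prefixes):
            per_day[r["day"]].add(r["ip"])
    return per_day


def detect_surge(per_day, min_increase_pct=400.0, baseline_days=3):
    """Flag days whose distinct-source count exceeds the mean of the preceding
    baseline_days by at least min_increase_pct (GreyNoise reported roughly 500%)."""
    days = sorted(per_day)  # ISO dates sort chronologically as strings
    counts = {d: len(per_day[d]) for d in days}
    alerts = []
    for i, d in enumerate(days):
        window = days[max(0, i - baseline_days):i]
        if not window:
            continue  # nothing to compare the first day against
        baseline = sum(counts[w] for w in window) / len(window)
        increase = float("inf") if baseline == 0 else (counts[d] - baseline) / baseline * 100
        if increase >= min_increase_pct:
            alerts.append({"day": d, "unique_ips": counts[d],
                           "baseline": baseline, "increase_pct": increase})
    return alerts


def dominant_fingerprint(records, day, path_prefixes=LOGIN_PATHS):
    """Return (ja3, share) for the fingerprint used by the most distinct sources
    on `day`; one fingerprint behind most sources points to a single toolset."""
    ips_by_ja3 = defaultdict(set)
    for r in records:
        if r["day"] == day and r["path"].startswith(path_prefixes):
            ips_by_ja3[r["ja3"]].add(r["ip"])
    if not ips_by_ja3:
        return None, 0.0
    counts = Counter({ja3: len(ips) for ja3, ips in ips_by_ja3.items()})
    ja3, n = counts.most_common(1)[0]
    return ja3, n / sum(counts.values())


def analyze(lines=LOG_LINES):
    """Run the pipeline: parse, count distinct sources per day, flag surges,
    and attach the dominant TLS fingerprint of each flagged day."""
    records = list(parse(lines))
    alerts = detect_surge(daily_unique_sources(records))
    for a in alerts:
        a["dominant_ja3"], a["ja3_share"] = dominant_fingerprint(records, a["day"])
    return alerts


if __name__ == "__main__":
    for a in analyze():
        print(f"{a['day']}: {a['unique_ips']} distinct sources "
              f"(+{a['increase_pct']:.0f}% vs baseline {a['baseline']:.1f}); "
              f"{a['ja3_share']:.0%} share JA3 {a['dominant_ja3']}")
```

The 400% threshold and three-day baseline are arbitrary starting points; tune them against your own portal's normal traffic. What makes a surge worth chasing rather than writing off as background noise is the second signal: when one JA3 (or JA4) fingerprint sits behind most of the new source IPs, the scan is coming from one toolset regardless of how many addresses it is spread across, which is the overlap GreyNoise describes between the Cisco ASA and Palo Alto traffic.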
When reached for comment regarding the spike in activity, a Palo Alto Networks spokesperson said there are no indicators of compromise.
“The security of our customers is always our top priority,” Palo Alto Networks said. “We have investigated the reported scanning activity and found no evidence of a compromise.”
“Palo Alto Networks is protected by our own Cortex XSIAM platform, which stops 1.5 million new attacks daily and autonomously reduces 36 billion security events into the most critical threats to ensure our infrastructure remains secure. We remain confident in our robust security posture and our ability to protect our network.”
In April 2025, GreyNoise reported similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to urge customers to ensure that they are running the latest versions of the software.
The development comes as GreyNoise noted in its Early Warning Signals report back in July 2025 that surges in malicious scanning, brute-forcing, or exploit attempts are often followed by the disclosure of a new CVE affecting the same technology within six weeks.
In early September, GreyNoise warned about suspicious scans that occurred as early as late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first wave originated from over 25,100 IP addresses, primarily located in Brazil, Argentina, and the U.S.
Weeks later, Cisco disclosed two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world attacks to deploy malware families like RayInitiator and LINE VIPER.
Data from the Shadowserver Foundation shows that over 45,000 Cisco ASA/FTD instances, of which more than 20,000 are located in the U.S. and about 14,000 in Europe, are still susceptible to the two vulnerabilities.
(The story was updated after publication to include a response from Palo Alto Networks.)