Risk intelligence agency GreyNoise disclosed on Friday that it has noticed an enormous spike in scanning exercise focusing on Palo Alto Networks login portals.
The corporate stated it noticed an almost 500% improve in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the best degree recorded within the final three months. It described the visitors as focused and structured, and aimed primarily at Palo Alto login portals.
As many as 1,300 distinctive IP addresses have participated within the effort, a major leap from round 200 distinctive IP addresses noticed earlier than. Of those IP addresses, 93% are labeled as suspicious and seven% as malicious.
The overwhelming majority of the IP addresses are geolocated to the U.S., with smaller clusters detected within the U.Okay., the Netherlands, Canada, and Russia.
“This Palo Alto surge shares traits with Cisco ASA scanning occurring up to now 48 hours,” GreyNoise famous. “In each instances, the scanners exhibited regional clustering and fingerprinting overlap within the tooling used.”
“Each Cisco ASA and Palo Alto login scanning visitors up to now 48 hours share a dominant TLS fingerprint tied to infrastructure within the Netherlands.”
When reached for remark concerning the spike in exercise, a spokesperson for the corporate stated there aren’t any indicators of compromise.
“The safety of our clients is all the time our high precedence,” Palo Alto Networks stated. “We have now investigated the reported scanning exercise and located no proof of a compromise.”
“Palo Alto Networks is protected by our personal Cortex XSIAM platform, which stops 1.5 million new assaults day by day and autonomously reduces 36 billion safety occasions into probably the most vital threats to make sure our infrastructure stays safe. We stay assured in our strong safety posture and our skill to guard our community.”
In April 2025, GreyNoise reported an identical suspicious login scanning exercise focusing on Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the community safety firm to induce clients to make sure that they’re working the newest variations of the software program.
The event comes as GreyNoise famous in its Early Warning Alerts report again in July 2025 that surges in malicious scanning, brute-forcing, or exploit makes an attempt are sometimes adopted by the disclosure of a brand new CVE affecting the identical expertise inside six weeks.
In early September, GreyNoise warned about suspicious scans that occurred as early as late August, focusing on Cisco Adaptive Safety Equipment (ASA) units. The primary wave originated from over 25,100 IP addresses, primarily positioned in Brazil, Argentina, and the U.S.
Weeks later, Cisco disclosed two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world assaults to deploy malware households like RayInitiator and LINE VIPER.
Knowledge from the Shadowserver Basis reveals that over 45,000 Cisco ASA/FTD situations, out of which greater than 20,000 are positioned within the U.S. and about 14,000 are positioned in Europe, are nonetheless prone to the 2 vulnerabilities.
(The story was up to date after publication to incorporate a response from Palo Alto Networks.)
