Cybersecurity researchers have raised alarms about a significant surge in suspicious login scans targeting Palo Alto Networks’ PAN-OS GlobalProtect gateways. Over 24,000 unique IP addresses have been observed attempting to access these portals, indicating a potential coordinated effort to identify vulnerable systems. The scans began on March 17, 2025, and peaked at nearly 24,000 unique IPs before tapering off on March 26. GreyNoise, a threat intelligence firm, linked this activity to potential reconnaissance for upcoming exploitation, highlighting the importance of securing exposed systems.
The majority of these attacks originated from the United States and Canada, with significant traffic also coming from Finland, the Netherlands, and Russia. Although only a small subset of 154 IP addresses were flagged as malicious, the activity primarily targeted systems in the US, UK, Ireland, Russia, and Singapore. This broad distribution suggests that attackers are probing global defenses, likely preparing for future attacks that exploit existing vulnerabilities. Experts warn that such activity often precedes the discovery of new vulnerabilities, a pattern observed in previous years.
GreyNoise analysts also observed that similar suspicious activity has been targeting multiple technologies, including devices from F5, Ivanti, Linksys, and others. This increase in reconnaissance attempts suggests that threat actors are actively searching for weaknesses in various systems, potentially to exploit them once vulnerabilities are found. The company encourages organizations to remain vigilant and ensure their systems are up-to-date with the latest patches to protect against known risks.
In response to these findings, Palo Alto Networks has acknowledged the situation and emphasized that customer security remains a priority. They urge organizations to update their PAN-OS instances to the latest version and monitor network traffic for any anomalies. GreyNoise recommends that companies with exposed Palo Alto Networks systems conduct a thorough review of their logs from March and perform detailed threat hunts to detect any signs of compromise before the situation escalates.
