Cybersecurity Alert: Massive Increase in Scans Targeting Palo Alto Networks GlobalProtect Portals

johny899

Not long ago, security researchers observed an alarming spike in scans targeting Palo Alto Networks login portals -- particularly GlobalProtect and PAN-OS.

These are not random scans by any means. These hackers are conducting scans to find vulnerable or exploitable systems for a future attack.

According to GreyNoise (a cybersecurity firm), the amount of scanning for these portals has surged by 500%! About 200 scans is typical per day -- but on October 3 there were 1,285 unique IP addresses scanning.

Although most of the scans were from the U.S., there were scans originating from the U.K., Netherlands, Canada, Russia and Pakistan.

To make matters worse, 91% of the scanning IPs were flagged as suspicious, with 7% of those IPs being classified as malicious.

So for all intents and purposes, this is serious.

Why it matters

  • Attackers pre-test before attacking
  • The trend we've seen is that hackers typically scan before they attack.
  • These attackers scan to see what systems are online, what version of software is running, and if there are any known vulnerabilities.

GreyNoise thinks that this kind of scanning typically occurs just before hackers attempt to use a zero-day (a new, non-public security vulnerability) or an n-day (a known vulnerability that remains exploitable).

Earlier this year, we observed another phenomenon of large-scale scanning: over 24,000 unique IP addresses engaged in scanning GlobalProtect portals.

Those scanning events led to an attack in March that lasted multiple days.

So, seeing this new wave of scanning may indicate that something larger will happen soon.

There are acknowledged vulnerabilities

Palo Alto has already made news with a serious product vulnerability, CVE-2025-0108, an authentication bypass that left users exposed. In short, it was easy to do: if the admin front-end was accessible to the outside world, an attacker could just bypass the login to gain access to any system. This is exactly why scans like this are so alarming. This is a tool a hacker can use to find a new route in using the same vector.

What to do now?

In light of the news, if you and your organization have any Palo Alto firewalls or VPNs, take the following action steps as soon as possible:

a. Upgrade your software — To the latest PAN-OS or GlobalProtect version for your device

b. Hide your login page — Only allow login page access from a single internal or trusted IP

c. Review your logs — Look for possible sign-ins from unknown IPs

d. Block known bad IPs — A threat intel service like GreyNoise will help identify known malicious IP addresses

e. Layer additional security on authentication — Examples of layered authentication methods include multifactor authentication and long, strong passwords.

This may seem like a small step now, but it may be the difference between a large compromise later on.

Conclusion

This enormous number of scans is not innocent background noise - it is a warning. Hackers seem to be looking at Palo Alto systems and may even be readying for an attack.

If you're responsible for firewalls or VPNs, do not wait. Patch, protect, and monitor - today's scans could very well be tomorrow's attack.
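
The log review in steps b and c above, as an added example that is not part of the original post: it flags successful sign-ins from sources outside a trusted allowlist and days where the number of unique untrusted sources jumps well above the running average. The `date,source_ip,result` layout, the trusted ranges and the surge factor are assumptions made for illustration, not a real PAN-OS or GlobalProtect log format.

```python
import ipaddress
from collections import defaultdict

# Assumption: ranges allowed to reach the login portal (private and documentation ranges).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Constructed sample export, "date,source_ip,result". Hypothetical layout, not a vendor format.
SAMPLE_LOG = """\
2025-10-01,10.1.2.3,success
2025-10-01,203.0.113.7,failure
2025-10-02,10.1.2.3,success
2025-10-02,203.0.113.8,failure
2025-10-03,203.0.113.7,failure
2025-10-03,203.0.113.9,failure
2025-10-03,203.0.113.10,failure
2025-10-03,192.0.2.44,success
2025-10-03,198.51.100.20,success
2025-10-03,not-an-ip,failure
"""

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def review(log_text, surge_factor=3.0):
    """Return (untrusted successful sign-ins, days with a surge of untrusted sources)."""
    per_day = defaultdict(set)   # date -> unique untrusted source IPs
    untrusted_logins = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue  # skip malformed rows
        day, raw_ip, result = parts
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # skip rows whose source field is not an IP address
        if is_trusted(ip):
            continue
        per_day[day].add(ip)
        if result == "success":
            untrusted_logins.append((day, str(ip)))
    days = sorted(per_day)
    surges = []
    for i, day in enumerate(days[1:], start=1):
        baseline = sum(len(per_day[d]) for d in days[:i]) / i  # mean of earlier days
        if len(per_day[day]) >= surge_factor * baseline:
            surges.append(day)
    return untrusted_logins, surges
```

Calling `review(SAMPLE_LOG)` on the constructed data returns one untrusted successful sign-in and one surge day; with a real export, adjust the field parsing to the columns your firewall actually writes.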
 