Current Cyber Threats

GlobalProtect VPN Portals Probed With 2.3 Million Scan Sessions

Summary:
GreyNoise identified a surge in scanning activity targeting Palo Alto Networks GlobalProtect portals, with traffic increasing 40-fold within 24 hours on November 14, 2025, marking a new 90-day high. Since November 14, the security firm has observed 2.3 million login attempts against the /global-protect/login.esp URI of Palo Alto Networks PAN-OS and GlobalProtect.

The scans have been mainly aimed at the United States, Mexico, and Pakistan, each receiving nearly equivalent volumes of login attempts.

GreyNoise identified AS200373 (3xK Tech GmbH) as the primary ASN used in these attacks, with the remaining traffic sourced from AS208885 (Noyobzoda Faridduni Saidilhom).

“62% of all sessions originated from AS200373 geolocated to Germany, representing the majority and primary driver of the campaign. An additional 15% of traffic also originated from AS200373, but was geolocated to Canada, suggesting distributed hosting or exit infrastructure operating under the same ASN,” stated GreyNoise in its blog post.

Security Officer Comments:
The surge is linked to earlier related campaigns in October and April of this year. In October, GreyNoise reported a 500% increase in IP addresses scanning Palo Alto Networks GlobalProtect and PAN-OS profiles. Furthermore, in April 2025, GreyNoise reported yet another spike in scanning activity targeting Palo Alto Networks GlobalProtect login portals, involving 24,000 IP addresses.

The security firm believes that the latest activity is likely driven by the same threat actor, based on recurring TCP/JA4t fingerprints, the reuse of the same ASNs, and aligned timing of activity spikes across campaigns.

Suggested Corrections:
According to GreyNoise, such scanning spikes typically indicate the disclosure of new security flaws in 80% of cases, with the correlation being even stronger for Palo Alto Networks' products. Organizations should ensure their GlobalProtect and PAN-OS instances are up to date to prevent potential exploitation of known vulnerabilities for initial access. Enforcing MFA for all logins can help safeguard against credential stuffing attacks. Furthermore, restricting access to the login portals via geo-blocking, wherein traffic is denied from certain regions, can limit scanning activity and prevent network compromise.

GreyNoise has provided the two JA4t fingerprints below, which capture all observed activity and can be used for continued detection and tracking:
  • 65495_2-4-8-1-3_65495_7
  • 33280_2-4-8-1-3_65495_7
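As an added example (not GreyNoise's or the page's own code), the functions below derive a JA4T string from a raw TCP SYN header and check it against the two published fingerprints. It assumes the JA4T layout window_options_mss_windowscale with "00" for an absent option, and the SYN headers it tests are constructed inline.

```python
import struct
# The two JA4t fingerprints GreyNoise published for this campaign (from the page above).
KNOWN_JA4T = {
    "65495_2-4-8-1-3_65495_7",
    "33280_2-4-8-1-3_65495_7",
}

def build_syn(window: int, mss: int, wscale: int) -> bytes:
    """Constructed TCP SYN header (no IP header), option order 2-4-8-1-3; ports/seq arbitrary."""
    options = (
        b"\x02\x04" + struct.pack("!H", mss)       # kind 2: MSS
        + b"\x04\x02"                               # kind 4: SACK permitted
        + b"\x08\x0a" + struct.pack("!II", 1, 0)    # kind 8: timestamps (dummy values)
        + b"\x01"                                   # kind 1: NOP
        + b"\x03\x03" + bytes([wscale])             # kind 3: window scale
    )
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, data_offset << 4, 0x02, window, 0, 0)
    return fixed + options

def ja4t(tcp_header: bytes) -> str:
    """JA4T = window _ option kinds in order _ MSS _ window scale ("00" if absent; assumed)."""
    header_len = (tcp_header[12] >> 4) * 4
    window = struct.unpack("!H", tcp_header[14:16])[0]
    opts = tcp_header[20:header_len]
    kinds, mss, wscale = [], "00", "00"
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                # end of option list
            break
        kinds.append(kind)
        if kind == 1:                # NOP carries no length byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = opts[i + 2]
        i += length
    return f"{window}_{'-'.join(map(str, kinds))}_{mss}_{wscale}"

def is_campaign_fingerprint(tcp_header: bytes) -> bool:
    """True when the SYN's JA4T matches one of the published campaign fingerprints."""
    return ja4t(tcp_header) in KNOWN_JA4T

CAMPAIGN_SYN = build_syn(window=65495, mss=65495, wscale=7)  # constructed, campaign-shaped
LINUX_SYN = build_syn(window=64240, mss=1460, wscale=7)      # constructed, stock Linux-shaped
```

The same `ja4t()` output can be matched against SYNs extracted from a packet capture; only the 20+ header bytes starting at the TCP layer are needed.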

Link(s):
https://www.bleepingcomputer.com/ne...portals-probed-with-23-million-scan-sessions/