Increased Scanning for PAN-OS GlobalProtect Vulnerability
Summary
SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). This flaw, disclosed last year, allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. The vulnerability is a command injection flaw that can be exploited to gain unauthorized access and control over vulnerable firewalls. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.
Timeline
- 02.10.2025 14:30 (1 article)
Increased Scanning for PAN-OS GlobalProtect Vulnerability
SANS Internet Storm Center observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. This vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.
Sources:
- ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More — thehackernews.com — 02.10.2025 14:30
Information Snippets
- SANS Internet Storm Center detected a surge in internet-wide scans targeting the PAN-OS GlobalProtect vulnerability (CVE-2024-3400).
  First reported: 02.10.2025 14:30 (1 source, 1 article)
- The vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls.
  First reported: 02.10.2025 14:30 (1 source, 1 article)
- The scans involve attempts to upload and retrieve files, suggesting pre-exploit staging activities.
  First reported: 02.10.2025 14:30 (1 source, 1 article)
- The vulnerability was disclosed last year, highlighting the ongoing risk of unpatched systems.
  First reported: 02.10.2025 14:30 (1 source, 1 article)
- The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.
  First reported: 02.10.2025 14:30 (1 source, 1 article)
Similar Happenings
Increased Scanning Activity on Palo Alto Networks Login Portals
A significant increase in scanning activity targeting Palo Alto Networks login portals was observed on October 3, 2025. The activity involved 1,300 unique IP addresses, with 91% classified as suspicious and 7% as malicious. The scans were geolocated primarily in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance efforts. This surge shares characteristics with recent scanning activity targeting Cisco ASA devices, which was followed by the disclosure of zero-day vulnerabilities. The scans are likely part of a broader pattern of increased malicious activity targeting network security appliances. Palo Alto Networks customers are advised to ensure they are running the latest software versions. Additionally, an increase in exploitation attempts of an old path traversal vulnerability in Grafana was observed, with 110 unique malicious IPs, most from Bangladesh, launching attacks on September 28, 2025. GreyNoise will continue monitoring the activity in case it precedes a new Palo Alto vulnerability disclosure. Security products remain a popular target for threat actors, with recent increases in attacks from the Akira ransomware group aimed at SonicWall SSL VPN appliances. AI is being used by cyber-threat actors to enhance existing tactics, techniques, and procedures (TTPs) in victim reconnaissance, vulnerability research, and exploit development.