GreyNoise sees 500% surge in scanning against Palo Alto Networks login portals

Target Trend
H score 49
2 unique sources, 3 articles

Summary

GreyNoise says Palo Alto Networks GlobalProtect VPN login portals saw a 40x surge in malicious scanning beginning November 14, 2025, reaching a 90-day high within a week. Between November 14 and 19, it observed 2.3 million sessions to the */global-protect/login.esp* endpoint, and said the activity is likely related to prior campaigns because of TCP/JA4t fingerprints, ASN reuse, and aligned timing. The pattern matters because the login-portal probes are aimed at exposed PAN-OS and GlobalProtect authentication surfaces and have been linked by GreyNoise to recurring pre-exploitation reconnaissance.

Related Happenings

PAN-OS User-ID Authentication Portal buffer overflow actively exploited security flaw (CVE-2026-0300)

Vulnerability
First: 06.05.2026 07:46 Last: 06.05.2026 07:46 Sources 1

About this happening: A **PAN-OS** **buffer overflow** in the **User-ID Authentication Portal** is being **actively exploited**, creating **unauthenticated root RCE** risk for **PA and VM series firewa...

Palo Alto Networks PAN-OS CVE-2026-0300 patch release

Security Patch Release
First: 06.05.2026 07:46 Last: 06.05.2026 07:46 Sources 1

About this happening: Palo Alto Networks is rolling out **patches** for **CVE-2026-0300**, a **critical PAN-OS zero-day** that has already been **exploited in the wild** against **PA and VM series fire...

Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices

Target Trend
First: 15.04.2026 12:30 Last: 15.04.2026 12:30 Sources 1

About this happening: A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...

Forest Blizzard DNS hijacking token-theft campaign against older routers

Campaign
First: 07.04.2026 20:02 Last: 07.04.2026 20:02 Sources 1

About this happening: Russia-backed **Forest Blizzard** is running a **DNS hijacking campaign** against older routers to steal **Microsoft Office** authentication tokens, putting accounts at risk acros...

2025 Rise in legitimate-access intrusions across enterprise sectors

Target Trend
First: 01.04.2026 17:05 Last: 01.04.2026 17:05 Sources 1

About this happening: **Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...

Timeline

  1. 06.10.2025 13:00 4 articles · 7mo ago

    Palo Alto Networks login portal scanning surges to about 1,300 IPs

    Campaign Scope Update

    GreyNoise observed about 1,300 IP addresses targeting Palo Alto Networks login portals on October 3, 2025, a 500% increase over the prior 90-day baseline of roughly 200 IPs. The activity was described as targeted and likely derived from public or attacker-originated scans, with most sources located in the US and smaller clusters in the UK, Netherlands, Canada, and Russia.

  2. 06.10.2025 13:00 1 article · 7mo ago

    GreyNoise links Palo Alto login scanning to broader remote-access scanning

    Initial Disclosure

    GreyNoise said the Palo Alto Networks login scanning surge shared regional clustering and TLS fingerprint overlap with Cisco ASA scanning seen in the past 48 hours, and noted increased scanning of SonicWall, Ivanti, and Pulse Secure remote access services. The firm also said it would keep monitoring for any new Palo Alto disclosure while treating the activity as a targeted signal rather than proof of a single operator.