Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign
Campaign
Summary
Hide ▲
Show ▼
A credential-based campaign is hitting Palo Alto GlobalProtect portals and SonicWall SonicOS API endpoints, creating broad reconnaissance risk across remote-access and firewall-management surfaces. The activity began on December 2 and involved more than 7,000 source IPs from infrastructure operated by 3xK GmbH. Related probing generated over 9 million non-spoofable HTTP sessions, and the same fingerprints were also seen in mid-November and on December 3. Palo Alto Networks said the traffic reflects credential-based attacks rather than a software exploit, and defenders were urged to enforce MFA and monitor repeated login failures.
Related Happenings
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
About this happening:
Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationAbout this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
Vulnerability
H score50
First: 21.05.2026 00:19
Last: 21.05.2026 00:19
Sources 1
About this happening:
Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
VulnerabilityAbout this happening: Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
PAN-OS User-ID Authentication Portal buffer overflow actively exploited security flaw (CVE-2026-0300)
Vulnerability
H score67
First: 06.05.2026 07:46
Last: 06.05.2026 07:46
Sources 1
About this happening:
A **PAN-OS** **buffer overflow** in the **User-ID Authentication Portal** is being **actively exploited**, creating **unauthenticated root RCE** risk for **PA and VM series firewa...
PAN-OS User-ID Authentication Portal buffer overflow actively exploited security flaw (CVE-2026-0300)
VulnerabilityAbout this happening: A **PAN-OS** **buffer overflow** in the **User-ID Authentication Portal** is being **actively exploited**, creating **unauthenticated root RCE** risk for **PA and VM series firewa...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
Trend
H score34
First: 15.04.2026 12:30
Last: 15.04.2026 12:30
Sources 1
About this happening:
A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
TrendAbout this happening: A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Trend
H score30
First: 02.04.2026 18:21
Last: 02.04.2026 18:21
Sources 1
About this happening:
Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
TrendAbout this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Timeline
-
06.12.2025 17:18 1 articles · 7mo ago
Campaign begins with GlobalProtect login attempts
Initial DisclosurePalo Alto GlobalProtect portals were targeted on December 2, 2025 with bruteforce and login attempts from more than 7,000 IP addresses tied to infrastructure operated by 3xK GmbH, a German hosting provider with AS200373.
Show sources
- New wave of VPN login attempts targets Palo Alto GlobalProtect portals — www.bleepingcomputer.com — 06.12.2025 17:18
-
06.12.2025 17:18 3 articles · 7mo ago
December 3 SonicOS API scanning extends the campaign
Campaign Scope UpdateOn December 3, 2025 the same three client fingerprints were seen in scanning activity targeting SonicWall SonicOS API endpoints, extending the activity from GlobalProtect login attempts into reconnaissance of firewall management and monitoring interfaces.
Show sources
- New wave of VPN login attempts targets Palo Alto GlobalProtect portals — www.bleepingcomputer.com — 06.12.2025 17:18
- New wave of VPN login attempts targets Palo Alto GlobalProtect portals — www.bleepingcomputer.com — 06.12.2025 17:18
- New password spraying attacks target Cisco, PAN VPN gateways — www.bleepingcomputer.com — 18.12.2025 19:27
-
06.12.2025 17:18 1 articles · 7mo ago
Palo Alto Networks confirms credential-based attacks and recommends MFA
Technical Analysis UpdatePalo Alto Networks said it detected increased scanning aimed at GlobalProtect interfaces, described the activity as credential-based attacks rather than an exploit of a software vulnerability, said internal telemetry and Cortex XSIAM protection did not indicate compromise of its products or services, and recommended Multi-Factor Authentication (MFA) to reduce credential abuse.
Show sources
- New wave of VPN login attempts targets Palo Alto GlobalProtect portals — www.bleepingcomputer.com — 06.12.2025 17:18