Find notable cyber news and cases, enriched with sources, timelines, and signals.

Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 2 articles

Summary

Hide ▲

A credential-based campaign is hitting Palo Alto GlobalProtect portals and SonicWall SonicOS API endpoints, creating broad reconnaissance risk across remote-access and firewall-management surfaces. The activity began on December 2 and involved more than 7,000 source IPs from infrastructure operated by 3xK GmbH. Related probing generated over 9 million non-spoofable HTTP sessions, and the same fingerprints were also seen in mid-November and on December 3. Palo Alto Networks said the traffic reflects credential-based attacks rather than a software exploit, and defenders were urged to enforce MFA and monitor repeated login failures.

Related Happenings

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)

Vulnerability
H score50 First: 21.05.2026 00:19 Last: 21.05.2026 00:19 Sources 1

About this happening: Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...

PAN-OS User-ID Authentication Portal buffer overflow actively exploited security flaw (CVE-2026-0300)

Vulnerability
H score67 First: 06.05.2026 07:46 Last: 06.05.2026 07:46 Sources 1

About this happening: A **PAN-OS** **buffer overflow** in the **User-ID Authentication Portal** is being **actively exploited**, creating **unauthenticated root RCE** risk for **PA and VM series firewa...

Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices

Trend
H score34 First: 15.04.2026 12:30 Last: 15.04.2026 12:30 Sources 1

About this happening: A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Trend
H score30 First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Timeline

  1. 06.12.2025 17:18 1 articles · 7mo ago

    Campaign begins with GlobalProtect login attempts

    Initial Disclosure

    Palo Alto GlobalProtect portals were targeted on December 2, 2025 with bruteforce and login attempts from more than 7,000 IP addresses tied to infrastructure operated by 3xK GmbH, a German hosting provider with AS200373.

    Show sources
  2. 06.12.2025 17:18 3 articles · 7mo ago

    December 3 SonicOS API scanning extends the campaign

    Campaign Scope Update

    On December 3, 2025 the same three client fingerprints were seen in scanning activity targeting SonicWall SonicOS API endpoints, extending the activity from GlobalProtect login attempts into reconnaissance of firewall management and monitoring interfaces.

    Show sources
  3. 06.12.2025 17:18 1 articles · 7mo ago

    Palo Alto Networks confirms credential-based attacks and recommends MFA

    Technical Analysis Update

    Palo Alto Networks said it detected increased scanning aimed at GlobalProtect interfaces, described the activity as credential-based attacks rather than an exploit of a software vulnerability, said internal telemetry and Cortex XSIAM protection did not indicate compromise of its products or services, and recommended Multi-Factor Authentication (MFA) to reduce credential abuse.

    Show sources