Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign
Campaign
Summary
A credential-based campaign is hitting Palo Alto GlobalProtect portals and SonicWall SonicOS API endpoints, creating broad reconnaissance risk across remote-access and firewall-management surfaces. The activity began on December 2 and involved more than 7,000 source IPs from infrastructure operated by 3xK GmbH. Related probing generated over 9 million non-spoofable HTTP sessions, and the same fingerprints were also seen in mid-November and on December 3. Palo Alto Networks said the traffic reflects credential-based attacks rather than a software exploit, and defenders were urged to enforce MFA and monitor repeated login failures.
Related Happenings
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
Vulnerability
First: 21.05.2026 00:19
Last: 21.05.2026 00:19
Sources 1
About this happening:
Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
PAN-OS User-ID Authentication Portal buffer overflow actively exploited security flaw (CVE-2026-0300)
Vulnerability
First: 06.05.2026 07:46
Last: 06.05.2026 07:46
Sources 1
About this happening:
A **PAN-OS** **buffer overflow** in the **User-ID Authentication Portal** is being **actively exploited**, creating **unauthenticated root RCE** risk for **PA and VM series firewa...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
Target Trend
First: 15.04.2026 12:30
Last: 15.04.2026 12:30
Sources 1
About this happening:
A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Target Trend
First: 02.04.2026 18:21
Last: 02.04.2026 18:21
Sources 1
About this happening:
Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Publicly exposed training apps as recurring cloud-entry risk across security vendors
Target Trend
First: 21.01.2026 16:00
Last: 21.01.2026 16:00
Sources 1
About this happening:
**Cybersecurity training apps** left exposed on the public Internet are creating a recurring **cloud-entry risk** for **security vendors and enterprise users**. A scan identified...
Timeline
- 06.12.2025 17:18
  Campaign begins with GlobalProtect login attempts
  Initial Disclosure: Palo Alto GlobalProtect portals were targeted on December 2, 2025 with brute-force and login attempts from more than 7,000 IP addresses tied to infrastructure operated by 3xK GmbH, a German hosting provider (AS200373).
  Sources:
  - New wave of VPN login attempts targets Palo Alto GlobalProtect portals — www.bleepingcomputer.com — 06.12.2025 17:18
- 06.12.2025 17:18
  December 3 SonicOS API scanning extends the campaign
  Campaign Scope Update: On December 3, 2025 the same three client fingerprints were seen in scanning activity targeting SonicWall SonicOS API endpoints, extending the activity from GlobalProtect login attempts into reconnaissance of firewall management and monitoring interfaces.
  Sources:
  - New wave of VPN login attempts targets Palo Alto GlobalProtect portals — www.bleepingcomputer.com — 06.12.2025 17:18
  - New password spraying attacks target Cisco, PAN VPN gateways — www.bleepingcomputer.com — 18.12.2025 19:27
- 06.12.2025 17:18
  Palo Alto Networks confirms credential-based attacks and recommends MFA
  Technical Analysis Update: Palo Alto Networks said it detected increased scanning aimed at GlobalProtect interfaces and described the activity as credential-based attacks rather than an exploit of a software vulnerability. It said internal telemetry and Cortex XSIAM protection did not indicate compromise of its products or services, and it recommended Multi-Factor Authentication (MFA) to reduce credential abuse.
  Sources:
  - New wave of VPN login attempts targets Palo Alto GlobalProtect portals — www.bleepingcomputer.com — 06.12.2025 17:18