Cisco SSL VPN and GlobalProtect credential-probing campaign
Campaign
Summary
Hide ▲
Show ▼
A coordinated credential-based campaign is now probing Cisco SSL VPN and Palo Alto Networks GlobalProtect portals at scale, raising the risk of unauthorized access attempts across enterprise VPN infrastructure. The activity used common username and password combinations and was observed on December 11-12, 2025. More than 10,000 unique IPs were involved against GlobalProtect, while 1,273 IP addresses hit Cisco SSL VPN endpoints. The consistent timing and infrastructure suggest a single campaign pivoting across multiple VPN platforms.
Related Happenings
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation Wave
H score47
First: 08.06.2026 17:17
Last: 08.06.2026 17:17
Sources 1
About this happening:
**CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
Vulnerability
H score47
First: 08.06.2026 16:05
Last: 08.06.2026 16:05
Sources 1
About this happening:
**Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
VulnerabilityAbout this happening: **Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...
First VPN Service as criminal VPN infrastructure for ransomware and fraud operators
Threat Actor Meta
H score18
First: 22.05.2026 20:35
Last: 22.05.2026 20:35
Sources 1
About this happening:
**First VPN Service** functioned as a criminal VPN layer that let ransomware, fraud, and data theft operators hide their identities, expanding the reach and resilience of undergro...
First VPN Service as criminal VPN infrastructure for ransomware and fraud operators
Threat Actor MetaAbout this happening: **First VPN Service** functioned as a criminal VPN layer that let ransomware, fraud, and data theft operators hide their identities, expanding the reach and resilience of undergro...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector ActionAbout this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Trend
H score30
First: 02.04.2026 18:21
Last: 02.04.2026 18:21
Sources 1
About this happening:
Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
TrendAbout this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Timeline
-
18.12.2025 06:10 1 articles · 6mo ago
GlobalProtect portals probed with automated logins
Campaign Scope UpdateMore than 10,000 unique IPs attempted automated logins against exposed or weakly protected Palo Alto Networks GlobalProtect portals in the U.S., Pakistan, and Mexico using common username and password combinations.
Show sources
- Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances — thehackernews.com — 18.12.2025 06:10
-
18.12.2025 06:10 1 articles · 6mo ago
Cisco SSL VPN endpoints hit by brute-force attempts
Campaign Scope UpdateCisco SSL VPN endpoints saw a similar spike in opportunistic brute-force login attempts on 1,273 source IP addresses, with GreyNoise assessing the activity as large-scale scripted credential probing rather than vulnerability exploitation.
Show sources
- Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances — thehackernews.com — 18.12.2025 06:10
-
18.12.2025 06:10 2 articles · 6mo ago
GreyNoise discloses multi-platform VPN credential-probing campaign
Initial DisclosureGreyNoise disclosed a coordinated, automated credential-based campaign aimed at enterprise VPN authentication infrastructure, specifically probing exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals, and said consistent infrastructure usage and timing indicated a single campaign pivoting across multiple VPN platforms.
Show sources
- Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances — thehackernews.com — 18.12.2025 06:10
- Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances — thehackernews.com — 18.12.2025 06:10