Forty-Fold Spike in Probing Targets Palo Alto GlobalProtect Login Portals
GreyNoise has recorded a dramatic surge in automated requests targeting Palo Alto Networks’ GlobalProtect authentication portals. The scale of this spike is highly atypical: within just 24 hours, the volume of network sessions hitting */global-protect/login.esp grew fortyfold. Analysts view this escalation as a sign of a new coordinated campaign linked to operators who have previously shown interest in exploiting these VPN gateways.
The activity began rising on November 14 and, within only a few days, reached its highest point in three months. According to GreyNoise, the automated traffic largely originates from the IP ranges of Autonomous System AS200373 (3xK Tech GmbH), which accounts for 62% of all observed addresses, most of them located in Germany. Another 15% of the IPs are traced to Canada. A portion of the traffic is associated with AS208885 (Noyobzoda Faridduni Saidilhom), aligning with patterns seen in earlier waves of similar scans.
The mechanics of the requests indicate an attempt at large-scale probing of the availability and configuration of the GlobalProtect login interface, which users rely on to authenticate into protected Palo Alto Networks gateways. Between November 14 and 19, GreyNoise registered 2.3 million such sessions, distributed almost evenly across the United States, Mexico, and Pakistan. Based on the collected TCP/JA4t fingerprints and the repeated use of the same hosting providers, the campaign correlates with scanning events from April and October, during which the number of active scanning nodes first surged by 500% and later peaked at 24,000 hosts.
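An added example, not code from GreyNoise or from this article, of the defender-side check such a report calls for: count per-day requests to the GlobalProtect login path in a gateway or reverse-proxy access log and flag any day whose volume reaches a chosen multiple of the trailing baseline. The log format, IP addresses and dates are constructed, and the factor of 40 is simply the ratio the article reports, used here as the threshold.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common-log-format fields we need: source IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The probed path from the article; the leading wildcard in "*/global-protect/login.esp"
# is modelled by allowing any prefix (e.g. a path-rewriting proxy in front of the portal).
PORTAL_RE = re.compile(r'/global-protect/login\.esp(?:\?.*)?$')

def parse_line(line):
    """Return the fields we care about, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'day': ts.date(), 'path': m.group('path')}

def daily_portal_counts(lines):
    """Per-day hit count on the login portal path, plus the distinct source IPs per day."""
    counts, sources = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if PORTAL_RE.search(rec['path']):
            counts[rec['day']] += 1
            sources[rec['day']].add(rec['ip'])
    return counts, sources

def spike_days(counts, baseline_days=3, factor=40):
    """Days whose count is >= factor x the mean of the preceding baseline_days (zero-filled)."""
    if not counts:
        return []
    first, last = min(counts), max(counts)
    days = [first + timedelta(n) for n in range((last - first).days + 1)]
    flagged = []
    for i in range(baseline_days, len(days)):
        baseline = sum(counts.get(p, 0) for p in days[i - baseline_days:i]) / baseline_days
        today = counts.get(days[i], 0)
        ratio = today / baseline if baseline else (float('inf') if today else 0.0)
        if ratio >= factor:
            flagged.append((days[i], ratio))
    return flagged

def constructed_log():
    """Constructed sample: three quiet days (2 portal hits each), then 80 hits from 80 IPs."""
    lines = []
    for day in (11, 12, 13):
        for n in range(2):
            lines.append(f'192.0.2.{n + 1} - - [{day}/Nov/2025:09:0{n}:00 +0000] '
                         f'"GET /global-protect/login.esp HTTP/1.1" 200 4096')
        lines.append(f'192.0.2.9 - - [{day}/Nov/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 10')
    for n in range(80):
        lines.append(f'203.0.113.{n + 1} - - [14/Nov/2025:03:{n % 60:02d}:00 +0000] '
                     f'"GET /global-protect/login.esp HTTP/1.1" 200 4096')
    return lines
```

On the constructed log, `spike_days` flags 14 November with a ratio of exactly 40 against the three prior days; the distinct-source set per day is what you would enrich with ASN data to reproduce the AS200373-style attribution.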
GreyNoise again underscores that these spikes are rarely the result of random automation errors. Far more often, they serve as a precursor to the discovery of a new security flaw. GreyNoise's data shows that in 80% of cases, such activity precedes the publication of fresh vulnerabilities — a trend particularly pronounced for Palo Alto Networks products.
Over the past year, this product line has already been subject to confirmed exploitation. In February, attackers leveraged CVE-2025-0108, followed by a chained abuse of CVE-2025-0111 and CVE-2024-9474 to bypass protective mechanisms. Later in the year, the company disclosed a breach of internal support systems: the threat group ShinyHunters accessed customer data and support interactions as part of the Salesloft Drift incident.
Against this backdrop, the latest scan wave is viewed by analysts as a potential signal of an impending vulnerability disclosure — or an effort to identify exploitable configurations in advance for use in future attacks.