Surge in Suspicious Scanning Targets Palo Alto GlobalProtect Gateways

Cybersecurity researchers have detected a significant increase in login scanning activity aimed at Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting access.

According to threat intelligence firm GreyNoise, the pattern indicates a coordinated effort to probe network defenses, likely as preparation for future exploitation. The activity began on March 17, 2025, peaking at 23,958 unique IP addresses per day before declining on March 26. Although most of the traffic appears to be reconnaissance, 154 IP addresses have been flagged as malicious.

Global Scanning Trends and Possible Threats

The highest volume of scanning activity originated from the U.S. and Canada, followed by Finland, the Netherlands, and Russia. The primary targets were systems in the U.S., U.K., Ireland, Russia, and Singapore.

While the exact motive remains unclear, researchers believe the activity is part of a systematic approach to testing network defenses, possibly leading to future attacks.

Industry-Wide Probing on the Rise

GreyNoise researchers have noted a pattern of attackers targeting older vulnerabilities and commonly used exploits, often preceding the discovery of new security flaws by 2 to 4 weeks. This raises concerns about a potential new wave of exploitation attempts in the near future.

Following the GlobalProtect scans, GreyNoise observed a similar spike in activity targeting other edge devices from vendors like F5, Ivanti, Linksys, SonicWall, Zoho ManageEngine, and Zyxel starting on March 28, 2025.

Palo Alto Networks Responds

Palo Alto Networks acknowledged the reported activity and assured customers that its security teams are actively monitoring the situation. The company urged all users to ensure their systems are running the latest version of PAN-OS and to follow best security practices.

Mitigation and Defense Strategies

To protect against potential threats, organizations with internet-facing GlobalProtect instances should:
Ensure all software is updated with the latest security patches.
Monitor network traffic for unusual login attempts or anomalies.
Block malicious IP addresses flagged in the scans.
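
One way to apply the monitoring step to the metric reported above (unique source IPs per day hitting the portal) is sketched below; it is an added example, not code from GreyNoise or Palo Alto Networks. The record layout, thresholds and function names are assumptions, and the sample events are constructed using documentation IP ranges.

```python
import ipaddress
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed login events (day, source IP, result); not a real PAN-OS log format."""
    events = []
    for day in range(10, 15):                 # quiet baseline: 3 sources per day
        for host in range(1, 4):
            events.append((f"2025-03-{day}", f"192.0.2.{host}", "success"))
    for host in range(1, 41):                 # surge day: 40 new sources, all failing
        events.append(("2025-03-15", f"198.51.100.{host}", "failure"))
    events.append(("2025-03-15", "192.0.2.1", "success"))
    return events

def daily_unique_sources(events):
    """Count distinct source addresses per day (ip_address() rejects malformed input)."""
    per_day = defaultdict(set)
    for day, src, _ in events:
        per_day[day].add(ipaddress.ip_address(src))
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}

def surge_days(counts, window=5, factor=3.0, min_sources=10):
    """Flag days whose unique-source count exceeds factor x the median of the prior window."""
    days = list(counts)
    flagged = []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[max(0, i - window):i]]
        if len(history) < window:
            continue                          # not enough baseline yet
        baseline = median(history)
        if counts[day] >= min_sources and counts[day] > factor * baseline:
            flagged.append((day, counts[day], baseline))
    return flagged

def failure_only_sources(events, day):
    """Sources that only failed on a day: review against threat intel before blocking."""
    ok = {src for d, src, res in events if d == day and res == "success"}
    bad = {src for d, src, res in events if d == day and res == "failure"}
    return sorted(bad - ok, key=ipaddress.ip_address)

if __name__ == "__main__":
    sample = build_sample()
    for day, count, baseline in surge_days(daily_unique_sources(sample)):
        suspects = failure_only_sources(sample, day)
        print(f"{day}: {count} unique sources (baseline {baseline}), "
              f"{len(suspects)} failure-only sources to review")
```

Days with no events are absent from the counts, so the baseline window covers the previous five days that have data rather than five calendar days.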

As threat actors continue ramping up reconnaissance efforts, staying proactive in patching and monitoring is crucial to preventing future breaches.