Palo Alto Networks Portals Experience 500% Surge in Scanning Activity Overnight


Surge in Scanning Activity Targeting Palo Alto Networks: A Closer Look

Significant Increase in Scanning Attempts

On October 3, 2025, GreyNoise, a prominent threat intelligence firm, reported a staggering increase in scanning activities focused on Palo Alto Networks’ login portals. This surge represents nearly a 500% rise in unique IP addresses probing these portals, making it the highest level observed in the past three months. The firm identified around 1,300 distinct IP addresses engaged in this activity, a significant leap from just 200 addresses registered earlier.

Analysis of Malicious and Suspicious IPs

Breaking the data down further, 93% of these IPs are classified as suspicious and 7% as malicious. The addresses originate predominantly in the United States, with smaller clusters in the United Kingdom, the Netherlands, Canada, and Russia. This distribution raises questions about who is behind the scans and what they are after.

Similarities with Recent Cisco ASA Activity

GreyNoise drew parallels between this escalation and the scanning aimed at Cisco Adaptive Security Appliance (ASA) devices over the preceding 48 hours. The two campaigns share notable characteristics, including regional clustering and overlapping fingerprints of the tooling in use. In particular, a substantial share of both the Palo Alto and Cisco ASA scanning traffic carried the same TLS fingerprint, which GreyNoise associated with infrastructure based in the Netherlands.

Historical Context and Customer Advisory

Previously, in April 2025, GreyNoise had reported suspicious scanning aimed at Palo Alto Networks’ PAN-OS GlobalProtect gateways. In response, Palo Alto Networks advised its customers to keep their systems updated with the latest software versions to mitigate risk. That advice remains pertinent given the current spike in activity.

Correlation with Vulnerability Disclosures

This surge in scanning aligns with findings in GreyNoise’s Early Warning Signals report from July 2025. The report observed that spikes in malicious scanning or brute-force attempts against a given technology often precede, by up to six weeks, the public disclosure of new Common Vulnerabilities and Exposures (CVEs) affecting that same technology. This predictive signal underscores the need for vigilance in monitoring and patching.
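The figures above (unique probing IPs per day, compared against a recent baseline) are exactly the kind of early-warning metric a defender can compute from their own portal access logs. The following is an added example, not code from GreyNoise or Palo Alto Networks: it parses constructed, simplified log lines, counts distinct source IPs per day that requested the login portal path, and flags any day that exceeds a multiple of the trailing baseline. The log format, the portal path and the sample addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Assumed portal path and simplified log layout: "YYYY-MM-DD src_ip path status".
LOGIN_PATH = "/global-protect/login.esp"
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<src>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def unique_sources_per_day(lines, path=LOGIN_PATH):
    """Map each day to the set of distinct source IPs that requested the portal path."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("path") != path:
            continue  # malformed line or a request to some other path
        per_day[m.group("day")].add(m.group("src"))
    return per_day


def surge_days(per_day, window=3, ratio=5.0):
    """Return (day, unique_ips, baseline) for days where unique IPs reach `ratio`
    times the mean of the previous `window` days (a 500% rise is ratio 5.0)."""
    days = sorted(per_day)
    flagged = []
    for i in range(window, len(days)):
        baseline = sum(len(per_day[d]) for d in days[i - window:i]) / window
        today = len(per_day[days[i]])
        if baseline > 0 and today / baseline >= ratio:
            flagged.append((days[i], today, baseline))
    return flagged


def constructed_log(counts):
    """Build synthetic log lines (constructed, not real traffic): counts maps day -> distinct IPs."""
    lines = []
    for day, n in counts.items():
        for k in range(n):
            src = IPv4Address(int(IPv4Address("10.0.0.0")) + k)  # private range, constructed
            lines.append(f"{day} {src} {LOGIN_PATH} 200")
            lines.append(f"{day} {src} {LOGIN_PATH} 401")  # repeat hit from the same IP must not inflate the count
    lines.append(f"{day} 10.9.9.9 /healthz 200")  # unrelated path, must be ignored
    return lines


# Three quiet days of roughly 200 unique IPs, then a day matching the reported ~1,300.
SAMPLE = constructed_log({"2025-09-30": 200, "2025-10-01": 210, "2025-10-02": 190, "2025-10-03": 1300})

if __name__ == "__main__":
    for day, n, base in surge_days(unique_sources_per_day(SAMPLE)):
        print(f"{day}: {n} unique IPs vs baseline {base:.0f} (x{n / base:.1f})")
```

On real logs the same counting should be split by portal hostname and fed into alerting, so that a flagged day triggers a patch-status review rather than just a printout.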

Recent Cisco ASA Vulnerabilities

Back in early September, GreyNoise had alerted the cybersecurity community about scans targeting Cisco ASA devices, dating back to late August. This initial wave comprised over 25,100 IP addresses, primarily from Brazil, Argentina, and the United States. Following these suspicious activities, Cisco later disclosed two new zero-day vulnerabilities in its ASA systems—CVE-2025-20333 and CVE-2025-20362—that have been exploited in real-world attacks.

Current Threat Landscape

Recent data from the Shadowserver Foundation highlights a pressing issue: over 45,000 Cisco ASA/FTD instances remain vulnerable, with more than 20,000 located in the United States and about 14,000 in Europe. The persistence of these vulnerabilities emphasizes the importance of proactive security measures among organizations that rely on Palo Alto Networks and Cisco products.

Final Thoughts

With this recent uptick in scanning targeting Palo Alto Networks, organizations must remain alert and ensure their systems are not only up to date but also closely monitored for any suspicious activity. As cybersecurity threats evolve, so must the strategies to combat them, reinforcing the need for robust security protocols and awareness.
