Nearly 24,000 IPs behind wave of Palo Alto Global Protect scans

by CybrGPT

A significant spike in scanning activity targeting Palo Alto Networks GlobalProtect login portals has been observed, and researchers are concerned it may be a prelude to an upcoming attack or to the exploitation of a flaw.

According to GreyNoise, which reported the activity, the scanning involved over 24,000 unique source IP addresses. It peaked at 20,000 unique IP addresses per day on March 17, 2025, and continued at this scale until March 26.

Of those IPs, 23,800 are classified as “suspicious,” while 154 were validated by the threat monitoring firm as “malicious,” leaving little doubt about the activity’s true intentions.

Most of the scanning attempts originate from the United States and Canada. Most targeted systems are based in the United States, though other countries are targeted too.

[Figure: Observed scanning activity. Source: GreyNoise]

GreyNoise noted that in the past, such spikes in network scanning have been linked to preparatory reconnaissance, which was eventually followed by the disclosure of flaws two to four weeks later.

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” states Bob Rudis, VP of Data Science at GreyNoise.

“These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”

GreyNoise underlined the consistency in how the scanning activity is performed, suggesting that it could be part of an effort to test network defenses before attempting targeted exploitation.

The researchers have also found a link to another activity they have been observing recently, concerning a PAN-OS crawler that also spiked on March 26, 2025, involving 2,580 IPs in its scans.

GreyNoise noted that the activity is reminiscent of the espionage campaign that Cisco Talos attributed to the ‘ArcaneDoor’ hackers roughly a year ago, which targeted edge devices.

At this time, the exact nature and goals of this large-scale activity remain unclear, but the takeaway for administrators of internet-exposed Palo Alto Networks systems is to raise their vigilance against probing and potential exploitation attempts.

GreyNoise recommends reviewing logs going back to mid-March to determine whether you have been targeted, hunting for signs of compromise, hardening login portals, and blocking the known malicious IPs shared in its report.
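One way to act on that advice, as an added example that is not from GreyNoise or the article: the script below counts distinct source IPs per day in exported portal login logs from mid-March onward, compares each day with the highest pre-window day as a baseline, and checks sources against a blocklist. The log line layout, IP addresses and blocklist are constructed for the example and are not the PAN-OS log format; adapt LINE_RE to the fields of your own export.

```python
"""Triage portal login logs for a scanning spike and blocklisted sources."""
import re
from collections import defaultdict

# Constructed sample log: "<YYYY-MM-DD> <source_ip> <result>" per login attempt.
# Not the real PAN-OS format; the regex below is the only part tied to it.
SAMPLE_LOG = """\
2025-03-10 203.0.113.5 failure
2025-03-10 198.51.100.7 failure
2025-03-17 203.0.113.5 failure
2025-03-17 203.0.113.6 failure
2025-03-17 203.0.113.7 failure
2025-03-17 203.0.113.8 failure
2025-03-17 203.0.113.9 failure
2025-03-17 198.51.100.9 failure
2025-03-17 198.51.100.9 failure
2025-03-17 198.51.100.10 failure
2025-03-18 203.0.113.8 failure
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\w+)$")


def unique_sources_per_day(log_text, since, until=None):
    """Distinct source IPs per ISO day for since <= day < until (until=None: open).

    ISO dates compare correctly as strings, so no datetime parsing is needed.
    Malformed lines are skipped instead of aborting the whole run.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, src = m.group(1), m.group(2)
        if day >= since and (until is None or day < until):
            seen[day].add(src)
    return {d: len(ips) for d, ips in sorted(seen.items())}


def flag_spikes(per_day, baseline, factor=2):
    """Days whose distinct-source count exceeds factor * baseline."""
    return [d for d, n in per_day.items() if n > baseline * factor]


def blocklist_hits(log_text, blocklist):
    """Sorted source IPs from the log that also appear on the blocklist."""
    hits = {m.group(2) for m in map(LINE_RE.match, log_text.splitlines())
            if m and m.group(2) in blocklist}
    return sorted(hits)


if __name__ == "__main__":
    pre = unique_sources_per_day(SAMPLE_LOG, "2025-03-01", "2025-03-15")
    post = unique_sources_per_day(SAMPLE_LOG, "2025-03-15")
    base = max(pre.values(), default=0)
    print("spike days:", flag_spikes(post, base))
    print("blocklist hits:", blocklist_hits(SAMPLE_LOG, {"203.0.113.5"}))
```

Feed it the real export and the IP list from the GreyNoise report in place of the constructed values; the blocklist check is the quickest way to confirm whether any of the reported sources reached your portal.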

BleepingComputer contacted Palo Alto Networks for comment on the activity GreyNoise observed, and a spokesperson sent the following statement:

“The security of our customers is always our top priority. Palo Alto Networks is aware of a recent blog posted by GreyNoise regarding scanning activity targeting PAN-OS GlobalProtect portals.”

“Our teams are actively monitoring this situation and analyzing the reported activity to determine its potential impact and identify if mitigations are necessary.”

“We encourage all customers to follow the best practice of running the latest versions of PAN-OS.”



© 2025 cybrgpt.com – All rights reserved.