
GlobalProtect VPN Portals Hit by 2.3 Million Cyber Scans

Summary

– Malicious scanning of Palo Alto Networks GlobalProtect VPN portals surged 40 times in 24 hours, reaching a 90-day high starting November 14, 2025.
– GreyNoise attributes this activity to coordinated campaigns based on recurring technical fingerprints, ASN reuse, and timing alignment with previous attacks.
– The primary autonomous systems involved are AS200373 (62% German IPs) and AS208885, targeting the */global-protect/login.esp URI with 2.3 million sessions.
– Login attempts primarily targeted the United States, Mexico, and Pakistan, with scanning spikes typically preceding new security flaw disclosures in 80% of cases.
– This follows earlier 2025 incidents including October’s 500% scanning increase and February’s exploitation of CVEs, plus a September Palo Alto data breach.

A dramatic and coordinated surge in malicious scanning has struck Palo Alto Networks GlobalProtect VPN portals, with activity levels skyrocketing fortyfold within a single day. This aggressive campaign, which began on November 14, 2025, represents the highest volume of cyber scans observed in the past ninety days. Real-time threat intelligence firm GreyNoise first detected the rapid escalation, noting that the number of scanning sessions targeting these critical remote access gateways reached an alarming 2.3 million over a five-day period.

The primary target of these scans is the specific web endpoint “*/global-protect/login.esp,” which is the authentication page for users connecting to a VPN through a Palo Alto Networks firewall. GreyNoise emphasizes that these are not random failed attempts but malicious probes that organizations should actively block and monitor. Historical data reveals a troubling pattern: such scanning spikes are frequently a precursor to the public disclosure of new security vulnerabilities, a correlation that is particularly strong for Palo Alto Networks products.
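As an added example (not code from the report, GreyNoise, or Palo Alto Networks), the kind of defender-side check the paragraph above calls for, run over constructed web-server log lines: it counts requests to the `*/global-protect/login.esp` endpoint per source IP, compares the day's volume to a trailing baseline (the report's surge was 40x), and flags sources in the two ASNs the report names. The log format, the IP-to-ASN map, and the `min_hits` threshold are assumptions.

```python
import re
from collections import Counter

# Constructed access-log sample (not real traffic); assumed format:
# "<client_ip> <ISO-8601 time> <method> <path> <status>"
SAMPLE_LOGS = """\
203.0.113.10 2025-11-14T03:12:01Z GET /global-protect/login.esp 200
203.0.113.10 2025-11-14T03:12:02Z GET /global-protect/login.esp 200
203.0.113.10 2025-11-14T03:12:03Z GET /global-protect/login.esp 200
203.0.113.11 2025-11-14T03:12:05Z GET /global-protect/login.esp 200
198.51.100.8 2025-11-14T03:14:00Z POST /global-protect/login.esp 302
198.51.100.9 2025-11-14T03:14:30Z GET /global-protect/portal/css/login.css 200
"""

# Constructed IP-to-ASN map standing in for a real ASN lookup database.
IP_TO_ASN = {
    "203.0.113.10": "AS200373",  # ASN named in the GreyNoise report
    "203.0.113.11": "AS208885",  # ASN named in the GreyNoise report
    "198.51.100.8": "AS64496",   # placeholder ASN for an ordinary user
}
# ASNs the report attributes the campaign to, used here as a watchlist.
WATCH_ASNS = frozenset({"AS200373", "AS208885"})

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
# The report's indicator is "*/global-protect/login.esp": any prefix, exact file name.
LOGIN_RE = re.compile(r"^.*/global-protect/login\.esp$")

def count_login_probes(log_text: str) -> Counter:
    """Requests per client IP that hit the GlobalProtect login endpoint."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and LOGIN_RE.match(m["path"]):
            hits[m["ip"]] += 1
    return hits

def surge_factor(hits: Counter, baseline_daily: float) -> float:
    """Today's login.esp volume divided by the trailing daily baseline (report: 40x)."""
    return sum(hits.values()) / baseline_daily if baseline_daily > 0 else float("inf")

def flag_sources(hits: Counter, ip_to_asn: dict, min_hits: int = 3) -> dict:
    """Flag IPs in watched ASNs at any volume, and any other IP at or above min_hits."""
    flagged = {}
    for ip, n in hits.items():
        asn = ip_to_asn.get(ip, "unknown")
        if asn in WATCH_ASNS:
            flagged[ip] = f"{n} probes from watched {asn}"
        elif n >= min_hits:
            flagged[ip] = f"{n} probes from {asn}"
    return flagged
```

Feeding real access logs and an ASN database in place of the constructed sample turns `flag_sources` into a block list candidate and `surge_factor` into an alert condition.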

This recent wave of activity is not an isolated incident. GreyNoise assesses with high confidence that it is connected to earlier campaigns, citing recurring technical fingerprints, the reuse of specific Autonomous System Numbers (ASNs), and the synchronized timing of the activity surges. The primary network infrastructure used in these attacks is linked to AS200373 (3xK Tech GmbH), with a majority of the involved IP addresses geolocated to Germany. A secondary network, AS208885 (Noyobzoda Faridduni Saidilhom), is also implicated in the malicious scanning.

The login attempts themselves have been primarily directed at organizations in the United States, Mexico, and Pakistan, with relatively even distribution across these countries. This follows a trend observed earlier in the year. In early October, GreyNoise reported a 500% increase in IP addresses scanning GlobalProtect and PAN-OS profiles, with an overwhelming 91% classified as suspicious. A similar spike occurred in April 2025, involving 24,000 IP addresses.

The context for this heightened scanning activity is a year marked by significant security challenges for Palo Alto Networks. In February, attackers actively exploited a series of vulnerabilities, including CVE-2025-0108, which was later chained with other flaws to increase the potency of attacks. Furthermore, a data breach disclosed in September, attributed to the ShinyHunters group’s “Salesloft Drift” campaign, resulted in the exposure of customer data and support cases. The current massive scanning effort underscores the persistent and evolving threat facing widely used enterprise security infrastructure.

(Source: Bleeping Computer)
