Threat intelligence firm GreyNoise disclosed on Friday that it has observed a massive spike in scanning activity targeting Palo Alto Networks login portals.
The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals.
As many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious.
The vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia.
“This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours,” GreyNoise noted. “In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used.”
“Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands.”
When reached for comment regarding the spike in activity, a spokesperson for the company said there are no signs of compromise.
“The security of our customers is always our top priority,” Palo Alto Networks said. “We have investigated the reported scanning activity and found no evidence of a compromise.”
“Palo Alto Networks is protected by our own Cortex XSIAM platform, which stops 1.5 million new attacks daily and autonomously reduces 36 billion security events into the most critical threats to ensure our infrastructure remains secure. We remain confident in our robust security posture and our ability to protect our network.”
In April 2025, GreyNoise reported a similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to urge customers to ensure that they are running the latest versions of the software.
The development comes as GreyNoise noted in its Early Warning Signals report back in July 2025 that surges in malicious scanning, brute-forcing, or exploit attempts are often followed by the disclosure of a new CVE affecting the same technology within six weeks.
In early September, GreyNoise warned about suspicious scans that occurred as early as late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first wave originated from over 25,100 IP addresses, mainly located in Brazil, Argentina, and the U.S.
Weeks later, Cisco disclosed two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world attacks to deploy malware families like RayInitiator and LINE VIPER.
Data from the Shadowserver Foundation shows that over 45,000 Cisco ASA/FTD instances, out of which more than 20,000 are located in the U.S. and about 14,000 are located in Europe, are still susceptible to the two vulnerabilities.
(The story was updated after publication to include a response from Palo Alto Networks.)
