{“lastseen”:”2025-10-04T10:54:21″,”description”:”\\n\\nThreat intelligence firm GreyNoise disclosed on Friday that it has observed a spike in scanning activity targeting Palo Alto Networks login portals.\\n\\nThe company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals.\\n\\nAs many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious.\\n\\nThe vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia.\\n\\n\\n\\n\\”This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours,\\” GreyNoise noted. \\”In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used.\\”\\n\\n\\”Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands.\\”\\n\\nIn April 2025, GreyNoise reported a similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to urge customers to ensure that they are running the latest versions of the software.\\n\\n\\n\\nThe development comes as GreyNoise noted in its Early Warning Signals report back in July 2025 that surges in malicious scanning, brute-forcing, or exploit attempts are often followed by the disclosure of a new CVE affecting the same technology within six weeks.\\n\\nIn early September, Greynoise warned about suspicious scans that occurred as early as late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first wave originated from over 25,100 IP addresses, mainly located in Brazil, Argentina, and the U.S.\\n\\n\\n\\nWeeks later, Cisco disclosed two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world attacks to deploy malware families like RayInitiator and LINE VIPER.\\n\\nData from the Shadowserver Foundation shows that over 45,000 Cisco ASA\/FTD instances, out of which more than 20,000 are located in the U.S. and about 14,000 are located in Europe, are still susceptible to the two vulnerabilities.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-10-04T10:39:00″,”modified”:”2025-10-04T10:39:33″,”type”:”thn”,”title”:”Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day”,”source”:””,”references”:””,”id”:”THN:4FF8C822A5171920004E8E15342728DE”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[“CVE-2025-20333″,”CVE-2025-20362″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/10\/scanning-activity-on-palo-alto-networks.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-04T10:54:21″,”description”:”\\n\\nThreat intelligence firm GreyNoise disclosed on Friday that it has observed a spike in scanning activity targeting Palo Alto Networks login portals.\\n\\nThe…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,45,12,13,7,11,43,5],"class_list":["post-20221","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-99","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n