Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day

Oct 04, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

GreyNoise, a threat intelligence firm, revealed a significant increase in scanning activity targeting Palo Alto Networks login portals on October 3, 2025.

The surge in scanning activity saw a 500% rise in IP addresses scanning Palo Alto Networks login portals, marking the highest level recorded in the past three months. The scanning was described as targeted and structured, focusing mainly on Palo Alto login portals.

Approximately 1,300 unique IP addresses took part in the scanning, showing a notable increase from the previous count of around 200 unique IP addresses. Of these, 93% were classified as suspicious, while the remaining 7% were deemed malicious.

The majority of the IP addresses were geolocated in the U.S., with smaller clusters identified in the U.K., the Netherlands, Canada, and Russia.

GreyNoise highlighted that the recent surge in Palo Alto scanning shared similarities with previous Cisco ASA scanning incidents, including regional clustering and tooling overlap.

Both the Cisco ASA and Palo Alto login scanning activities exhibited a dominant TLS fingerprint associated with infrastructure in the Netherlands.
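The two signals GreyNoise describes here, a jump in unique source IPs hitting login portals relative to the recent baseline and a single TLS client fingerprint dominating that traffic, can be checked against your own portal access logs. The following is an added example written for this article, not GreyNoise or Palo Alto Networks code; the log records, IP addresses, fingerprint labels and the login paths it matches on are constructed assumptions, and the 5x threshold mirrors the 500% rise reported above.

```python
from collections import defaultdict

# Assumed portal login paths to watch; adjust to what your own logs record.
LOGIN_PATHS = ("/global-protect/login.esp", "/global-protect/prelogin.esp")


def build_sample_logs():
    """Constructed sample records (day, src_ip, tls_fingerprint, path); not real traffic.
    Three quiet days with 2 scanners each, then a day with 12 distinct sources."""
    records = []
    for day in ("2025-09-30", "2025-10-01", "2025-10-02"):
        for i in range(2):
            records.append((day, f"203.0.113.{i}", "fp-aaaa", LOGIN_PATHS[0]))
    for i in range(12):
        # Spike day: 10 of the 12 sources share one made-up client fingerprint.
        fp = "fp-nl01" if i < 10 else f"fp-{i}"
        records.append(("2025-10-03", f"198.51.100.{i}", fp, LOGIN_PATHS[0]))
    records.append(("2025-10-03", "192.0.2.9", "fp-zzzz", "/index.html"))  # not a login hit
    return records


def unique_ips_per_day(records):
    """Count distinct source IPs per day that touched a login path."""
    seen = defaultdict(set)
    for day, ip, _fp, path in records:
        if path in LOGIN_PATHS:
            seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}


def spike_days(counts, ratio=5.0):
    """Flag days whose unique-IP count is at least `ratio` times the mean of earlier days."""
    flagged, history = {}, []
    for day in sorted(counts):
        if history:
            baseline = sum(history) / len(history)
            if baseline > 0 and counts[day] / baseline >= ratio:
                flagged[day] = round(counts[day] / baseline, 1)
        history.append(counts[day])
    return flagged


def dominant_fingerprint(records, day):
    """Return (fingerprint, share of unique login-scanning IPs) for the busiest TLS fingerprint."""
    per_fp = defaultdict(set)
    for d, ip, fp, path in records:
        if d == day and path in LOGIN_PATHS:
            per_fp[fp].add(ip)
    if not per_fp:
        return None
    fp, ips = max(per_fp.items(), key=lambda kv: len(kv[1]))
    return fp, round(len(ips) / sum(len(s) for s in per_fp.values()), 2)


if __name__ == "__main__":
    recs = build_sample_logs()
    counts = unique_ips_per_day(recs)
    for day, factor in spike_days(counts).items():
        print(day, f"{factor}x baseline", dominant_fingerprint(recs, day))
```

A flagged day whose traffic is dominated by one fingerprint is the pattern worth correlating with vendor advisories, given the report's observation that such spikes often precede new CVEs.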

In a similar incident in April 2025, GreyNoise reported suspicious login scanning targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to advise customers to update to the latest software versions.

GreyNoise’s Early Warning Signals report from July 2025 suggested that spikes in malicious scanning activities often precede the disclosure of new CVEs impacting the same technology within six weeks.

In early September, GreyNoise warned about suspicious scans targeting Cisco Adaptive Security Appliance (ASA) devices, originating from over 25,100 IP addresses primarily located in Brazil, Argentina, and the U.S.

Cisco later disclosed two zero-day vulnerabilities in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world attacks to distribute malware families such as RayInitiator and LINE VIPER.

Data from the Shadowserver Foundation indicates that over 45,000 Cisco ASA/FTD instances are still vulnerable to these two vulnerabilities, with a significant number located in the U.S. and Europe.