Threat Intelligence Firm Greynoise revealed on Friday that a large spike was being observed in scan activities targeting the Palo Alto Networks login portal.
The company said it observed on October 3, 2025 that a nearly 500% increase in IP addresses scanning the Palo Alto Networks login portal was the highest recorded level in the last three months. It describes traffic as targeted and structured and aims primarily to the Palo Alto login portal.
As many as 1,300 unique IP addresses have participated in this effort, a major jump from around 200 unique IP addresses previously observed. Of these IP addresses, 93% are classified as suspicious and 7% are malicious.
The majority of IP addresses are immersed in the US and smaller clusters have been detected in the UK, Netherlands, Canada and Russia.
“This Palo Alto Surge shares features with Cisco ASA scans that have occurred over the past 48 hours,” says Greynoise. “In both cases, the scanner showed overlapping regional clustering and fingerprints with the tools used.”
“The login scan traffic from both Cisco Asa and Palo Alto over the past 48 hours shares the dominant TLS fingerprint tied to Dutch infrastructure.”
When contacted to comment on the surge in activity, a company spokesman said there were no signs of compromise.
“Your security is always a top priority,” the Palo Alto Network said. “We investigated reported scan activity but found no evidence of compromise.”
“Palo Alto Networks is protected by its own Cortex XSIAM platform, which stops 1.5 million new attacks every day, autonomously reduces 36 billion security events to the most critical threats, ensuring your infrastructure.
In April 2025, Greynoise reported similar suspicious login scan activity targeting Palo Alto Networks Pan-OS Global-Protect Gateways, urging network security companies to urge customers to run the latest version of their software.
This development will often be followed by a surge in malicious scans, brute enhancements or exploit attempts, as Greynoise noted in its early warning signal report in July 2025, with disclosures of new CVEs affecting the same technology within six weeks.
In early September, Greynoise warned of a suspicious scan that occurred in late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first waves came from over 25,100 IP addresses, mainly in Argentina and Brazil, the United States.
A few weeks later, Cisco disclosed two new zero-days in the CISCO ASA (CVE-2025-20333 and CVE-2025-20362) that were exploited in real-world attacks to deploy malware families such as Reynatiators and Line Vipers.
Shadowserver Foundation data shows that over 45,000 Cisco ASA/FTD instances have over 20,000 people in the US and approximately 14,000 people in Europe, making them susceptible to two vulnerabilities.
(The story was updated after publication to include answers from Palo Alto Networks.)
