Palo Alto Networks is closely monitoring a wave of brute-force login attempts targeting its PAN-OS GlobalProtect gateways
just days after cybersecurity experts observed a sharp increase in suspicious scanning activity against the company’s appliances.
A spokesperson for Palo Alto Networks confirmed to The Hacker News that their teams are seeing signs of password-related attacks, such as brute-force login attempts. However, they emphasized that these incidents do not appear to involve any known vulnerabilities in the system. “We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary,” the spokesperson said.
This alert follows a warning from threat intelligence firm GreyNoise, which reported a notable spike in login scanning activity targeting GlobalProtect portals. According to their findings, the surge began on March 17, 2025, peaking at nearly 23,958 unique IP addresses, before tapering off by the end of the month. This pattern suggests a coordinated effort to test network defenses and find potentially vulnerable systems.
Most of the observed scanning activity has been directed at systems located in the United States, United Kingdom, Ireland, Russia, and Singapore. As of now, it remains unclear how widespread the attacks are or if they can be attributed to a particular threat actor. The Hacker News has reached out to Palo Alto Networks for further information and is awaiting an update.
In the meantime, Palo Alto Networks strongly advises customers to take proactive security measures. This includes updating to the latest PAN-OS versions, enabling multi-factor authentication (MFA), configuring GlobalProtect to support MFA notifications, implementing security policies to detect and prevent brute-force attempts, and reducing unnecessary internet exposure of systems.
Found this article interesting? Follow us on X(Twitter) and FaceBook to read more exclusive content we post.
