Surge in Malicious Scanning of Palo Alto Networks GlobalProtect VPN Portals Raises Security Alarms


Alex Cipher

A sudden, dramatic spike in malicious scanning of Palo Alto Networks GlobalProtect VPN portals has put security teams on high alert. Between November 14 and 19, 2025, over 2.3 million scan sessions targeted the /global-protect/login.esp endpoint—a staggering 40-fold increase in just 24 hours, as reported by GreyNoise. This isn’t just a random uptick; it’s the largest surge in the past three months and part of a recurring pattern that’s been building throughout 2025.

What makes this wave of scanning particularly concerning is its timing and coordination. Attackers appear to be synchronizing their efforts with the disclosure of new vulnerabilities, often ramping up reconnaissance just before public advisories are released. The infrastructure behind these campaigns is both sophisticated and global, with a heavy concentration of activity traced to specific Autonomous System Numbers (ASNs) in Germany and Canada. These campaigns are not only widespread but also highly targeted, focusing on organizations in the United States, Mexico, and Pakistan—regions with significant Palo Alto Networks deployments.

The stakes are high: VPN portals serve as digital gateways to internal networks, and a successful breach can open the door to credential theft, lateral movement, and deeper exploitation. The attackers’ evolving tactics—leveraging distributed infrastructure, recurring TCP/JA4t fingerprints, and operational discipline—underscore the need for defenders to stay vigilant and proactive (BleepingComputer).

What’s Behind the Surge: Dissecting the GlobalProtect VPN Scanning Frenzy

Escalation Patterns and Timing of Scanning Campaigns

A detailed analysis of the recent surge in malicious scanning of Palo Alto Networks GlobalProtect VPN portals reveals a dramatic escalation in both frequency and scale. According to GreyNoise, between November 14 and 19, 2025, there were approximately 2.3 million scan sessions targeting the /global-protect/login.esp endpoint, a web interface used for VPN authentication on Palo Alto firewalls. This spike represents a 40-fold increase within a 24-hour period, marking the highest activity in the preceding 90 days.

This pattern of escalation is not isolated. Earlier in October 2025, GreyNoise documented a 500% increase in unique IP addresses scanning GlobalProtect and PAN-OS profiles, with the majority of these IPs classified as suspicious or malicious. In April 2025, another significant spike was observed, involving 24,000 distinct IP addresses. The recurrence and amplification of these events point to a cyclical and coordinated approach by threat actors, who appear to time their campaigns around periods of heightened vulnerability or anticipated disclosures of new flaws (BleepingComputer).

Attribution and Infrastructure of Malicious Scanning

The infrastructure supporting these scanning campaigns is both complex and international in scope. Analysis of the Autonomous System Numbers (ASNs) associated with the malicious traffic highlights a concentration of activity. The primary ASN identified is AS200373 (3xK Tech GmbH), with 62% of related IP addresses geolocated in Germany and 15% in Canada. A secondary ASN, AS208885 (Noyobzoda Faridduni Saidilhom), is also implicated in the campaigns. The repeated use of the same ASNs, as well as recurring TCP/JA4t fingerprints, suggests a high degree of operational continuity and resource reuse by the attackers (BleepingComputer).

The global distribution of scanning sources, with a notable European and North American footprint, indicates that the campaigns are not limited to a single region or actor. Instead, they reflect a broader, possibly commoditized, ecosystem of scanning services and botnets leveraged for reconnaissance and exploitation. This infrastructure enables attackers to quickly pivot and scale their operations in response to emerging opportunities or vulnerabilities.

Correlation with Security Vulnerability Disclosures

A critical aspect of the scanning frenzy is its temporal correlation with the disclosure of new vulnerabilities. GreyNoise reports that in 80% of cases, spikes in scanning activity on Palo Alto Networks products precede the public disclosure of security flaws. This correlation is particularly pronounced for GlobalProtect VPN portals, where attackers appear to anticipate forthcoming advisories or exploit releases and intensify their reconnaissance efforts accordingly (BleepingComputer).

Notably, 2025 has seen multiple high-profile vulnerabilities affecting Palo Alto Networks products, including CVE-2025-0108, which was later chained with CVE-2025-0111 and CVE-2024-9474. These vulnerabilities have been actively exploited in the wild, with attackers using scanning activity to identify unpatched systems before defenders can respond. The pattern suggests that threat actors are closely monitoring vendor advisories and security research, using scanning as a prelude to targeted exploitation.

Target Selection and Geographic Distribution

The scanning campaigns are not indiscriminate; they exhibit clear patterns of target selection and geographic focus. The majority of login attempts are directed at organizations in the United States, Mexico, and Pakistan, with similar volumes observed across these countries (BleepingComputer). This geographic distribution may reflect the prevalence of Palo Alto Networks deployments in these regions, as well as the strategic value of compromising entities with significant digital infrastructure.

The targeting of VPN portals is particularly significant, as these endpoints serve as gateways to internal networks and are often exposed to the internet. Successful compromise of a VPN portal can provide attackers with privileged access, enabling lateral movement and further exploitation. The focus on authentication endpoints underscores the attackers’ intent to harvest credentials or exploit authentication-related vulnerabilities.

Evolution of Attacker Tactics and Defensive Implications

The tactics employed in the recent scanning surge demonstrate an evolution in both sophistication and persistence. Attackers are leveraging large-scale, automated scanning to rapidly enumerate exposed GlobalProtect portals, often using distributed infrastructure to evade detection and blocking. The use of recurring TCP/JA4t fingerprints and ASN reuse indicates a level of operational discipline, with attackers refining their methods based on past successes and failures (BleepingComputer).

From a defensive perspective, the surge in scanning activity serves as an early warning indicator of impending exploitation campaigns. Security teams are advised to treat such reconnaissance as a precursor to attacks, rather than dismissing it as benign or irrelevant. Proactive measures, such as network segmentation, multi-factor authentication, and timely patching, are essential to mitigate the risk posed by these campaigns. Additionally, organizations should monitor for anomalous login attempts and scanning activity, particularly from IP addresses associated with known malicious ASNs.

The cyclical nature of the scanning surges, combined with their alignment to vulnerability disclosures, highlights the need for continuous vigilance and rapid response capabilities. As attackers become more adept at exploiting windows of exposure, defenders must prioritize the hardening of internet-facing assets and the implementation of robust detection and response mechanisms.
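To make the monitoring advice above concrete, here is an added detection example (not code from the article, GreyNoise or BleepingComputer) that scans combined-format web access logs for requests to /global-protect/login.esp, buckets them by hour and source IP, and flags an hour whose number of distinct sources jumps by a configurable factor over the mean of the preceding hours. The log lines, the documentation-range IPs and the 40-source burst are constructed; the path is the one named in the article.

```python
# Added example: flag hourly bursts of distinct sources hitting the GlobalProtect
# login endpoint in Apache/nginx combined-format access logs. Log lines below are
# constructed for illustration and use documentation IP ranges.
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

TARGET_PATH = "/global-protect/login.esp"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, hour_bucket, path) for a combined-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts.strftime("%Y-%m-%dT%H"), m["path"].split("?")[0]

def portal_hits_per_hour(lines, path=TARGET_PATH):
    """Map hour bucket -> Counter of source IPs that requested the portal path."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == path:
            ip, hour, _ = parsed
            buckets[hour][ip] += 1
    return buckets

def flag_scan_bursts(buckets, factor=10.0, top_n=3):
    """Flag hours whose distinct-source count is >= factor x the mean of all
    earlier hours. Returns a list of (hour, distinct_ips, baseline, top_sources)."""
    flagged, history = [], []
    for hour in sorted(buckets):
        distinct = len(buckets[hour])
        if history and distinct >= factor * mean(history):
            flagged.append((hour, distinct, mean(history), buckets[hour].most_common(top_n)))
        history.append(distinct)
    return flagged

SAMPLE_LOG = [  # constructed: two quiet hours, then a burst of 40 distinct sources
    '203.0.113.5 - - [18/Nov/2025:10:01:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Nov/2025:11:15:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Nov/2025:11:16:00 +0000] "GET /index.html HTTP/1.1" 200 100',
] + [f'192.0.2.{i} - - [18/Nov/2025:12:{i:02d}:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 512'
     for i in range(1, 41)]

if __name__ == "__main__":
    for hour, distinct, baseline, top in flag_scan_bursts(portal_hits_per_hour(SAMPLE_LOG)):
        print(f"{hour}: {distinct} distinct sources vs baseline {baseline:.1f}; top {top}")
```

The flagged hour's top sources are the natural input for ASN enrichment and blocking decisions; the factor should be tuned against each organisation's own baseline of legitimate portal traffic.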


Note:
All information and statistics referenced are sourced from BleepingComputer and the associated GreyNoise reports as of November 20, 2025. This report covers only the technical and operational aspects of the recent surge in malicious scanning targeting Palo Alto Networks GlobalProtect VPN portals.

Final Thoughts

The November 2025 surge in malicious scanning of Palo Alto Networks GlobalProtect VPN portals is a textbook example of how threat actors adapt and scale their operations in response to emerging vulnerabilities. The cyclical, coordinated nature of these campaigns—often peaking just before new flaws are disclosed—highlights the importance of rapid patching, robust authentication, and continuous monitoring. Organizations must treat scanning activity as a serious precursor to exploitation, not just background noise.

As attackers refine their methods and leverage global infrastructure, defenders need to prioritize hardening internet-facing assets and investing in detection and response capabilities. The lessons from this incident extend beyond Palo Alto Networks: any widely deployed technology can become a target when vulnerabilities emerge. Staying ahead requires a blend of technical vigilance, timely intelligence, and a willingness to adapt—qualities that will define cybersecurity resilience in 2025 and beyond (BleepingComputer).
