Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day

![Palo Alto Networks Portals](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVlh6dseVQZIo9E7j4gKPiWbf9wDAoGVPr4DyhfsZB7iacAtu-Y5NAnMi1sWowgrtNrNQHhyphenhyphencPQgxvdClooUDsgL4e6FXfv5AjFQbVxQMO_PCcOfJ159qmn3kZbX1Q2o01jW1X0v16jPGCi8ttsPyLtwPmK6hZXduXtaA70Ioue0iCJUpU6Bd9myawUyb_/s790-rw-e365/scans.jpg "Palo Alto Networks Portals")

Threat intelligence firm GreyNoise [disclosed](https://www.greynoise.io/blog/palo-alto-scanning-surges) on Friday that it has observed a spike in scanning activity targeting Palo Alto Networks login portals.

The company said it observed a nearly 500% increase in IP addresses [scanning](https://viz.greynoise.io/tags/palo-alto-networks-login-scanner?days=1) Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals.

As many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious.

The vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia.

"This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours," GreyNoise noted. "In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used."

"Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands."

In April 2025, GreyNoise [reported](https://thehackernews.com/2025/04/nearly-24000-ips-target-pan-os.html) similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to urge customers to ensure that they are running the latest versions of the software.

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSL8unb32Z0Z8LOXReWvebOCjk1qf8iGRhpgJS3sUUQXM_i233MjWncClfgIF2I_l_KhIjIeu_gJbMteo-RuF_rsXMd5pEDAyFFgPdKDOotyTAjjCOMcQ-UbxPsWDXFxSvrZrSVNFzydi3HhPKvQfYp9QCCC5_oOkqCp4JG8hODFOwO0vyEjgXottWJR2b/s790-rw-e365/attaxk.png)

The development comes as GreyNoise [noted](https://thehackernews.com/2025/08/fortinet-ssl-vpns-hit-by-global-brute.html) in its Early Warning Signals report back in July 2025 that surges in malicious scanning, brute-forcing, or exploit attempts are often followed by the disclosure of a new CVE affecting the same technology within six weeks.

In early September, GreyNoise [warned](https://thehackernews.com/2025/09/weekly-recap-drift-breach-chaos-zero.html#:~:text=Surge%20in%20Scanning%20Activity%20Targeting%20Cisco%20ASA) about suspicious scans that occurred as early as late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first wave originated from over 25,100 IP addresses, mainly located in Brazil, Argentina, and the U.S.

Weeks later, Cisco [disclosed](https://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html) two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world attacks to deploy malware families like [RayInitiator and LINE VIPER](https://thehackernews.com/2025/09/cisco-asa-firewall-zero-day-exploits.html).

Data from the Shadowserver Foundation [shows](https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-20333%2B&tag=cve-2025-20362%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on) that over 45,000 Cisco ASA/FTD instances, out of which more than 20,000 are located in the U.S. and about 14,000 are located in Europe, are still susceptible to the two vulnerabilities.

Blog: The Hacker News
