Palo Alto Networks has revealed that it’s observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances.
“Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability,” a spokesperson for the company told The Hacker News. “We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary.”
The development comes after threat intelligence firm GreyNoise alerted of a spike in suspicious login scanning activity aimed at PAN-OS GlobalProtect portals.
The company further noted that the activity commenced on March 17, 2025, hitting a peak of 23,958 unique IP addresses before dropping off towards the end of last month. The pattern indicates a coordinated effort to probe network defenses and identify exposed or vulnerable systems.
The login scanning activity has primarily singled out systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.
It’s currently not known how widespread these efforts are and if they are the work of any specific threat actor at this stage. The Hacker News has reached out to Palo Alto Networks for additional comments, and we will update the story if we hear back.
In the interim, all customers are encouraged to ensure that they are running the latest versions of PAN-OS. Other mitigations include enforcing multi-factor authentication (MFA), configuring GlobalProtect to facilitate MFA notifications, setting up security policies to detect and block brute-force attacks, and limiting unnecessary exposure to the internet.
