Threat intelligence firm GreyNoise on Friday revealed that it had observed a spike in scanning activity targeting Palo Alto Networks login portals.
The company said it saw an increase of about 500% in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed mainly at Palo Alto login portals.
As many as 1,300 unique IP addresses have participated in the attempt, a significant jump from about 200 unique IP addresses seen earlier. Of these IP addresses, 93% are classified as suspicious and 7% as malicious.
The vast majority of the IP addresses have been geolocated to the US, with smaller clusters in the UK, the Netherlands, Canada and Russia.
“This Palo Alto surge shares characteristics with Cisco ASA scanning in the last 48 hours,” GreyNoise said. “In both cases, the scanners exhibited regional clustering and fingerprint overlap in the tooling used.”
“In the last 48 hours, Cisco ASA and Palo Alto login scanning traffic shares a major TLS fingerprint tied to the infrastructure in the Netherlands.”
In April 2025, GreyNoise reported similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to urge customers to ensure that they were running the latest version of the software.
The development comes as GreyNoise noted in its Early Warning Signals report in July 2025 that increases in malicious scanning, brute-forcing, or exploitation attempts are often followed by the disclosure of a new CVE affecting the same technology within six weeks.
In early September, GreyNoise warned of suspicious scans that took place in late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first wave originated from over 25,100 IP addresses, mainly located in Brazil, Argentina and the US.
Weeks later, Cisco revealed two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362), which were exploited in real-world attacks to deploy malware families such as RayInitiator and LINE VIPER.
Data from the Shadowserver Foundation suggests that more than 45,000 Cisco ASA/FTD instances, of which more than 20,000 are located in the US and about 14,000 in Europe, are still susceptible to the two vulnerabilities.