Attackers are probing Palo Alto Networks GlobalProtect portals
Cybersecurity company GreyNoise is warning about a significant increase in scanning activity targeting internet-facing Palo Alto Networks GlobalProtect portals in the last 30 days, and has urged organizations with exposed systems to secure them and look for signs of compromise.
“The consistency of this activity suggests a planned approach to testing network defenses, potentially paving the way for exploitation,” the company said.
“Recent patterns observed by GreyNoise suggest that this activity may signal the emergence of new vulnerabilities in the near future.”
The bigger picture
The Palo Alto Networks GlobalProtect portal is a core part of the GlobalProtect VPN solution for enterprises. It’s a server that is usually located behind a Palo Alto firewall, and it’s through it that remote users authenticate and receive the configuration for a GlobalProtect gateway that will create a secure tunnel into the corporate network.
GreyNoise linked multiple login attempts back to the same login scanner tool by leveraging three unique digital “fingerprints” (JA4h hashes) of connection patterns they observed.
Most of the observed scanning activity happened between March 17 and March 26, 2025, from nearly 24,000 unique IP addresses. It overwhelmingly targeted systems in the United States, but also in the UK, Ireland, Russia, and Singapore.
“Most of the observed activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs),” the company noted.
On March 26, they also noticed a short-lived spike in crawler activity aimed at pinpointing GlobalProtect system components that could potentially be vulnerable to command injection.
“Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise,” GreyNoise advised.
UPDATE (April 2, 2025, 04:00 a.m. ET):
“Palo Alto Networks is aware of a recent blog posted by GreyNoise regarding scanning activity targeting PAN-OS GlobalProtect portals. Our teams are actively monitoring this situation and analyzing the reported activity to determine its potential impact and identify if mitigations are necessary,” a company spokesperson told Help Net Security.
“We encourage all customers to follow best practice of running the latest versions of PAN-OS.”