$title =

Adversaries Intensify Scanning and Brute Force Activity Against Perimeter Devices

;

$content = [

On 3 October 2025, GreyNoise reported a ~500% increase in unique IPs scanning Palo Alto Networks GlobalProtect/PAN-OS login portals, the highest level in 90 days; open-source coverage from 4 to 8 October corroborated elevated reconnaissance volumes and noted US-heavy scanning with additional clusters hitting Pakistan. In parallel, Cisco has warned of a large-scale brute-force campaign against VPN, web auth, and SSH services, tracked by Talos since 18 March 2024, and active exploitation of Cisco ASA/FTD VPN web services was disclosed on 25 September 2025.

Analysis: The GlobalProtect scan spike is highly likely preparatory reconnaissance for credential-stuffing or exploit development rather than noise, based on the scale and concentration GreyNoise reported. It is likely that cross-vendor VPN and portal infrastructure will face elevated probing in the near term given the concurrent, actively exploited Cisco ASA and FTD web-services flaws and the US government’s emergency order on 25 September 2025 requiring agencies to immediately hunt for and mitigate compromise on those Cisco ASA/FTD devices.

];
