Oct 03, 2025 • GreyNoise Blog
Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High
Executive Summary
GreyNoise reported a significant surge in scanning activity targeting Palo Alto Networks login portals on October 3, 2025. Observations indicate a 500% increase in IP addresses probing these interfaces within 48 hours, reaching a 90-day high. The activity appears highly targeted and involves potentially coordinated scanning clusters, suggesting organized preparation for exploitation rather than random noise. While no specific threat actor or malware family has been publicly attributed to this campaign yet, the scale implies a heightened risk of credential harvesting or exploitation of known vulnerabilities affecting PAN-OS devices. Organizations utilizing Palo Alto Networks firewalls should prioritize immediate mitigation efforts. Recommended actions include enforcing multi-factor authentication, restricting management interface access to trusted IPs, and monitoring logs for unauthorized access attempts. Security teams must remain vigilant against potential follow-on attacks leveraging this reconnaissance phase to compromise network perimeters.
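The log-monitoring and trusted-IP recommendations above, sketched as an added example (not GreyNoise's code or data): it counts unique source IPs outside a management allowlist that hit a login portal, then compares the last 48 hours with the preceding 48 hours and with the 90-day history. The event tuple format, `TRUSTED_NETS`, and every address in the sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

# Assumption: networks allowed to reach the management/login interface (constructed).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def daily_untrusted_sources(events):
    """events: (iso_date, src_ip) login-portal hits -> {date: set of untrusted IPs}."""
    per_day = defaultdict(set)
    for day, ip in events:
        if not is_trusted(ip):
            per_day[date.fromisoformat(day)].add(ip)
    return per_day

def unique_between(per_day, start, end):
    """Union of source IPs seen from start to end, inclusive."""
    ips, d = set(), start
    while d <= end:
        ips |= per_day.get(d, set())
        d += timedelta(days=1)
    return ips

def surge_report(per_day, today, window=2, lookback=90):
    """Compare the last `window` days with the preceding window and the lookback history."""
    cur = unique_between(per_day, today - timedelta(days=window - 1), today)
    prev = unique_between(per_day, today - timedelta(days=2 * window - 1),
                          today - timedelta(days=window))
    # Percent increase is undefined when the previous window saw no sources.
    pct = 100.0 * (len(cur) - len(prev)) / len(prev) if prev else None
    history = [len(per_day.get(today - timedelta(days=i), set()))
               for i in range(1, lookback)]
    return {"current": len(cur), "previous": len(prev), "pct_increase": pct,
            "is_lookback_high": len(per_day.get(today, set())) > max(history, default=0),
            "new_sources": sorted(cur - prev)}

def sample_events():
    """Constructed sample data using documentation IP ranges, not real telemetry."""
    ev = [("2025-09-30", "192.0.2.1"), ("2025-10-01", "192.0.2.2"),
          ("2025-10-01", "10.20.0.5")]  # trusted admin address, ignored
    ev += [("2025-10-02", f"198.51.100.{i}") for i in range(1, 5)]
    ev += [("2025-10-03", f"203.0.113.{i}") for i in range(1, 9)]
    return ev

if __name__ == "__main__":
    print(surge_report(daily_untrusted_sources(sample_events()), date(2025, 10, 3)))
```

The `new_sources` list is the set to review against authentication logs and to compare with the management-interface allowlist.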
Summary
On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. The activity was highly targeted and involved multiple, potentially coordinated scanning clusters.