Nov 19, 2025 • GreyNoise Blog
Palo Alto Scanning Surges 40X in 24 Hours, Marking 90-Day High
Executive Summary
GreyNoise researchers have detected a substantial increase in malicious scanning activity directed at Palo Alto Networks GlobalProtect portals. Starting November 14, 2025, traffic intensified dramatically, resulting in a 40-fold surge within a single day, reaching a 90-day peak. This spike indicates heightened reconnaissance efforts potentially preceding exploitation attempts against known vulnerabilities in GlobalProtect infrastructure. While no specific threat actor or malware family has been publicly attributed to this campaign at this time, the volume suggests coordinated activity. Organizations utilizing Palo Alto Networks devices should immediately verify their internet-facing portals are patched against known CVEs, restrict access via allow-listing, and monitor logs for unusual authentication attempts. Enhanced vigilance is required to prevent unauthorized access or subsequent compromise resulting from this escalated scanning campaign targeting critical network perimeter defenses.
Summary
GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high.