Palo Alto Networks Under Siege: Brute-Force Attacks Target GlobalProtect Gateways
Palo Alto Networks is battling a wave of brute-force login attempts aimed at its PAN-OS GlobalProtect gateways. The attacks follow recent warnings from threat researchers about a spike in suspicious login scanning activity targeting Palo Alto Networks appliances, raising concerns about potential breaches.

Palo Alto Networks is keeping a close eye on brute-force login attempts aimed at its PAN-OS GlobalProtect gateways. This comes just days after security researchers spotted a surge in suspicious login scanning activity targeting these appliances.
According to a company spokesperson, "Our teams are seeing activity consistent with password-related attacks, like brute-force login attempts. This doesn't necessarily mean a vulnerability is being exploited." They added, "We're actively monitoring the situation and analyzing the reported activity to understand its potential impact and determine if we need to roll out any mitigations."
This situation unfolded after GreyNoise, a threat intelligence firm, flagged a sudden increase in suspicious login scanning focused on PAN-OS GlobalProtect portals.
Apparently, this activity kicked off around March 17, 2025, peaking at a whopping 23,958 unique IP addresses before tapering off near the end of the month. This pattern suggests a coordinated effort to poke at network defenses and find any vulnerable systems.
Where are these login attempts aimed? It seems like systems in the United States, the United Kingdom, Ireland, Russia, and Singapore are the primary targets.
Right now, the scope of these attacks and the actors behind them remain unknown. The Hacker News has reached out to Palo Alto Networks for further information and will update this story as soon as we have more to share.
What can you do?
In the meantime, Palo Alto Networks urges all customers to make sure they're running the latest version of PAN-OS. Beyond that, they recommend a few key security measures:
- Enable Multi-Factor Authentication (MFA): Seriously, do it!
- Configure GlobalProtect for MFA Notifications: Make sure users are notified.
- Implement Security Policies: Detect and block those brute-force attempts!
- Limit Exposure: Don't expose unnecessary services to the internet.