
Palo Alto GlobalProtect Traffic Spike and Future Zero-Days


You have probably seen the reports of a sharp rise in scanning against Palo Alto Networks GlobalProtect VPN portals. This is not an isolated blip: the volume of malicious traffic aimed at these portals hit a 90-day high.

So what happened, what does it mean, and how exposed are GlobalProtect deployments? We have condensed the reporting so you do not have to sift through a pile of vendor blogs.

1. The Data at a Glance: A 40-Fold Increase in Activity

Beginning on November 14, 2025, the threat-intelligence firm GreyNoise observed a sudden rise in malicious traffic aimed at the /global-protect/login.esp endpoint, the login page of the GlobalProtect portal that remote users hit before they authenticate. Hits against that endpoint rose by nearly 40 times within a single day.

GreyNoise logged around 2.3 million sessions directed at these login endpoints. This was not background Internet noise; it was deliberate, targeted reconnaissance.

Evidence of Coordination:

  • Concentration of Infrastructure: 62% of the traffic came from a single network, AS200373 (3xK Tech GmbH), located primarily in Germany. Traffic that clustered on one AS points to a coordinated effort by one or a few persistent actors, and the same infrastructure had been seen targeting Palo Alto devices before.
  • Technical Signatures: The sessions carried consistent JA4T fingerprints (a hash of TCP handshake characteristics such as window size, MSS and TCP options, which is hard to vary by accident), and that fingerprint tied this campaign to earlier malicious activity.

2. The Disturbing Forecast: The 80% Rule

You might ask why a traffic spike, which on its own could be nothing more than credential brute-forcing, should worry you. GreyNoise has documented a recurring pattern across edge-device vendors, Fortinet and Cisco included.

The firm previously noted a strong historical connection between intense scanning and new security vulnerabilities:

“Our research indicates that spikes in attacker activity often precede new vulnerabilities impacting the same vendor—80% of the time, these are followed by a CVE disclosure within six weeks.”

The likely explanation is that attackers discover and test a vulnerability before it is public, and the scanning frenzy is their effort to build a target list before a patch ships. That is why security teams go on high alert when they see this kind of focused activity: it often precedes a major vulnerability announcement. Two caveats apply. The 80% figure is a correlation across GreyNoise's historical data, not a guarantee that a CVE follows any given spike, and a scan of this shape can just as well be an inventory run for an already-public, still-unpatched bug.

3. Palo Alto’s Official Response: “No Compromise Detected”

Did the spike coincide with a successful compromise? According to Palo Alto Networks, no.

After reviewing the scanning activity reported by GreyNoise, the company issued an update on November 24:

“We have no evidence of a compromise following our investigation of the reported scanning activity.”

A company spokesperson said Palo Alto's own infrastructure remains secure and credited its Cortex XSIAM platform, which the company says blocks millions of new attacks daily. Read that statement for what it is: a finding about Palo Alto's investigation and its own estate. It does not tell you whether your portal was probed, or what the scanners were looking for.

Conclusion

If you operate an Internet-exposed GlobalProtect login portal, take the following precautions:

  • Implement Multi-Factor Authentication (MFA): Never rely on passwords alone for VPN access. MFA blunts credential brute-forcing and stuffing, though it does nothing against a pre-authentication bug in the portal itself.
  • Use Geo-Blocking Carefully: If your users sit in one region, consider blocking logins from unexpected countries such as Germany and Canada (the primary sources of this surge). Treat it as noise reduction, not a security control: scanning infrastructure moves between providers and countries, and a blanket country block can lock out legitimate travelling users.
  • Patch and Watch Advisories: The scan could just as easily be hunting for already-public, unpatched bugs as for a zero-day, so keep PAN-OS current and follow Palo Alto Networks security advisories closely in the weeks after a spike like this.
  • Monitor Logs Vigilantly: Baseline the normal daily request count to the /global-protect/login.esp URI and alert on a multiple of it, and watch for a large share of requests arriving from one network or source prefix. Failed-login anomalies deserve the same treatment.
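As an added example (not GreyNoise's or Palo Alto Networks' code), the following Python script applies the two checks from section 1 to your own portal logs: the day-over-baseline spike ratio behind the "40x" figure, and the share of a day's traffic that comes from a single source block, standing in for the 62%-from-one-AS observation. The log line format is an assumed, constructed one (ISO timestamp, source IP, request path, HTTP status), the sample data is constructed to mirror the reported shape of the surge, and /24 prefix grouping is used as a stand-in for ASN grouping, which would need an external IP-to-ASN feed.

```python
"""Spike and source-concentration checks for GlobalProtect login-portal hits.

Added example, not code from GreyNoise or Palo Alto Networks. The log format
parsed below is assumed: '<ISO timestamp> <src_ip> <request path> <status>'.
Adapt parse_line() to whatever your firewall or reverse proxy actually emits.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

PORTAL_URI = "/global-protect/login.esp"


def parse_line(line):
    """Parse one assumed-format log line; return None for anything that does
    not fit so a single malformed line never aborts the whole run."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src = ip_address(parts[1])
    except ValueError:
        return None
    return {"day": ts.date().isoformat(), "src": src, "path": parts[2], "status": parts[3]}


def portal_hits(lines):
    """Keep only parsed records aimed at the GlobalProtect login endpoint."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r and r["path"] == PORTAL_URI]


def daily_counts(records):
    return Counter(r["day"] for r in records)


def spike_ratio(counts, day):
    """Hits on `day` divided by the median of all earlier days (floored at 1).
    A 'nearly 40x' headline figure is this same kind of comparison."""
    prior = [n for d, n in counts.items() if d < day]
    if not prior:
        return 0.0
    return counts.get(day, 0) / max(median(prior), 1)


def source_concentration(records, day, prefix_len=24):
    """Share of the day's hits coming from the single busiest /prefix_len block.
    Prefix grouping stands in for ASN grouping, which needs an external feed."""
    blocks = Counter(
        str(ip_network(f"{r['src']}/{prefix_len}", strict=False))
        for r in records if r["day"] == day
    )
    total = sum(blocks.values())
    if not total:
        return None, 0.0
    block, n = blocks.most_common(1)[0]
    return block, n / total


def analyze(lines, day, spike_factor=10.0, concentration=0.5, min_hits=50):
    """Run both checks for `day`. The concentration check only counts once the
    day has at least `min_hits`, so a quiet day with five hits from one office
    block does not page anyone."""
    records = portal_hits(lines)
    counts = daily_counts(records)
    hits = counts.get(day, 0)
    ratio = spike_ratio(counts, day)
    block, share = source_concentration(records, day)
    return {
        "day": day,
        "hits": hits,
        "spike_ratio": ratio,
        "top_block": block,
        "top_block_share": share,
        "alert": ratio >= spike_factor or (hits >= min_hits and share >= concentration),
    }


def build_sample():
    """Constructed sample data: 5 portal hits per day for four quiet days, then
    200 on 2025-11-14 with 130 of them from 203.0.113.0/24 (a documentation
    range), plus one non-portal request and one garbage line to be ignored."""
    lines = []
    base = datetime(2025, 11, 10)
    for d in range(4):
        for i in range(5):
            ts = base + timedelta(days=d, hours=i)
            lines.append(f"{ts.isoformat()} 198.51.100.{d * 5 + i + 1} {PORTAL_URI} 200")
    burst = datetime(2025, 11, 14)
    for i in range(200):
        ts = burst + timedelta(minutes=i)
        src = f"203.0.113.{i + 1}" if i < 130 else f"192.0.2.{i - 129}"
        lines.append(f"{ts.isoformat()} {src} {PORTAL_URI} 200")
    lines.append(f"{burst.isoformat()} 192.0.2.200 /index.html 200")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for day in ("2025-11-12", "2025-11-14"):
        print(analyze(build_sample(), day))
```

Run against real logs, the useful tuning knobs are `spike_factor` (10x is a conservative trigger given a reported 40x event), `prefix_len` (swap the /24 grouping for an ASN lookup if you have one), and `min_hits`, which keeps the concentration check quiet on low-volume days.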

Palo Alto has said it found no evidence of compromise, but the surge in malicious scanning is not in dispute. Whether the actors were probing for an undisclosed zero-day or sweeping for already-known, unpatched flaws, the right response is the same: reduce exposure, patch promptly, and keep watching the portal logs.