Palo Alto Networks faced a **massive, coordinated brute-force cyberattack** targeting its **GlobalProtect VPN systems**, beginning on **November 14, 2025**. The assault escalated rapidly, with a **40-fold spike in malicious sessions** (2.3 million attacks) in 24 hours, focused on the `/global-protect/login.esp` endpoint. Threat actors operated from **distributed infrastructure**, primarily via **AS200373 (3xK Tech GmbH, Germany)** and secondary ASNs, using **consistent JA4t fingerprints** to evade detection. While no confirmed data breach has occurred yet, the attack's scale and **historical correlation with pre-exploitation scanning** (similar to past Fortinet VPN breaches) suggest an **imminent risk of vulnerability exploitation**. The campaign's **indiscriminate global targeting** (U.S., Mexico, Pakistan) and **highly organized nature** (temporal patterns, ASN concentration) indicate a **sophisticated threat actor** probing for weaknesses. Though currently a **brute-force operation**, unpatched systems (e.g., **CVE-2025-0108**, an **actively exploited authentication bypass**) heighten the risk of **follow-on attacks**, including **credential theft, lateral movement, or ransomware deployment**. Organizations were urged to **patch immediately**, restrict VPN access, and block malicious IPs. The incident underscores **critical vulnerabilities in enterprise VPN security**, with potential **operational disruption, reputational damage, and financial losses** if exploited further.
Source: https://cyberpress.org/2-3-million-attacks-hit-palo-alto-networks-globalprotect-vpn-portals/
Palo Alto Networks Unit 42 cybersecurity rating report: https://www.rankiteo.com/company/unit42
```json
{
  "id": "UNI1532215112025",
  "linkid": "unit42",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "Millions of GlobalProtect VPN login portals targeted",
      "industry": "Cybersecurity",
      "location": "Global (Primary targets: United States, Mexico, Pakistan)",
      "name": "Palo Alto Networks",
      "type": "Technology Company"
    }
  ],
  "attack_vector": [
    "Brute-Force Scanning",
    "Credential Stuffing",
    "Exploitation of VPN Login Portals"
  ],
  "customer_advisories": [
    "Palo Alto Networks customers advised to patch systems and monitor for suspicious activity."
  ],
  "date_detected": "2025-11-14",
  "date_publicly_disclosed": "2025-11-14",
  "description": "Security researchers at GreyNoise uncovered a massive spike in cyberattacks targeting Palo Alto Networks GlobalProtect VPN systems. The assault began on November 14, 2025, escalating into a coordinated campaign striking millions of login portals worldwide. The attack intensity surged 40-fold in a single day, marking the highest activity level recorded in the past 90 days. Approximately 2.3 million malicious sessions targeted the /global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect systems. The campaign demonstrated consistent TCP/JA4t signatures and temporal patterns, suggesting a persistent and organized operation. Primary attack sources included AS200373 (3xK Tech GmbH, Germany) and AS208885 (Noyobzoda Faridduni Saidilhom), with the U.S., Mexico, and Pakistan as top targets. The campaign appears to be a brute-force scanning operation, potentially signaling upcoming exploitation of vulnerabilities.",
  "impact": {
    "brand_reputation_impact": ["Potential erosion of trust in Palo Alto VPN security"],
    "identity_theft_risk": ["High (if credentials are compromised)"],
    "operational_impact": [
      "Increased risk of unauthorized access",
      "Potential for follow-on attacks"
    ],
    "systems_affected": [
      "Palo Alto Networks GlobalProtect VPN systems",
      "PAN-OS management interfaces"
    ]
  },
  "initial_access_broker": {
    "entry_point": ["/global-protect/login.esp URI"],
    "high_value_targets": [
      "Enterprise VPN systems",
      "PAN-OS management interfaces"
    ],
    "reconnaissance_period": "Ongoing since mid-November 2025"
  },
  "investigation_status": "Ongoing (GreyNoise assessment)",
  "lessons_learned": [
    "Brute-force spikes against VPN systems (e.g., Fortinet) often precede vulnerability disclosures by ~6 weeks.",
    "Distributed hosting infrastructure (e.g., AS200373) can obfuscate threat actor origins.",
    "Consistent JA4t fingerprints can help attribute coordinated campaigns.",
    "Rate limiting and IP blocking are critical for mitigating brute-force attacks."
  ],
  "motivation": [
    "Reconnaissance",
    "Potential Future Exploitation",
    "Credential Harvesting"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch management for VPN systems",
      "Network segmentation for VPN infrastructure",
      "Enhanced monitoring for brute-force patterns (e.g., JA4t fingerprints)",
      "Blocklist management for malicious ASNs/IPs"
    ],
    "root_causes": [
      "Unpatched vulnerabilities in GlobalProtect/PAN-OS (CVE-2025-0108, etc.)",
      "Lack of rate limiting on authentication endpoints",
      "Exposure of VPN login portals to untrusted networks"
    ]
  },
  "recommendations": [
    "Immediately upgrade to patched versions of PAN-OS and GlobalProtect.",
    "Restrict VPN management interface access to trusted IPs.",
    "Monitor for anomalous traffic from AS200373 (3xK Tech GmbH, Germany) and AS208885 (Noyobzoda Faridduni Saidilhom).",
    "Implement rate limiting on VPN authentication endpoints (/global-protect/login.esp).",
    "Block malicious IPs using GreyNoise Block or similar solutions.",
    "Prepare for potential follow-on exploitation of undisclosed vulnerabilities."
  ],
  "references": [
    {
      "date_accessed": "2025-11-14",
      "source": "GreyNoise Intelligence Report"
    }
  ],
  "regulatory_compliance": {
    "regulatory_notifications": ["CISA KEV (for CVE-2025-0108)"]
  },
  "response": {
    "containment_measures": [
      "Upgrade to patched versions of PAN-OS/GlobalProtect",
      "Restrict management interface access to trusted internal IPs",
      "Monitor for anomalous login attempts from suspicious ASNs (AS200373, AS208885)",
      "Implement rate limiting on VPN authentication endpoints"
    ],
    "enhanced_monitoring": [
      "Monitor for JA4t fingerprints: 65495_2-4-8-1-3_65495_7, 33280_2-4-8-1-3_65495_7"
    ],
    "remediation_measures": [
      "Apply patches for CVE-2025-0108, CVE-2025-2183, CVE-2025-0141, CVE-2025-0140",
      "Block malicious IPs via GreyNoise Block solution"
    ],
    "third_party_assistance": ["GreyNoise (threat intelligence and blocking solutions)"]
  },
  "threat_actor": {
    "attribution_confidence": "High (assessed by GreyNoise)",
    "tactics_techniques_procedures": [
      "Brute-force scanning",
      "Distributed hosting infrastructure (AS200373, AS208885)",
      "Consistent JA4t fingerprints (65495_2-4-8-1-3_65495_7, 33280_2-4-8-1-3_65495_7)",
      "Temporal patterns matching previous campaigns"
    ]
  },
  "title": "Massive Brute-Force Campaign Targeting Palo Alto Networks GlobalProtect VPN Systems",
  "type": ["Brute-Force Attack", "Coordinated Campaign", "Reconnaissance"],
  "vulnerability_exploited": [
    {
      "affected_versions": ["PAN-OS 10.1", "10.2", "11.1", "11.2 (unpatched versions)"],
      "cve_id": "CVE-2025-0108",
      "cvss_score": 7.8,
      "description": "Authentication bypass in PAN-OS management interface",
      "status": "Actively exploited, added to CISA KEV"
    },
    {
      "affected_versions": ["GlobalProtect 6.0-6.3 (Windows, Linux)"],
      "cve_id": "CVE-2025-2183",
      "cvss_score": 4.5,
      "description": "Improper certificate validation in GlobalProtect App leading to privilege escalation",
      "status": "Patched in GlobalProtect 6.3.3-h2, 6.2.8-h3"
    },
    {
      "affected_versions": ["GlobalProtect 6.0-6.3 (macOS, Windows, Linux)"],
      "cve_id": "CVE-2025-0141",
      "cvss_score": 5.7,
      "description": "Privilege escalation vulnerability in GlobalProtect App",
      "status": "Patched in GlobalProtect 6.3.3-h1, 6.2.8-h2, 6.2.8"
    },
    {
      "affected_versions": ["GlobalProtect 6.0-6.3 (macOS)"],
      "cve_id": "CVE-2025-0140",
      "cvss_score": 4.3,
      "description": "Non-admin user can disable GlobalProtect App",
      "status": "Patched in GlobalProtect 6.3.3-h1, 6.2.8-h2"
    }
  ]
}
```