Network Security Warning: Surge in Suspicious Login Scanning Activity
Cybersecurity experts have detected a significant increase in suspicious login scanning activity targeting Palo Alto Networks’ PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals.
This pattern indicates a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation, according to threat intelligence firm GreyNoise, which reported the surge.
The scanning activity commenced on March 17, 2025, held at nearly 20,000 unique IP addresses per day, and dropped off on March 26, with a peak of 23,958 unique IP addresses participating. Notably, only a smaller subset of 154 IP addresses has been flagged as malicious.
The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.
Although the motivation behind this activity is currently unclear, it suggests a systematic approach to testing network defenses, which could pave the way for later exploitation.
Bob Rudis, VP of Data Science at GreyNoise, noted, “Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies. These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”
In light of this unusual activity, it is essential that organizations with internet-facing Palo Alto Networks instances take immediate action to secure their login portals.
The Hacker News has reached out to Palo Alto Networks for further comment and will update the story if a response is received.