VPN Under Siege: Millions of Probes Expose GlobalProtect’s Weak Points
A tidal wave of suspicious scans has battered Palo Alto Networks’ GlobalProtect VPN portals, revealing new risks for companies worldwide.
Fast Facts
- 2.3 million scan attempts hit GlobalProtect VPN portals in just five days in November 2025.
- Malicious activity surged 40-fold within 24 hours, according to threat intelligence firm GreyNoise.
- The majority of scanning IP addresses were traced to Germany and Canada, coordinated through specific network providers.
- Similar spikes have historically preceded the discovery of new security flaws in VPN products.
- Palo Alto Networks has faced multiple breaches and high-profile vulnerabilities in the past year.
The Digital Drawbridge Under Attack
Picture a massive medieval castle, its drawbridge braced against invaders. Now imagine an army of unseen hands, 2.3 million strong, poking and prodding the gate - searching for a single loose brick. This is the reality facing organizations using Palo Alto Networks’ GlobalProtect VPN, as an unprecedented surge of digital scans battered their virtual front doors in mid-November 2025.
GreyNoise, a real-time threat intelligence company, sounded the alarm: between November 14 and 19, suspicious sessions targeting the GlobalProtect login page skyrocketed, dwarfing all activity seen in the previous three months. The scale - 40 times the usual background noise - suggests a coordinated campaign, not random background chatter.
Anatomy of a Probe: How Attackers Scout for Weakness
The attackers zeroed in on the "/global-protect/login.esp" web address - essentially the digital portal where employees log in to their company’s secure network. While most attempts failed, each scan was a calculated knock, testing for cracks, outdated software, or forgotten vulnerabilities. GreyNoise’s analysis revealed that most scanning IP addresses were clustered in Germany and Canada, funneled through two specific network providers (each identified by an Autonomous System Number, or ASN).
Why so much interest? History offers clues. In the cybersecurity world, such spikes in probing activity often foreshadow the public disclosure of new software flaws. GreyNoise notes that 80 percent of these scan surges are followed by revelations of fresh vulnerabilities - especially in popular products like GlobalProtect. In 2025 alone, Palo Alto Networks faced two major attacks exploiting recently discovered flaws, and a high-profile data breach linked to the ShinyHunters group. Each incident highlighted the lucrative prize that VPN systems represent for cybercriminals: a master key to internal networks.
Global Stakes: Why VPN Probing Matters
VPNs are the unsung heroes of modern business, quietly connecting remote workers to sensitive data. But their very popularity makes them irresistible targets. The latest scan wave didn’t just focus on one country - the United States, Mexico, and Pakistan all saw similar levels of probing, suggesting attackers were casting a global net. The market impact is clear: every surge in scanning activity sows fear among IT teams, drives up demand for security services, and can even spook stock prices of affected vendors.
For businesses, the lesson is clear: treat every failed login or scan attempt not as harmless noise, but as an early warning. As attackers grow more sophisticated, even the most trusted digital gates can become vulnerable - unless they’re constantly reinforced and watched.
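As an added illustration (not from GreyNoise or Palo Alto Networks), the sketch below shows one way a defender could turn that early warning into a check: it counts daily requests to the "/global-protect/login.esp" path and flags days that reach a multiple of the recent median. The log format (Common Log Format from a proxy in front of the portal), the 10x threshold, the /24 grouping used as an offline stand-in for provider lookups, and all function names are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network
from statistics import median

LOGIN_PATH = "/global-protect/login.esp"  # portal path named in the article
# Assumption: Common Log Format lines from a proxy in front of the portal.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

def parse(line):
    """Return (date, source_ip) for a login-page request, else None."""
    m = LINE_RE.match(line)
    if not m or m.group(3).split("?", 1)[0] != LOGIN_PATH:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts.date(), m.group(1)

def find_surges(lines, factor=10.0, min_baseline_days=3):
    """Flag days whose login-page hits reach factor x the median of prior days."""
    per_day = defaultdict(Counter)  # date -> hits per source /24
    for rec in filter(None, map(parse, lines)):
        day, ip = rec
        per_day[day][str(ip_network(f"{ip}/24", strict=False))] += 1
    surges, history = [], []
    for day in sorted(per_day):
        total = sum(per_day[day].values())
        if len(history) >= min_baseline_days:
            base = max(median(history), 1)
            if total >= factor * base:
                top = per_day[day].most_common(2)
                surges.append((day.isoformat(), total, total / base, top))
                continue  # keep surge days out of the baseline
        history.append(total)
    return surges

def sample_lines():
    """Constructed data: three quiet days, then a burst from one /24."""
    fmt = '{ip} - - [{d}/Nov/2025:10:00:00 +0000] "GET {p} HTTP/1.1" 200 512'
    quiet = [fmt.format(ip=f"198.51.100.{i}", d=d, p=LOGIN_PATH)
             for d in (11, 12, 13) for i in range(2)]
    burst = [fmt.format(ip=f"203.0.113.{i}", d=14, p=LOGIN_PATH) for i in range(80)]
    other = [fmt.format(ip="192.0.2.9", d=14, p="/index.html")]
    return quiet + burst + other

if __name__ == "__main__":
    for day, total, ratio, top in find_surges(sample_lines()):
        print(f"{day}: {total} hits, {ratio:.0f}x baseline, top sources {top}")
```

Surge days are kept out of the baseline so a multi-day campaign does not normalise itself; the top source networks show whether the traffic is clustered.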
WIKICROOK
- VPN (Virtual Private Network): A VPN encrypts your internet connection and hides your IP address, providing extra privacy and security when browsing online or using public Wi-Fi.
- Scanning: Scanning is the automated probing of computer systems or networks to find vulnerabilities, often used by attackers and security professionals alike.
- ASN (Autonomous System Number): An ASN is a unique number identifying a group of IP addresses managed by one organization, used to trace and route internet traffic.
- Vulnerability: A vulnerability is a weakness in software or systems that attackers can exploit to gain unauthorized access, steal data, or cause harm.
- Data breach: A data breach is when unauthorized parties access or steal private data from an organization, often leading to exposure of sensitive or confidential information.