Three scanning and brute-force campaigns targeting Cisco and Palo Alto Networks firewalls and Fortinet VPNs originate from IPs on the same subnets, GreyNoise has discovered.
The threat intelligence firm initially warned of scanning attempts targeting Cisco ASA devices in early September, roughly three weeks before Cisco disclosed two zero-day vulnerabilities impacting Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software.
The bugs, tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), were exploited in attacks linked to the ArcaneDoor espionage campaign, which has been attributed to hackers based in China.
Last week, GreyNoise warned of a massive increase in scanning activity related to Palo Alto Networks GlobalProtect login portals, as well as a surge in the count of unique ASNs involved.
The cybersecurity firm noticed a 500% spike in scanning activity over a period of two days, originating from roughly 1,300 IPs. Within days, the number of involved unique IPs surged to 2,200, as more threat actors likely engaged in the activity.
Over the past week, GreyNoise observed over 1.3 million unique login attempts targeting the Palo Alto Networks firewalls, and has published a list of the credentials used in the campaign.
On Thursday, the company warned that the scanning campaigns targeting Cisco and Palo Alto Networks firewalls originate from IPs located on the same subnets, and that they can also be tied to brute-force attacks targeting Fortinet SSL VPNs.
“Spikes in Fortinet VPN brute force attempts are typically followed by Fortinet VPN vulnerabilities disclosures within six weeks. Block all IPs brute forcing Fortinet SSL VPNs, and consider hardening defenses for firewall and VPN appliances amid these findings,” GreyNoise says.
In fact, the threat intelligence firm says, roughly 80% of observed spikes in scanning activity against firewall and VPN products from major vendors have been followed by the disclosure of a new vulnerability in the targeted product within six weeks, making such spikes an early warning signal.
The three campaigns targeting Cisco, Fortinet, and Palo Alto Networks devices share TCP fingerprints, leverage the same subnets, and show elevated activity at similar times.
“We assess with high confidence that all three campaigns are at least partially driven by the same threat actor(s),” GreyNoise says.
The company has also published a list of credentials used in the Fortinet campaign.
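The two actionable points in the report are to block sources that brute-force the SSL VPN and to treat sources that share a subnet as one campaign rather than as unrelated noise. The following script is an added example, not code from GreyNoise or from any of the vendors named above: it parses login-failure events, flags sources that exceed a failure threshold, groups the flagged sources by /24, and emits both per-IP blocks and whole-subnet blocks where several flagged IPs fall in the same /24. The log lines are constructed for the example in a simplified FortiGate-style key=value layout (field names `action`, `remip`, `user` follow FortiGate's event/vpn logs; the values, the threshold of 5 and the /24 grouping are assumptions for illustration).

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample events (simplified FortiGate-style key=value format).
# Addresses are from the RFC 5737 documentation ranges; counts are invented.
# Spec: (source IP, action, user, number of events)
_SAMPLE_SPEC = [
    ("203.0.113.10", "ssl-login-fail", "admin", 6),   # brute forcer, subnet A
    ("203.0.113.25", "ssl-login-fail", "test", 5),    # brute forcer, same /24
    ("198.51.100.7", "ssl-login-fail", "root", 5),    # brute forcer, subnet B
    ("192.0.2.44", "ssl-login-fail", "jsmith", 1),    # a real user's typo
    ("192.0.2.44", "ssl-login", "jsmith", 1),         # ...followed by success
]


def _make_line(ip, action, user, seq):
    return (f'date=2025-10-09 time=10:00:{seq:02d} type="event" subtype="vpn" '
            f'action="{action}" remip={ip} user="{user}"')


SAMPLE_LOGS = "\n".join(
    _make_line(ip, action, user, seq)
    for seq, (ip, action, user, n) in enumerate(
        (spec for spec in _SAMPLE_SPEC for _ in range(spec[3])))
)

# action= precedes remip= in these events; capture both in one pass.
LINE_RE = re.compile(
    r'action="(?P<action>[^"]+)".*?remip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})')


def parse_failures(log_text):
    """Return the source IP of every SSL VPN login failure, one entry per event."""
    ips = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") == "ssl-login-fail":
            ips.append(m.group("ip"))
    return ips


def brute_forcers(log_text, threshold=5):
    """Map each source IP with >= threshold failures to its failure count."""
    counts = Counter(parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def subnet_clusters(ips, prefix=24):
    """Group IPs by enclosing /prefix network (the shared-subnet pattern)."""
    clusters = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        clusters[str(net)].append(ip)
    return dict(clusters)


def block_list(log_text, threshold=5, min_ips_per_subnet=2):
    """Return (individual IPs to block, whole /24s to block).

    A /24 is blocked outright when at least min_ips_per_subnet flagged
    sources sit inside it, on the reasoning that co-located brute forcers
    are one campaign and the neighbouring addresses will be next.
    """
    flagged = brute_forcers(log_text, threshold)
    clusters = subnet_clusters(flagged)
    ips = sorted(flagged)
    subnets = sorted(net for net, members in clusters.items()
                     if len(members) >= min_ips_per_subnet)
    return ips, subnets


if __name__ == "__main__":
    ips, subnets = block_list(SAMPLE_LOGS)
    print("block individual IPs:", ips)
    print("block whole subnets: ", subnets)
```

In production the threshold and window would come from a real baseline rather than a fixed 5, and the single-failure user at 192.0.2.44 shows why the count matters: blocking on any failure would lock out legitimate users, while blocking on the cluster catches the second IP in 203.0.113.0/24 even before it crosses the threshold on its own.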