In an escalating campaign targeting remote access infrastructure, threat actors have initiated active exploitation attempts against Palo Alto Networks’ GlobalProtect VPN portals.
GreyNoise tracking activity reports scans and exploitation attempts originating from more than 7,000 unique IP addresses worldwide, raising alarms for organizations that rely on the popular VPN solution for secure remote work.

The attacks, first detected in late November 2025, focus on vulnerabilities in GlobalProtect gateways, particularly those exposed on the internet via UDP port 4501.
According to data from Shadowserver and other threat intelligence feeds, the IP sources span residential proxies, bulletproof hosting providers, and compromised VPS instances across Asia, Europe, and North America.
“This isn’t opportunistic scanning; actors are probing for weak configurations and chaining them with known exploits,” noted a researcher from a major cybersecurity firm, who spoke on condition of anonymity.
Palo Alto Networks’ GlobalProtect has long been a prime target due to its ubiquity in enterprise environments. Historical flaws, such as CVE-2024-3400 (a critical command injection vulnerability patched in April 2024 with CVSS score 9.8), continue to haunt unpatched systems.
Recent waves exploit misconfigurations allowing pre-authentication access, including default credentials or exposed admin portals. Attackers deploy tools like custom scripts mimicking Metasploit modules to enumerate portals, brute-force logins, and drop malware for persistence.
Mandiant’s latest threat report attributes similar tactics to Chinese state-affiliated groups like UNC4841, though no single actor has been definitively linked to this surge.
Indicators of compromise include anomalous UDP traffic spikes to port 4501, followed by HTTP requests to /global-protect/login.urd endpoints. In confirmed breaches, intruders have exfiltrated session tokens, enabling lateral movement into corporate networks.
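The two indicators described above (a burst of UDP/4501 traffic from one source, followed by HTTP requests to the /global-protect/login.urd login page from the same source) can be correlated in a log pipeline. The following is an added example written for this article, not code from Palo Alto Networks or any of the researchers quoted; it runs over constructed sample records in a simplified `ts|kind|src|detail` format (not a real firewall or web-server log format), and the spike threshold and time windows are assumptions a defender would tune to their own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable assumptions (not values from the article): what counts as a "spike"
# of UDP/4501 flows, and how long afterwards a login-page request is considered
# part of the same activity.
UDP_SPIKE_THRESHOLD = 20
SPIKE_WINDOW = timedelta(seconds=60)
FOLLOWUP_WINDOW = timedelta(minutes=10)
LOGIN_PATH = "/global-protect/login.urd"


def _ts(s):
    return datetime.fromisoformat(s)


def build_sample_logs():
    """Constructed records (not real logs) in a simplified 'ts|kind|src|detail' format."""
    base = _ts("2025-12-01T10:00:00")
    logs = []
    # Scanner-like source: 25 UDP/4501 flows in 50 s, then a login-page request 5 min later.
    for i in range(25):
        logs.append(f"{(base + timedelta(seconds=2 * i)).isoformat()}|udp|203.0.113.7|dport=4501")
    logs.append(f"{(base + timedelta(minutes=5)).isoformat()}|http|203.0.113.7|GET /global-protect/login.urd")
    # Ordinary user: a couple of UDP flows and one login request, well below the threshold.
    logs.append(f"{(base + timedelta(minutes=1)).isoformat()}|udp|198.51.100.5|dport=4501")
    logs.append(f"{(base + timedelta(minutes=1, seconds=3)).isoformat()}|udp|198.51.100.5|dport=4501")
    logs.append(f"{(base + timedelta(minutes=2)).isoformat()}|http|198.51.100.5|GET /global-protect/login.urd")
    # Noisy host: a UDP spike but no follow-up request to the login page.
    for i in range(30):
        logs.append(f"{(base + timedelta(minutes=20, seconds=i)).isoformat()}|udp|192.0.2.9|dport=4501")
    return sorted(logs)


def parse(line):
    """Split one record into (timestamp, kind, source IP, detail)."""
    ts, kind, src, detail = line.split("|", 3)
    return _ts(ts), kind, src, detail


def find_udp_spikes(records):
    """Return {src: [times]} for every point at which a source has at least
    UDP_SPIKE_THRESHOLD flows to UDP/4501 inside a sliding SPIKE_WINDOW."""
    flows = defaultdict(list)
    for ts, kind, src, detail in records:
        if kind == "udp" and "dport=4501" in detail:
            flows[src].append(ts)
    spikes = defaultdict(list)
    for src, times in flows.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits inside SPIKE_WINDOW.
            while t - times[start] > SPIKE_WINDOW:
                start += 1
            if end - start + 1 >= UDP_SPIKE_THRESHOLD:
                spikes[src].append(t)
    return spikes


def correlate(lines):
    """Flag sources whose UDP/4501 spike is followed, within FOLLOWUP_WINDOW,
    by an HTTP request for the GlobalProtect login page."""
    records = sorted(parse(line) for line in lines)
    spikes = find_udp_spikes(records)
    alerts, seen = [], set()
    for ts, kind, src, detail in records:
        if kind != "http" or LOGIN_PATH not in detail.lower() or src not in spikes:
            continue
        if any(timedelta(0) <= ts - s <= FOLLOWUP_WINDOW for s in spikes[src]) and src not in seen:
            seen.add(src)
            alerts.append({"src": src, "first_login_request": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_sample_logs()):
        print(f"correlated activity from {alert['src']} (login page hit at {alert['first_login_request']})")
```

Only the source that both exceeds the UDP threshold and then requests the login page is reported; the legitimate user stays below the threshold and the host with a spike alone is not escalated, which keeps the rule from firing on ordinary VPN client traffic while still surfacing the sequence the article describes.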
Palo Alto Networks issued an urgent advisory on December 5, urging customers to enforce multi-factor authentication (MFA), restrict portal exposure via firewalls, and apply the latest patches.
“GlobalProtect remains secure when properly configured, but internet-facing portals are high-value targets,” the company stated. CISA has added related IOCs to its Known Exploited Vulnerabilities catalog, advising federal agencies to patch within 72 hours.
Experts recommend air-gapping critical portals, implementing zero-trust segmentation, and monitoring for beaconing to C2 servers like those hosted on AWS or Azure. As hybrid work persists, this campaign underscores the fragility of legacy VPNs against industrialized attacks.
