
Active Attacks on GlobalProtect VPN Portals — What You Need to Know

Marty Olo

12/7/2025

Active attacks targeting GlobalProtect VPN portals and security advice
Introduction

Remote-access VPNs remain a critical part of modern enterprise infrastructure, especially as remote and hybrid work continue to grow. However, their importance also makes them attractive targets for attackers. In late 2025, security researchers observed a significant surge in automated scanning and login attempts targeting Palo Alto Networks GlobalProtect VPN portals.

These activities highlight an ongoing trend: publicly exposed VPN services are consistently probed at scale, often as a precursor to credential abuse or vulnerability exploitation. This article explains what GlobalProtect is, what researchers observed during the recent surge, why it matters, and how organizations can reduce risk.

What Is GlobalProtect?

GlobalProtect is the VPN and remote-access solution provided by Palo Alto Networks, operating on the PAN-OS platform. It is widely used by enterprises, government organizations, healthcare providers, and educational institutions to provide secure remote connectivity for employees and contractors.

Because GlobalProtect portals are often accessible from the public internet, they can become high-value targets — particularly when configurations are outdated, credentials are weak, or additional authentication controls are not enforced.

The 2025 Attack Surge: Scope and Activity

Security intelligence firms and industry publications reported several notable spikes in activity throughout 2025:

  • In November 2025, GreyNoise recorded approximately 2.3 million scan sessions targeting GlobalProtect login endpoints in a coordinated campaign

  • This activity represented an estimated 40-fold increase within a 24-hour period, the highest level observed against GlobalProtect portals in recent months

  • Earlier in the year (March–April 2025), nearly 24,000 unique IP addresses were observed scanning GlobalProtect portals over a 30-day period

  • In October 2025, researchers reported a jump from roughly 200 daily scanning IPs to between 1,300 and 2,200, a spike of around 500%

These figures indicate widespread, automated, and persistent probing rather than isolated or opportunistic behavior.

What Attackers Are Doing
Automated Scanning and Reconnaissance

The most common behavior observed was automated scanning. Attackers probe exposed GlobalProtect portals to determine:

  • Whether the portal is reachable

  • Which PAN-OS or GlobalProtect version is running

  • How the login endpoint responds

This reconnaissance helps attackers identify potential targets across large portions of the internet. Researchers noted consistent scanning patterns, often associated with specific infrastructure providers or autonomous system numbers (ASNs).

Brute-Force and Credential-Stuffing Attempts

In addition to scanning, many sessions involved repeated login attempts. At this scale, attackers are likely using credential lists from previous breaches to attempt access on any portal with weak or reused credentials.

While not every scan results in compromise, even a small success rate can provide attackers with valid remote access to enterprise networks.

Possible Precursor to Exploitation

Historically, large-scale scanning activity has sometimes preceded the public disclosure or exploitation of new vulnerabilities. This does not guarantee an exploit is imminent, but it does suggest attackers may be identifying unpatched or misconfigured systems for future targeting.

Why This Surge Matters

Several factors make this activity noteworthy:

  • Scale and automation: Millions of sessions and thousands of IP addresses indicate coordinated campaigns, not random noise

  • Global reach: Observed targets span multiple regions, including North America, Asia, and beyond

  • Risk of compromise: Successful credential abuse or exploitation could lead to unauthorized access, data exposure, ransomware deployment, or persistent network intrusion

  • VPNs as a common attack vector: VPN gateways remain one of the most frequently targeted external services in enterprise environments

Even organizations that have not yet been compromised may still face elevated risk if basic protections are not in place.

Who Is Most at Risk?

Organizations and users at higher risk include:

  • Enterprises with publicly exposed GlobalProtect portals

  • Environments using default or weak authentication settings

  • Remote-work infrastructures relying heavily on VPN access

  • Administrators who have not enabled multi-factor authentication (MFA)

  • Systems that expose web-based or clientless VPN login pages without additional controls

Industries such as healthcare, education, SaaS, and government are often targeted due to their reliance on remote access and sensitive data.

How to Reduce Risk and Strengthen VPN Security

Organizations managing GlobalProtect or similar VPN solutions should consider the following defensive measures:

Enforce Strong Authentication
  • Require MFA for all VPN users

  • Enforce strong, unique password policies

  • Disable legacy or unused accounts

Limit Portal Exposure
  • Restrict access by IP range or geography where feasible

  • Avoid unnecessary public exposure of login portals

  • Consider Zero-Trust or identity-aware access models

Keep Systems Updated
  • Regularly patch PAN-OS and GlobalProtect components

  • Monitor vendor security advisories and apply fixes promptly

Monitor and Respond
  • Review logs for repeated failed logins or unusual access patterns

  • Set alerts for abnormal authentication behavior

  • Investigate spikes in traffic to VPN endpoints

Use Threat Intelligence
  • Block known malicious IPs or ASNs when appropriate

  • Leverage reputable threat-intelligence feeds to improve detection
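The two measures above (reviewing logs for repeated failed logins and checking sources against threat intelligence) can be combined into one small detection pass. The following is an added example, not code from the article or from Palo Alto Networks; it reads a constructed, simplified log format of the form "timestamp src_ip user result" rather than the real PAN-OS/GlobalProtect log schema, and the addresses and the BLOCKLIST are constructed documentation-range values standing in for a real feed. It flags a source IP whose failed logins inside a sliding window cross a threshold, labels the pattern as credential stuffing (many distinct usernames from one source) or password guessing (one account), and reports any activity from blocklisted sources, with a successful login from such a source being the first thing to investigate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp src_ip user result" layout.
# This is NOT the PAN-OS/GlobalProtect log schema; on a real deployment parse_log()
# would be replaced by a parser for the vendor's authentication log fields.
SAMPLE_LOG = """\
2025-11-14T10:00:01Z 198.51.100.7 alice FAIL
2025-11-14T10:00:02Z 198.51.100.7 bob FAIL
2025-11-14T10:00:03Z 198.51.100.7 carol FAIL
2025-11-14T10:00:04Z 198.51.100.7 dave FAIL
2025-11-14T10:00:05Z 198.51.100.7 erin FAIL
2025-11-14T10:00:06Z 198.51.100.7 frank FAIL
2025-11-14T10:01:00Z 203.0.113.5 alice FAIL
2025-11-14T10:01:30Z 203.0.113.5 alice SUCCESS
2025-11-14T10:02:00Z 192.0.2.9 bob SUCCESS
2025-11-14T11:30:00Z 198.51.100.7 grace FAIL
"""

# Constructed stand-in for a threat-intelligence blocklist (documentation-range address).
BLOCKLIST = {"192.0.2.9"}


def parse_log(text):
    """Parse the simplified format into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag source IPs whose failed logins inside any sliding window of length
    `window` reach `threshold`. Returns {ip: {"max_fails_in_window": n,
    "distinct_users": m, "pattern": ...}}. Many distinct usernames from one
    source suggests credential stuffing; repeated failures on one account
    suggests password guessing."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        peak, start = 0, 0
        for end in range(len(fails)):
            # Slide the window start forward until fails[start..end] fit in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            users = {u for _, u in fails}
            flagged[ip] = {
                "max_fails_in_window": peak,
                "distinct_users": len(users),
                "pattern": "credential-stuffing" if len(users) > 1 else "password-guessing",
            }
    return flagged


def blocklist_hits(events, blocklist):
    """Return {ip: {"events": n, "successes": m}} for every source IP on the blocklist.
    A successful login from a listed address is the case to investigate first."""
    hits = {}
    for _, ip, _, result in events:
        if ip in blocklist:
            entry = hits.setdefault(ip, {"events": 0, "successes": 0})
            entry["events"] += 1
            if result == "SUCCESS":
                entry["successes"] += 1
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, info in find_bruteforce(evts).items():
        print(f"brute-force suspect {ip}: {info}")
    for ip, info in blocklist_hits(evts, BLOCKLIST).items():
        print(f"blocklisted source {ip}: {info}")
```

The window and threshold are deliberately parameters: the right values depend on the portal's normal failure rate, so tune them against a baseline week of logs before wiring the output to an alert. Note that a single source with one failure followed by a success (203.0.113.5 in the sample) is not flagged; a user mistyping a password is exactly the noise the threshold is meant to absorb.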

Final Thoughts

The recent wave of automated scanning and login attempts targeting GlobalProtect VPN portals reinforces a familiar lesson: remote-access infrastructure remains a primary attack surface. As attackers continue to operate at scale, organizations can no longer afford a “set-and-forget” approach to VPN security.

In 2025, protecting VPN access requires continuous monitoring, strong authentication, regular patching, and thoughtful exposure management. For teams responsible for remote-access systems, this activity serves as a timely reminder to review configurations and strengthen defenses before attackers find an opportunity.
