Data Connects Scanning Surges for Cisco, Fortinet, PAN Devices
Researchers say that all three campaigns are being driven at least in part by one threat actor.

Researchers say that all three campaigns are being driven at least in part by one threat actor.
October 8, 2025 | 2 min read
Ongoing scanning activity by attackers looking for specific products from Cisco, Fortinet, and Palo Alto Networks are continuing to scale up and researchers say that all three campaigns are being driven at least in part by one threat actor.
GreyNoise data shows a significant spike in scanning for Palo Alto login portals in the last few days, activity that is happening at the same time as large-scale scanning for Fortinet SSL VPN devices and vulnerable Cisco ASA devices. All three of those campaigns are using many of the same subnets, GreyNoise researchers said.
“We assess with high confidence that all three campaigns are at least partially driven by the same threat actor,” GreyNoise wrote.
The data shows that there is elevated activity against all three types of devices at the same time, and that the actors are in many cases relying on shared infrastructure. The activity related to Fortinet SSL VPN devices is a jump in brute force login attempts, while the Cisco ASA scanning is related to the disclosure of zero days in those devices last week. Attackers were exploiting the Cisco ASA flaws before the public disclosure.
“GreyNoise analysis shows that this Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours. In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used. Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TCP fingerprint tied to infrastructure in the Netherlands. This comes after GreyNoise initially reported an ASA scanning surge before Cisco’s disclosure of two ASA zero-days,” GreyNoise said.
“In the past days, GreyNoise has observed an escalation in scanning against Palo Alto Networks PAN-OS GlobalProtect login portals. Since our original reporting of ~1,300 IPs in the afternoon of 3 October, we have observed a sharp rise in the daily number of unique IPs scanning for Palo login portals.”
GreyNoise has published a list of the known usernames and passwords tied to the Palo Alto login attempts, and a separate list for the Fortinet attacks.
October 8, 2025 | 2 min read
Dennis Fisher is an award-winning journalist and author. He is one of the co-founders of Decipher and Threatpost and has been writing about cybersecurity since 2000. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. He is the author of 2.5 novels and once met Shaq. Contact: dennis at decipher.sc.