Executive Summary
Beginning on November 14, 2025, security researchers observed an unprecedented surge in scanning against Palo Alto Networks GlobalProtect VPN portals worldwide. More than 2.3 million scan sessions were recorded within days, originating from IP addresses spread across many countries and driven by automated tooling that probes portals for version information, exposed endpoints and weaknesses in remote-access infrastructure. No large-scale exploitation or breach has been confirmed, but scanning at this scale is the reconnaissance that typically precedes exploitation, which is why it is a significant concern for organizations that depend on GlobalProtect for remote access.
The event marks a sharp escalation in mass automated reconnaissance against widely deployed VPN products. It follows a run of critical vulnerabilities in VPN technologies and a growing attacker preference for remote-access systems as an initial access vector, and it reinforces the need for better monitoring, prompt patching and modern segmentation controls around remote-access environments.
Why This Matters Now
This wave of scanning against GlobalProtect portals is urgent because reconnaissance of this kind usually precedes targeted exploitation: attackers are enumerating which portals are reachable and which run unpatched code. The scale and speed of the probes show how quickly attackers adapt, and they make the case for hardening remote-access points now, confirming patch levels against the vendor advisories, and monitoring portal traffic for abnormal access patterns rather than waiting for exploitation to be confirmed.
Attack Path Analysis
Only the first stage of this path has been observed: broad scanning of exposed GlobalProtect portals to identify reachable endpoints, software versions and authentication weaknesses. The remaining stages are a projection of how such reconnaissance is typically followed up. Where an unpatched portal or weak authentication is found, an attacker could attempt credential stuffing or exploit a known flaw to gain access, then escalate privileges through misconfigurations or stolen accounts. Once inside, the adversary could move laterally between workloads or services reachable over the VPN, establish command and control over protocols the VPN policy already permits, exfiltrate sensitive data or credentials through outbound VPN traffic, and finally cause impact such as disabling security tools or deploying ransomware.
Kill Chain Progression
Initial Compromise
Description
Attackers launched automated scans against exposed GlobalProtect VPN portals to identify software versions, weaknesses and vulnerable endpoints. The logical next step, which has not been confirmed in this campaign, is an access attempt using valid credentials or a known exploit against the portals found to be vulnerable.
Related CVEs
CVE-2025-0133
CVSS 5.5
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect gateway and portal features of PAN-OS allows execution of malicious JavaScript in an authenticated user's browser when the user clicks a specially crafted link.
Affected Products:
Palo Alto Networks PAN-OS – 11.2.x < 11.2.7, 11.1.x < 11.1.11, 10.2.x < 10.2.17, 10.1.x (all versions)
Exploit Status:
proof of concept
CVE-2025-0141
CVSS 8.4
A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app allows a locally authenticated user to escalate privileges to root on macOS and Linux, or to SYSTEM on Windows. Note that the affected-products line below lists only Windows and Linux builds; consult the vendor advisory for macOS versions.
Affected Products:
Palo Alto Networks GlobalProtect app – Windows: 6.3.x < 6.3.3-h2, 6.2.x < 6.2.8-h3, 6.1.x (all versions), 6.0.x (all versions); Linux: 6.3.x < 6.3.3, 6.2.x (all versions), 6.1.x (all versions), 6.0.x (all versions)
Exploit Status:
no public exploit
CVE-2024-3400
CVSS 10.0
A critical command injection vulnerability in the GlobalProtect feature of PAN-OS allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Affected Products:
Palo Alto Networks PAN-OS – 11.1.x < 11.1.2-h3, 11.0.x < 11.0.4-h1, 10.2.x < 10.2.9-h1
Exploit Status:
exploited in the wild
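The affected-version ranges above are easy to misread when a hotfix suffix is involved (11.1.2 is vulnerable to CVE-2024-3400, 11.1.2-h3 is not). The following is an added example, not Palo Alto Networks tooling, that encodes exactly the ranges this page lists and checks a version string against them; it treats an unlisted release branch as "not on this page" rather than "safe", and the vendor advisories remain authoritative.

```python
"""
Added example (not Palo Alto Networks tooling): decide whether a PAN-OS or
GlobalProtect app version string falls inside the affected ranges transcribed
from the CVE entries above. The vendor advisories remain authoritative; the
table below only encodes what this page lists.
"""
import re

# Per CVE: product label -> {release branch: first fixed version, or None when
# the page lists the whole branch as affected}.
AFFECTED = {
    "CVE-2024-3400": {"PAN-OS": {
        "11.1": "11.1.2-h3", "11.0": "11.0.4-h1", "10.2": "10.2.9-h1"}},
    "CVE-2025-0133": {"PAN-OS": {
        "11.2": "11.2.7", "11.1": "11.1.11", "10.2": "10.2.17", "10.1": None}},
    "CVE-2025-0141": {
        "GlobalProtect (Windows)": {"6.3": "6.3.3-h2", "6.2": "6.2.8-h3", "6.1": None, "6.0": None},
        "GlobalProtect (Linux)": {"6.3": "6.3.3", "6.2": None, "6.1": None, "6.0": None},
    },
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_version(text):
    """'11.1.2-h3' -> (11, 1, 2, 3). A release with no hotfix suffix sorts as h0,
    so 11.1.2 < 11.1.2-h3 < 11.1.3, matching how PAN-OS hotfixes are numbered."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version, branches):
    """True when the version sits below the fixed release for its branch."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in branches:
        # Branch not listed on this page: unknown, not "safe". Check the advisory.
        return False
    fixed = branches[branch]
    return True if fixed is None else parsed < parse_version(fixed)


def affected_cves(version, product="PAN-OS"):
    """Sorted CVE IDs from the table that apply to this product/version pair."""
    return sorted(
        cve for cve, products in AFFECTED.items()
        if product in products and is_affected(version, products[product])
    )


if __name__ == "__main__":
    for product, version in [("PAN-OS", "11.1.2"), ("PAN-OS", "11.1.2-h3"),
                             ("PAN-OS", "10.1.14"), ("GlobalProtect (Windows)", "6.3.3")]:
        print(f"{product} {version}: {affected_cves(version, product) or 'none listed'}")
```

Feed it the version string from `show system info` (PAN-OS) or the app's About dialog; anything the regex rejects, such as a build with an unusual suffix, raises rather than silently passing.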
MITRE ATT&CK® Techniques
Active Scanning
Service Scanning
Permission Groups Discovery
Network Service Scanning
External Remote Services
Exploit Public-Facing Application
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Access Controls and Identity Management
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 10(1)
CISA ZTMM 2.0 – Monitor and Protect Remote Access
Control ID: Pillar: Identity, Policy: Identity Governance
NIS2 Directive – Incident Detection and Response
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Mass reconnaissance against VPN infrastructure exposes financial institutions' remote-access perimeter to follow-on exploitation, putting encrypted access paths and PCI DSS remote-access controls at risk.
Health Care / Life Sciences
GlobalProtect scanning campaigns threaten healthcare VPN security: a compromised portal would undermine the encrypted communications that HIPAA-covered entities rely on and expose patient data in transit across medical networks.
Government Administration
Mass VPN portal probing creates significant government security risks, potentially compromising sensitive communications and threatening zero trust segmentation across federal agency networks.
Professional Training
Educational VPN infrastructure faces reconnaissance threats that could disrupt remote learning platforms and compromise secure connectivity for distributed training environments.
Sources
- GlobalProtect VPN portals probed with 2.3 million scan sessions: https://www.bleepingcomputer.com/news/security/globalprotect-vpn-portals-probed-with-23-million-scan-sessions/
- CVE-2025-0133: Palo Alto Networks GlobalProtect XSS Vulnerability: https://www.shield53.com/insights/cve-2025-0133-palo-alto-networks-globalprotect-xss-vulnerability
- Palo Alto Networks GlobalProtect Flaw Allows Privilege Escalation: https://cyberpress.org/palo-alto-networks-globalprotect-flaw/
- CVE-2024-3400 PAN-OS: Command Injection Vulnerability in GlobalProtect: https://security.paloaltonetworks.com/CVE-2024-3400
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, real-time threat detection, and egress policy enforcement would have significantly constrained the progression of this attack, limiting exposure even if an initial foothold was achieved. CNSF capabilities provide layered defense by restricting lateral movement, detecting abnormal VPN activity, and preventing unauthorized data transfers.
Control: Cloud Firewall (ACF)
Mitigation: Unauthorized access attempts and scans are blocked and logged at the cloud perimeter.
Control: Zero Trust Segmentation
Mitigation: Compromised access is contained to only authorized resources, limiting privilege escalation risk.
Control: East-West Traffic Security
Mitigation: Attempts to traverse laterally are detected and blocked between isolated network segments.
Control: Threat Detection & Anomaly Response
Mitigation: C2 communications are rapidly detected and flagged for incident response.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data exfiltration attempts are blocked or logged for investigation.
Autonomous, inline controls constrain the blast radius and limit attacker impact.
Impact at a Glance
Affected Business Functions
- Remote Access
- Network Security
- Data Protection
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data due to unauthorized access through exploited vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to contain access strictly to required resources and minimize lateral movement risk.
- Deploy Cloud Firewall and egress policy controls at all cloud entry points, especially around VPN portals, to block reconnaissance and unauthorized traffic.
- Leverage real-time anomaly detection and threat intelligence to quickly identify and respond to suspicious scanning or C2 activity.
- Apply strong east-west traffic security and microsegmentation within cloud environments to restrict internal attack paths.
- Regularly review and update VPN configurations, credential hygiene, and security posture to ensure only legitimate access is permitted.
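The anomaly-detection recommendation above is concrete enough to sketch. The following is an added example, not vendor or CNSF code, that flags portal probing in an access-log sample: it counts requests to GlobalProtect portal and gateway URL prefixes per source address inside a sliding window and reports the number of distinct sources touching the portal, which is the fleet-wide surge signal worth trending. It assumes a simple space-separated export of timestamp, source IP, method, path and status, such as a reverse proxy or SIEM could produce; the sample log lines are constructed for illustration.

```python
"""
Added example (not vendor code): spot portal probing in an access-log sample.
Assumes a simple space-separated export of 'timestamp src-ip method path status'
such as a reverse proxy or SIEM could produce; PAN-OS's own GlobalProtect logs
would need a different parser. The log below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# URL prefixes served by the GlobalProtect portal and gateway.
PORTAL_PREFIXES = ("/global-protect/", "/ssl-vpn/")

# Constructed sample: one source hammering the login page for under a minute,
# one legitimate user who logs in, one unrelated request.
SAMPLE_LOG = "\n".join(
    [f"2025-11-14T10:00:{s:02d}Z 203.0.113.7 GET /global-protect/login.esp 200"
     for s in range(45)]
    + [
        "2025-11-14T10:00:10Z 198.51.100.5 GET /global-protect/login.esp 200",
        "2025-11-14T10:00:14Z 198.51.100.5 POST /global-protect/login.esp 302",
        "2025-11-14T10:00:20Z 203.0.113.7 GET /ssl-vpn/login.esp 200",
        "2025-11-14T10:00:21Z 192.0.2.9 GET /index.html 404",
    ]
)


def parse_line(line):
    """Split one 'timestamp src-ip method path status' record."""
    ts, ip, method, path, status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, method, path, int(status)


def peak_hits_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window_seconds span."""
    times = sorted(times)
    peak, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
            j += 1
        peak = max(peak, j - i)
    return peak


def find_probing_sources(log_text, window_seconds=60, threshold=20):
    """Return ({src_ip: peak hits}, distinct portal sources).

    A source whose portal requests reach `threshold` inside any `window_seconds`
    span is a scanner candidate. The distinct-source count is the fleet-wide
    surge signal: trend it against a baseline to catch campaigns like this one,
    where each source may stay below the per-IP threshold.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, _method, path, _status = parse_line(line)
        if path.startswith(PORTAL_PREFIXES):
            per_ip[ip].append(when)
    alerts = {}
    for ip, times in per_ip.items():
        peak = peak_hits_in_window(times, window_seconds)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts, len(per_ip)


if __name__ == "__main__":
    alerts, sources = find_probing_sources(SAMPLE_LOG)
    print(f"{sources} distinct sources touched the portal; flagged: {alerts}")
```

The per-IP threshold catches a single noisy scanner; a distributed campaign like the one described on this page shows up instead as a jump in distinct portal sources per window, so alert on both signals.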