Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Cisco, Fortinet, Palo Alto Networks Devices Targeted in Coordinated Campaign

GreyNoise has discovered that attacks exploiting Cisco, Fortinet, and Palo Alto Networks vulnerabilities are launched from the same infrastructure.

Global cyberattack

Three exploitation campaigns targeting Cisco and Palo Alto Networks firewalls and Fortinet VPNs originate from IPs on the same subnets, GreyNoise has discovered.

The threat intelligence firm initially warned of scanning attempts targeting Cisco ASA devices in early September, roughly three weeks before Cisco disclosed two zero-day vulnerabilities impacting Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software.

The bugs, tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), were exploited in attacks linked to the ArcaneDoor espionage campaign, which has been attributed to hackers based in China.

Last week, GreyNoise warned of a massive increase in scanning activity related to Palo Alto Networks GlobalProtect login portals, as well as a surge in the count of unique ASNs involved.

The cybersecurity firm noticed a 500% spike in scanning activity over a period of two days, originating from roughly 1,300 IPs. Within days, the number of involved unique IPs surged to 2,200, as more threat actors likely engaged in the activity.

Over the past week, GreyNoise observed over 1.3 million unique login attempts targeting the Palo Alto Networks firewalls, and has published a list of the credentials used in the campaign.

Advertisement. Scroll to continue reading.

On Thursday, the company warned that the scanning campaigns targeting Cisco and Palo Alto Networks firewalls originate from IPs located on the same subnets, and that they can also be tied to brute forcing attacks targeting Fortinet VPNs.

“Spikes in Fortinet VPN brute force attempts are typically followed by Fortinet VPN vulnerabilities disclosures within six weeks. Block all IPs brute forcing Fortinet SSL VPNs, and consider hardening defenses for firewall and VPN appliances amid these findings,” GreyNoise says.

In fact, the threat intelligence firm says, roughly 80% of spikes in activity targeting firewall and VPN products from known vendors are an early warning that new vulnerabilities in these products are likely to be disclosed within the following six weeks.

The three campaigns targeting Cisco, Fortinet, and Palo Alto Networks devices share TCP fingerprints, leverage the same subnets, and show elevated activity at similar times.

“We assess with high confidence that all three campaigns are at least partially driven by the same threat actor(s),” GreyNoise says. 

The company has also published a list of credentials used in the Fortinet campaign.

Related: ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities

Related: Cisco Patches Zero-Day Flaw Affecting Routers and Switches

Related: Hackers Looking for Vulnerable Palo Alto Networks GlobalProtect Portals

Related: Fortinet FortiWeb Flaw Exploited in the Wild After PoC Publication

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.