Security researchers warn of a notable increase in suspicious login scanning activity aimed at Palo Alto Networks’ PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses identified attempting to access the portals.
According to threat intelligence firm GreyNoise, the activity began on March 17, 2025, and persisted at a rate of nearly 20,000 unique IP addresses per day before subsiding on March 26. At its peak, the scanning activity reached 23,958 unique IP addresses. Although the majority of the IP addresses were classified as suspicious, 154 have been flagged as malicious, with the United States and Canada being the largest sources of traffic, followed by Finland, the Netherlands, and Russia.
“This pattern suggests a methodical approach aimed at identifying exposed or vulnerable systems, potentially as a precursor to targeted exploitation,” GreyNoise stated in a report. The scanning primarily targeted systems located in the United States, the United Kingdom, Ireland, Russia, and Singapore.
In a related development, the non-profit cybersecurity organization The Shadowserver Foundation warned that it has observed exploitation attempts against a recently patched vulnerability in the CrushFTP file transfer solution.
The vulnerability, tracked as CVE-2025-2825, affects CrushFTP versions 10 and 11, and allows unauthenticated remote attackers to potentially gain access to systems. The vulnerability was discovered and publicly disclosed by the developers of CrushFTP, who released patches for versions 11.3.1+ and 10.8.4+ on March 21.
According to Shadowserver, on March 28, approximately 1,800 instances of unpatched CrushFTP software were still exposed worldwide. Over 900 of these vulnerable instances were located in the United States.
By March 31, Shadowserver observed a slight reduction in the number of vulnerable instances, but the organization’s honeypots began detecting dozens of exploitation attempts leveraging publicly available proof-of-concept (PoC) exploit code.