Enterprise security teams are on high alert after an extraordinary 500% spike in mass scanning activity was detected against Palo Alto Networks and Cisco ASA firewall platforms. Over the past 48 hours, coordinated reconnaissance and exploitation attempts have surged, signaling an intensifying threat to critical perimeter defenses—and indicating that recent vulnerabilities are being rapidly weaponized by threat actors.
The Surge: Unprecedented Reconnaissance
On October 3, 2025, threat intelligence analysts recorded a staggering increase in the number of unique IPs scanning Palo Alto Networks login portals—rising from a typical 200 daily to over 1,300, 93% of which were flagged as suspicious. Simultaneously, Cisco ASA devices saw more than 25,000 distinct scanning IPs, with most activity traced to the Americas and parts of Europe. Analysis shows strong similarities in both fingerprinting and infrastructure used in these scanning waves, reinforcing that they are part of a coordinated, highly targeted campaign.
Recent Vulnerabilities: What’s Being Exploited?
Research shows that surges like these almost always precede public exploit releases or active in-the-wild attacks leveraging fresh vulnerabilities. Here’s what defenders need to know.
Palo Alto Networks: PAN-OS and GlobalProtect
- CVE-2025-0108: A critical authentication bypass in the PAN-OS management web interface. Allows an unauthenticated attacker with network access to the interface to reach sensitive scripts. Exploited in the wild; organizations running unpatched versions face serious integrity and confidentiality risks. Patches are available for the PAN-OS 11.2, 11.1, 10.2, and 10.1 branches.
- CVE-2025-2183: A medium-severity flaw in GlobalProtect VPN on Windows and Linux. Insufficient certificate validation enables privilege escalation and installation of malicious software, exploitable by attackers on adjacent networks.
- CVE-2025-32433: Maximum-severity (CVSS 10.0) RCE in Erlang/OTP SSH, abused in attacks against operational technology networks. Allows unauthenticated code execution simply by sending specially crafted SSH messages, affecting multiple Erlang/OTP versions potentially embedded in OT firewall stacks.
Cisco ASA and Firepower
- CVE-2025-20333: Critical RCE in Cisco ASA/FTD VPN web server, scored CVSS 9.9. Authenticated attackers can execute code as root, fully compromising the device.
- CVE-2025-20362: Allows unauthenticated access to restricted VPN URL endpoints, aiding credential theft and lateral movement (CVSS 6.5).
- CVE-2025-20363: Affects ASA, FTD, and IOS/IOS XE/IOS XR with Remote Access VPN enabled. Enables arbitrary code execution: unauthenticated on ASA/FTD, authenticated on the other platforms (CVSS 9.0).
- These Cisco flaws have been exploited in the wild by advanced threat actors since September 2025. Attacks include malware implantation, command execution, and persistent compromise by modifying device ROM, even surviving firmware upgrades.
Exploitation in the Wild: What’s Happening?
- Scanning activity on both product lines ramped up just weeks after Cisco’s disclosure of active zero-day exploitation (the ArcaneDoor campaign) and the Palo Alto vulnerabilities linked to authentication bypass and privilege escalation.
- Adversaries, likely advanced persistent threat (APT) groups, are leveraging these bugs to implant malware, maintain persistence, and maneuver laterally into enterprise networks—often before vendors release patches.
- CISA issued an emergency directive for federal agencies, mandating immediate mitigations for vulnerable ASA appliances, underscoring the urgent risk—even to properly maintained environments.
Defense: What Should Security Teams Do Now?
- Immediately update to the latest available firmware for both Palo Alto and Cisco ASA/FTD devices, prioritizing those exposed to remote access.
- Audit access controls around all firewall and VPN portals. Implement multifactor authentication and limit external management to trusted sources only.
- Monitor logs for surges in failed or unauthenticated login attempts and unusual traffic spikes to administrative interfaces, and hunt for forensic evidence of compromise.
- Use threat intelligence feeds and blocklists, like those from GreyNoise, to dynamically filter IPs engaged in these recent scanning campaigns.
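The monitoring step above is easiest to operationalize as a unique-source baseline check, mirroring the article's own signal (unique scanning IPs jumping from roughly 200 a day to over 1,300). The following is an added example, not code from the article or from either vendor; the log format and the `auth-fail portal=... src=...` fields are a constructed, hypothetical schema that should be replaced with the real PAN-OS or ASA syslog layout.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample log lines in a hypothetical failed-login format
# (adjust LINE_RE to the real PAN-OS / ASA syslog schema in production).
SAMPLE_LOGS = [
    "2025-10-01T08:12:04Z auth-fail portal=globalprotect src=203.0.113.10 user=admin",
    "2025-10-01T11:40:19Z auth-fail portal=globalprotect src=203.0.113.11 user=test",
    "2025-10-01T13:02:55Z auth-fail portal=globalprotect src=203.0.113.10 user=root",
    "2025-10-02T07:55:31Z auth-fail portal=globalprotect src=203.0.113.12 user=admin",
    "2025-10-02T16:21:08Z auth-fail portal=globalprotect src=203.0.113.13 user=guest",
    "2025-10-02T23:59:59Z not-a-login-event src=203.0.113.14",
] + [
    # Spike day: many distinct constructed sources (198.51.100.0/24) hitting the portal.
    f"2025-10-03T0{i % 10}:{i:02d}:00Z auth-fail portal=globalprotect src=198.51.100.{i} user=admin"
    for i in range(1, 16)
]

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth-fail portal=\S+ src=(?P<src>[\d.]+)"
)


def unique_sources_per_day(lines):
    """Map each day to the number of distinct source IPs that failed portal authentication."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # non-matching lines (other event types) are ignored
            per_day[m["day"]].add(m["src"])
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def flag_spikes(counts, factor=5.0, min_history=2):
    """Flag days whose unique-source count is >= factor x the median of all earlier days.

    factor=5.0 mirrors the ~500% jump described in the article. Days with fewer than
    min_history prior days are not judged, and a zero baseline is clamped to 1 so that a
    quiet history does not flag every subsequent day.
    """
    flagged, history = {}, []
    for day, n in counts.items():  # counts is already date-ordered
        if len(history) >= min_history:
            baseline = max(median(history), 1)
            if n >= factor * baseline:
                flagged[day] = (n, baseline)
        history.append(n)
    return flagged


if __name__ == "__main__":
    for day, (n, base) in flag_spikes(unique_sources_per_day(SAMPLE_LOGS)).items():
        print(f"{day}: {n} unique failing sources vs baseline {base:.0f} -> investigate")
```

On the constructed input the first two days each show 2 distinct sources and 2025-10-03 shows 15, so only the third day is flagged; in practice the same per-day sets can be fed the GreyNoise-style blocklist mentioned above to separate known mass scanners from novel sources.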