
"The threat intelligence firm initially warned of scanning attempts targeting Cisco ASA devices in early September, roughly three weeks before Cisco disclosed two zero-day vulnerabilities impacting Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. The bugs, tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), were exploited in attacks linked to the ArcaneDoor espionage campaign, which has been attributed to hackers based in China."
"Last week, GreyNoise warned of a massive increase in scanning activity related to Palo Alto Networks GlobalProtect login portals, as well as a surge in the count of unique ASNs involved. The cybersecurity firm noticed a 500% spike in scanning activity over a period of two days, originating from roughly 1,300 IPs. Within days, the number of involved unique IPs surged to 2,200, as more threat actors likely engaged in the activity."
"On Thursday, the company warned that the scanning campaigns targeting Cisco and Palo Alto Networks firewalls originate from IPs located on the same subnets, and that they can also be tied to brute-forcing attacks targeting Fortinet VPNs. 'Spikes in Fortinet VPN brute force attempts are typically followed by Fortinet VPN vulnerabilities disclosures within six weeks. Block all IPs brute forcing Fortinet SSL VPNs, and consider hardening defenses for firewall and VPN appliances amid these findings,' GreyNoise says."
Three exploitation campaigns targeting Cisco and Palo Alto Networks firewalls and Fortinet VPNs originate from IPs on the same subnets. Scanning attempts targeted Cisco ASA devices in early September, preceding the disclosure of two zero-days in Secure Firewall ASA and FTD (CVE-2025-20333, CVSS 9.9; CVE-2025-20362, CVSS 6.5) that were exploited in the ArcaneDoor campaign. A massive spike in GlobalProtect portal scanning produced a 500% increase over two days from roughly 1,300 IPs, rising to 2,200 unique IPs and generating more than 1.3 million login attempts, with a published list of credentials. The activity ties to Fortinet SSL VPN brute-force attempts; the recommended defensive actions are blocking the brute-forcing IPs and hardening firewall and VPN appliances.
#cisco-asaftd-vulnerabilities #palo-alto-globalprotect-scanning #fortinet-ssl-vpn-brute-force #arcanedoor-espionage
Read at SecurityWeek