Three exploitation campaigns targeting Cisco and Palo Alto Networks firewalls and Fortinet VPNs originate from IPs on the same subnets, GreyNoise has found.
The threat intelligence firm initially warned of scanning attempts targeting Cisco ASA devices in early September, roughly three weeks before Cisco disclosed two zero-day vulnerabilities impacting Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software.
The bugs, tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), have been exploited in attacks linked to the ArcaneDoor espionage campaign, which has been attributed to hackers based in China.
Last week, GreyNoise warned of a massive increase in scanning activity related to Palo Alto Networks GlobalProtect login portals, as well as a surge in the count of unique ASNs involved.
The cybersecurity firm observed a 500% spike in scanning activity over a period of two days, originating from roughly 1,300 IPs. Within days, the number of unique IPs involved surged to 2,200, as more threat actors likely engaged in the activity.
Over the past week, GreyNoise observed over 1.3 million unique login attempts targeting the Palo Alto Networks firewalls, and has published a list of the credentials used in the campaign.
On Thursday, the company warned that the scanning campaigns targeting Cisco and Palo Alto Networks firewalls originate from IPs located on the same subnets, and that they can also be tied to brute-forcing attacks targeting Fortinet VPNs.
“Spikes in Fortinet VPN brute force attempts are often followed by Fortinet VPN vulnerability disclosures within six weeks. Block all IPs brute forcing Fortinet SSL VPNs, and consider hardening defenses for firewall and VPN appliances amid these findings,” GreyNoise says.
In fact, the threat intelligence firm says, roughly 80% of spikes in activity targeting firewall and VPN products from known vendors are an early warning that new vulnerabilities in these products are likely to be disclosed within the following six weeks.
The three campaigns targeting Cisco, Fortinet, and Palo Alto Networks devices share TCP fingerprints, leverage the same subnets, and show elevated activity at similar times.
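As an added, defensive example (not GreyNoise's tooling or anything from the article), the following Python groups failed VPN login events by source /24, since the campaigns share subnets, and flags any subnet whose failures in the last hour both clear a minimum count and spike well above that subnet's own baseline rate. The event records, thresholds and field layout are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (timestamp, source IP, result).
# Six scattered failures ~30 hours earlier form the baseline; in the last hour,
# 25 distinct hosts in each of two /24s fail in quick succession (constructed).
NOW = datetime(2025, 10, 3, 12, 0, 0)
SAMPLE_EVENTS = [(NOW - timedelta(hours=30, minutes=7 * i), f"192.0.2.{i}", "FAIL")
                 for i in range(6)]
SAMPLE_EVENTS += [(NOW - timedelta(minutes=i), f"203.0.113.{10 + i}", "FAIL")
                  for i in range(25)]
SAMPLE_EVENTS += [(NOW - timedelta(minutes=i), f"198.51.100.{i}", "FAIL")
                  for i in range(25)]
SAMPLE_EVENTS += [(NOW - timedelta(minutes=3), "192.0.2.200", "OK")]

def subnet24(ip):
    """Collapse a source address to its /24, the unit the campaigns share."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def find_brute_force_subnets(events, now, window=timedelta(hours=1),
                             baseline_days=7, min_fails=10, spike_factor=5.0):
    """Return {subnet: {"fails", "ips", "ratio"}} for each /24 whose failed
    logins in the last `window` reach min_fails and are at least spike_factor
    times that subnet's average per-window rate over the preceding baseline."""
    recent_ips, recent_fails = defaultdict(set), defaultdict(int)
    baseline_fails = defaultdict(int)
    recent_start = now - window
    baseline_start = recent_start - timedelta(days=baseline_days)
    for ts, ip, result in events:
        if result != "FAIL" or ts > now:
            continue  # successes and future-dated records are ignored
        net = subnet24(ip)
        if ts >= recent_start:
            recent_fails[net] += 1
            recent_ips[net].add(ip)
        elif ts >= baseline_start:
            baseline_fails[net] += 1
    windows_in_baseline = timedelta(days=baseline_days) / window
    flagged = {}
    for net, fails in recent_fails.items():
        # Floor the baseline at one failure per period so a never-seen subnet
        # still yields a finite (and very high) spike ratio.
        per_window = max(baseline_fails[net], 1) / windows_in_baseline
        ratio = fails / per_window
        if fails >= min_fails and ratio >= spike_factor:
            flagged[net] = {"fails": fails, "ips": sorted(recent_ips[net]),
                            "ratio": round(ratio, 1)}
    return flagged
```

The returned `ips` lists are the per-subnet block candidates; the baseline subnet 192.0.2.0/24 is not flagged because it has no failures in the recent window.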
“We assess with high confidence that all three campaigns are at least partially driven by the same threat actor(s),” GreyNoise says.
The company has also published a list of credentials used in the Fortinet campaign.
Related: ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities
Related: Cisco Patches Zero-Day Flaw Affecting Routers and Switches
Related: Hackers Seeking Vulnerable Palo Alto Networks GlobalProtect Portals
Related: Fortinet FortiWeb Flaw Exploited in the Wild After PoC Publication