Hackers Launch Widespread Attacks on Palo Alto GlobalProtect Portals from 7,000+ IPs

Hackers are actively targeting Palo Alto Networks’ GlobalProtect VPNs using old flaws and misconfigurations to breach networks. Over 7,000 IPs are involved, prompting urgent patching and MFA warnings from Palo Alto Networks and CISA.

Dec 9, 2025 - 10:59
Dec 9, 2025 - 18:07

Threat actors have started actively trying to exploit Palo Alto Networks' GlobalProtect VPN portals as part of a growing campaign against remote access infrastructure.

According to a GreyNoise activity report tracking attacks and compromise attempts against GlobalProtect gateways worldwide, the scans originate from more than 7,000 unique IP addresses, a serious concern for businesses that rely on the popular VPN service to let employees work remotely from home.

The initial attack patterns observed in late November 2025 showed actors probing GlobalProtect gateways for vulnerabilities, in particular checking whether these systems could be reached via UDP port 4501 (the GlobalProtect port).

According to Shadowserver's data and numerous other threat intelligence sources, the attack traffic originates from compromised VPS instances, residential proxies, and bulletproof hosting platforms across Asia-Pacific, Europe, and North America.

A researcher from a major cybersecurity firm, who chose to remain anonymous, stated, "This is not an opportunistic scan type of attack; the actor is actively seeking misconfigured systems and then using pursuance of concerted / chain attacks based upon known exploits."

Because Palo Alto Networks' GlobalProtect is so widely deployed in businesses, it has long been a top target. Unpatched systems remain exposed to historical flaws such as CVE-2024-3400, a critical command injection vulnerability with a CVSS score of 9.8 that was fixed in April 2024.

Recent waves take advantage of misconfigurations that allow access before authentication, such as default credentials or exposed admin portals. Attackers use custom scripts, similar to Metasploit modules, to find portals, brute-force logins, and drop malware for persistence.

Mandiant's most recent threat report says that Chinese state-affiliated groups like UNC4841 use similar methods, but no one group has been definitively linked to this rise.

Signs of a breach include unusual spikes in UDP traffic to port 4501, followed by HTTP requests to the /global-protect/login.urd endpoint. In confirmed breaches, attackers have stolen session tokens, which lets them move laterally into corporate networks.
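As an added illustration (not part of the article or any vendor tooling), the following Python script correlates the two indicators described above over constructed sample log lines: a burst of UDP/4501 packets from one source followed by a request to the login endpoint from the same source. The log formats, thresholds, and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/global-protect/login.urd"   # endpoint path as given in the article
GP_PORT = "udp/4501"                       # GlobalProtect UDP port named in the article

# Constructed sample logs (not real data): firewall flow lines are
# "timestamp src_ip proto/dst_port"; portal access lines are "timestamp src_ip METHOD path".
FLOW_LOGS = [f"2025-11-28T10:00:{i:02d} 203.0.113.7 udp/4501" for i in range(25)] + [
    "2025-11-28T10:01:00 198.51.100.9 udp/4501",   # single probe, no follow-up
    "2025-11-28T10:02:00 192.0.2.44 tcp/443",      # ordinary HTTPS flow
]
WEB_LOGS = [
    "2025-11-28T10:00:40 203.0.113.7 GET /global-protect/login.urd",
    "2025-11-28T10:03:00 192.0.2.44 GET /global-protect/login.urd",  # normal login, no UDP burst
]

def _parse(lines):
    """Yield (timestamp, src_ip, remainder) for each log line."""
    for line in lines:
        ts, ip, rest = line.split(" ", 2)
        yield datetime.fromisoformat(ts), ip, rest

def find_suspicious_sources(flow_lines, web_lines, burst=20, window=timedelta(minutes=5)):
    """Return source IPs that sent >= `burst` UDP/4501 packets inside `window`
    and then requested the login endpoint within `window` of the burst starting."""
    udp_hits = defaultdict(list)
    for ts, ip, rest in _parse(flow_lines):
        if rest == GP_PORT:
            udp_hits[ip].append(ts)
    login_hits = defaultdict(list)
    for ts, ip, rest in _parse(web_lines):
        if rest.split(" ")[-1] == LOGIN_PATH:
            login_hits[ip].append(ts)
    flagged = []
    for ip, times in udp_hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over packet timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst:       # first window that reaches the burst size
                burst_start = times[start]
                if any(burst_start <= lt <= burst_start + window for lt in login_hits.get(ip, [])):
                    flagged.append(ip)
                break
    return flagged

def probing_ip_count(flow_lines):
    """Number of distinct sources touching UDP/4501; a jump here mirrors the distributed scan."""
    return len({ip for _, ip, rest in _parse(flow_lines) if rest == GP_PORT})
```

Tune `burst` and `window` to the normal UDP/4501 rate of legitimate clients before alerting on this in production.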

On December 5, Palo Alto Networks issued an urgent warning telling customers to use multi-factor authentication (MFA), limit portal exposure through firewalls, and install the latest patches.

The company said, "GlobalProtect stays safe when set up correctly, but portals that face the internet are high-value targets." CISA has added related IOCs to its Known Exploited Vulnerabilities catalog and told federal agencies to fix the problems within 72 hours.

Experts recommend air-gapping critical portals, applying zero-trust segmentation, and monitoring for beaconing to C2 servers, including those hosted on AWS or Azure. This campaign shows how vulnerable legacy VPNs are to industrialized attacks as hybrid work continues.