GreyNoise has discovered that attacks exploiting Cisco, Fortinet, and Palo Alto Networks vulnerabilities are launched from the same infrastructure.
October 10, 2025 By Ionut Arghire
Three exploitation campaigns targeting Cisco and Palo Alto Networks firewalls and Fortinet VPNs originate from IPs on the same subnets, GreyNoise has discovered.
The threat intelligence firm initially warned of scanning attempts targeting Cisco ASA devices in early September, roughly three weeks before Cisco disclosed two zero-day vulnerabilities impacting Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software.
The bugs, tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), were exploited in attacks linked to the ArcaneDoor espionage campaign, which has been attributed to hackers based in China.
Last week, GreyNoise warned of a massive increase in scanning activity related to Palo Alto Networks GlobalProtect login portals, as well as a surge in the count of unique ASNs involved.
