
New password spraying attacks target Cisco, PAN VPN gateways

Published:

18 December 2025 at 17:27:25

Alert date:

18 December 2025 at 18:04:12

Source:

bleepingcomputer.com


Network Infrastructure, Identity & Access

An automated campaign is conducting password spraying attacks against multiple VPN platforms, specifically targeting Palo Alto Networks GlobalProtect and Cisco SSL VPN gateways. These credential-based attacks represent active threats against enterprise VPN infrastructure, potentially allowing unauthorized access to corporate networks. The attacks appear to be part of a coordinated campaign using automated tools to test common credentials against VPN endpoints.

Technical details

An automated, credential-based password spraying campaign is targeting VPN platforms. On December 11, GreyNoise observed 1.7 million login attempts against GlobalProtect portals in 16 hours from over 10,000 unique IP addresses. The attacks originated from 3xK GmbH (Germany) IP space and used a Firefox user agent, which is uncommon for automated activity. On December 12, the same infrastructure began targeting Cisco SSL VPN endpoints, with 1,273 unique attack IPs (baseline <200). The attacks used scripted credential probing that follows normal authentication flows, including CSRF handling, which indicates automated credential attacks rather than exploits.

Mitigation steps:

Use strong passwords and multi-factor authentication protection. Audit network appliances for unexpected login attempts. Block known malicious IPs performing credential probes. Monitor for unusual login patterns and automated credential attempts.
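
One way to monitor for the login patterns described above, as an added example that is not part of the original advisory or of any vendor tooling: it flags source IPs that fail logins for many distinct usernames with few tries each, and flags days on which the number of unique failing source IPs exceeds a baseline (the campaign was spread over thousands of IPs, so per-IP thresholds alone can miss it). The log format, function names and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample events, hypothetical format "timestamp source_ip username result".
SAMPLE_LOG = """\
2025-12-11T08:00:01 198.51.100.7 alice FAIL
2025-12-11T08:00:40 198.51.100.7 bob FAIL
2025-12-11T08:01:15 198.51.100.7 carol FAIL
2025-12-11T08:02:05 198.51.100.7 dave FAIL
2025-12-11T08:03:30 198.51.100.7 erin FAIL
2025-12-11T09:10:00 203.0.113.20 frank FAIL
2025-12-11T09:10:45 203.0.113.20 frank OK
2025-12-11T11:30:00 192.0.2.50 grace FAIL
"""

def parse(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_sprayers(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Source IPs failing for many distinct users, few tries each, inside one window."""
    fails = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails[ip].append((ts, user))
    flagged = {}
    for ip, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            counts = Counter(user for _, user in items[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[ip] = max(flagged.get(ip, 0), len(counts))
    return flagged

def source_ip_surge(events, baseline, factor=3):
    """Days whose count of unique failing source IPs exceeds factor x baseline."""
    per_day = defaultdict(set)
    for ts, ip, _, ok in events:
        if not ok:
            per_day[ts.date().isoformat()].add(ip)
    return {d: len(ips) for d, ips in per_day.items() if len(ips) > factor * baseline}
```

Set `baseline` from your own gateway's normal daily count of failing source IPs; the single user who mistypes a password (203.0.113.20 in the sample) is not flagged by `find_sprayers`.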

Affected products:

Palo Alto Networks GlobalProtect
Cisco SSL VPN
Cisco AsyncOS
Cisco Secure Email Gateway (SEG)
Cisco Secure Email and Web Manager (SEWM)


IOCs:

3xK GmbH (Germany) IP space, Firefox user agent used in automated attacks, Over 10,000 unique IP addresses, 1,273 unique attack IPs targeting Cisco SSL VPN

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
