A threat intelligence provider first flagged scanning aimed at Cisco ASA devices in early September, about three weeks before Cisco disclosed two zero-day vulnerabilities affecting Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) systems.
These flaws, tracked as CVE-2025-20333 (CVSS score 9.9) and CVE-2025-20362 (CVSS score 6.5), were exploited in attacks linked to the ArcaneDoor cyberespionage campaign, which has been attributed to threat actors originating in China.
Just last week, GreyNoise reported a sharp increase in scanning against Palo Alto Networks GlobalProtect portals, along with a sharp rise in the number of distinct ASNs involved.
The security firm observed a 500% increase in scan volume over two days, originating from around 1,300 IP addresses. Soon after, the number of unique IPs climbed to 2,200, suggesting that additional threat actors had joined in.
Over the past seven days, GreyNoise tracked more than 1.3 million distinct login attempts against Palo Alto firewalls and published a list of the usernames and passwords used in the campaign.
On Thursday, the firm warned that the scanning waves hitting Cisco and Palo Alto firewalls originate from IPs in overlapping subnets, and that they are also linked to brute-force attacks against Fortinet VPNs.
“Rises in Fortinet VPN brute-force efforts often precede vulnerability announcements for those systems by up to six weeks. Lock down every IP attempting to brute-force Fortinet SSL VPNs, and shore up protections for firewall and VPN hardware based on this intel,” urged GreyNoise.
Indeed, the firm says that about 80% of such activity spikes against established firewall and VPN vendors are followed by new vulnerability disclosures for those products within the next six weeks.
The campaigns against Cisco, Fortinet, and Palo Alto devices share matching TCP signatures, originate from the same subnets, and ramp up during overlapping time windows.
“We're highly confident these three operations are at minimum partly steered by overlapping threat groups,” GreyNoise concluded.
The firm also shared a list of the credential combinations seen in the Fortinet attacks.
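The subnet overlap described above can be checked against your own perimeter logs. The following is an added example, not GreyNoise's tooling or code from the original article: it groups source IPs by /24 (an assumed granularity), reports subnets seen in more than one campaign, and builds a block list of Fortinet brute-force sources. The campaign names and addresses are constructed sample data using documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation ranges), one list of
# source IPs per log source. The campaign names are hypothetical labels.
OBSERVED = {
    "cisco_asa_scan": ["192.0.2.10", "192.0.2.77", "198.51.100.5", "not-an-ip"],
    "paloalto_globalprotect_login": ["192.0.2.200", "203.0.113.9", "198.51.100.40"],
    "fortinet_sslvpn_bruteforce": ["192.0.2.31", "203.0.113.9", "203.0.113.120",
                                   "203.0.113.9"],
}

def _parse(raw):
    """Return an ip_address object, or None for a malformed log field."""
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None

def _sort_key(addr):
    # Sort numerically, keeping IPv4 and IPv6 apart so they never compare.
    return (addr.version, int(addr))

def subnet_of(addr, v4_prefix=24, v6_prefix=64):
    """Map an address to its enclosing subnet (prefix lengths are assumptions)."""
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def correlate(observed, min_campaigns=2):
    """Return {subnet: {campaign: [ips]}} for subnets seen in >= min_campaigns."""
    by_subnet = defaultdict(lambda: defaultdict(set))
    for campaign, ips in observed.items():
        for addr in filter(None, map(_parse, ips)):
            by_subnet[subnet_of(addr)][campaign].add(addr)
    return {
        str(net): {c: [str(a) for a in sorted(addrs, key=_sort_key)]
                   for c, addrs in camps.items()}
        for net, camps in by_subnet.items() if len(camps) >= min_campaigns
    }

def blocklist(observed, campaign):
    """Deduplicated, numerically sorted source IPs for one campaign."""
    addrs = {a for a in map(_parse, observed.get(campaign, [])) if a}
    return [str(a) for a in sorted(addrs, key=_sort_key)]

if __name__ == "__main__":
    for net, camps in correlate(OBSERVED).items():
        print(net, "->", ", ".join(sorted(camps)))
    print("block:", blocklist(OBSERVED, "fortinet_sslvpn_bruteforce"))
```

A /24 shared by several campaigns is a lead for further review rather than proof of a common operator, since hosting providers place unrelated customers in adjacent address space.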