Attack Wave on Remote-Access Infrastructure — Hackers Target Palo Alto GlobalProtect VPN Portals from 7,000+ IPs Worldwide

A major security alert has been issued for organisations using Palo Alto Networks’ GlobalProtect VPN after researchers observed a large-scale coordinated attack wave targeting exposed VPN portals worldwide. Beginning in late November and continuing through December 2025, security analysts detected malicious probing and authentication-brute-force attempts originating from more than 7,000 unique IP addresses across Europe, Asia, South America, and the Middle East.

Security experts believe this represents one of the largest distributed scanning and exploitation campaigns against enterprise remote-access infrastructure seen this year.

According to early threat-intelligence telemetry, attackers are specifically focusing on GlobalProtect portals exposing UDP port 4501, a port GlobalProtect uses for VPN tunnelling and client communication. The attack patterns show automated scripts attempting to exploit known weaknesses, brute-force login credentials, and trigger misconfigured authentication workflows. While no novel zero-day has been confirmed, researchers warn that even small misconfigurations in GlobalProtect deployments can allow attackers to gain a foothold in corporate networks.

Security teams analysing the log data report that the attacker traffic originates from a blend of botnets, compromised servers, cloud datacenters, and anonymity networks, making attribution extremely difficult. This distributed model allows adversaries to overwhelm logs, evade geo-blocking, and avoid traditional threat-intelligence blacklists. Researchers note that the volume and diversity of the IPs indicate that the campaign is not opportunistic but instead a structured and highly coordinated reconnaissance operation, possibly conducted by an advanced threat group preparing for follow-up intrusions.

The potential impact is significant: compromised VPN portals may allow attackers to perform credential harvesting, session hijacking, and, in the worst cases, achieve remote network access with the same privileges as legitimate employees. This is especially problematic for organisations still relying on VPN-centric architectures rather than zero-trust models. Security specialists highlight that once attackers bypass the VPN, they can move laterally inside the network, access internal applications, or deploy ransomware without triggering perimeter-based alarms.

Palo Alto Networks has not reported a new vulnerability related to this incident, but urges all organisations to review their GlobalProtect configurations, update to the latest software versions, and enforce strong authentication controls. Analysts recommend that companies restrict VPN portal access using IP allow-listing, enforce MFA with phishing-resistant methods (FIDO2, hardware keys), and enable continuous monitoring for unusual login patterns such as repeated failures from foreign IP blocks.
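As an added example (not part of the original article, and not Palo Alto Networks code), the following Python detector implements the monitoring recommendation above for two login patterns: the classic burst of repeated failures from one source, and the distributed pattern this campaign illustrates, where a single account receives a few failures each from many unrelated address blocks, so that no single IP ever crosses a per-source threshold. The four-column log shape, the field names, the thresholds and the sample addresses are all constructed assumptions for this example; real GlobalProtect authentication logs have to be mapped onto the columns it expects.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events in a simplified "timestamp,src_ip,user,result" form.
# This shape is an assumption for the example, not the real GlobalProtect log format;
# map your exporter's fields (time, source address, user, auth status) onto these columns.
SAMPLE_LOG = """\
2025-12-03T10:00:01Z,203.0.113.10,jdoe,fail
2025-12-03T10:00:03Z,203.0.113.10,jdoe,fail
2025-12-03T10:00:05Z,203.0.113.10,jdoe,fail
2025-12-03T10:00:07Z,203.0.113.10,jdoe,fail
2025-12-03T10:00:09Z,203.0.113.10,jdoe,fail
2025-12-03T10:00:11Z,203.0.113.10,jdoe,fail
2025-12-03T10:01:00Z,198.51.100.1,svc_backup,fail
2025-12-03T10:02:00Z,198.51.100.2,svc_backup,fail
2025-12-03T10:03:00Z,192.0.2.5,svc_backup,fail
2025-12-03T10:04:00Z,192.0.2.6,svc_backup,fail
2025-12-03T10:05:00Z,203.0.113.77,svc_backup,fail
2025-12-03T10:06:00Z,10.20.30.40,asmith,fail
2025-12-03T10:06:20Z,10.20.30.40,asmith,success
"""

# Thresholds are illustrative assumptions; tune them to your portal's real baseline.
WINDOW = timedelta(minutes=10)
PER_IP_THRESHOLD = 5     # failures from one source inside WINDOW
SPRAY_MIN_IPS = 5        # distinct sources failing against one account inside WINDOW
SPRAY_MIN_BLOCKS = 3     # distinct /16 networks among those sources (crude diversity proxy)


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    result: str


def parse_log(text):
    """Parse the constructed CSV shape into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return sorted(events, key=lambda e: e.ts)


def _max_in_window(times):
    """Largest number of timestamps inside any WINDOW-long span (two-pointer sweep)."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_per_ip_bruteforce(events):
    """Sources that produced PER_IP_THRESHOLD or more failures inside one WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e.result == "fail":
            failures[e.src].append(e.ts)
    return sorted(src for src, ts in failures.items() if _max_in_window(ts) >= PER_IP_THRESHOLD)


def detect_distributed_spray(events):
    """Accounts hit by many distinct sources across several /16 blocks inside one WINDOW.

    Each source may fail only once, so a per-IP threshold never fires; the signal is
    the spread of sources against a single username.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.result == "fail":
            by_user[e.user].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            window = evs[start:end + 1]
            ips = {e.src for e in window}
            # /16 is an assumption standing in for ASN or geo enrichment (IPv4 only here).
            blocks = {ipaddress.ip_network(f"{e.src}/16", strict=False) for e in window}
            if len(ips) >= SPRAY_MIN_IPS and len(blocks) >= SPRAY_MIN_BLOCKS:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source brute force:", detect_per_ip_bruteforce(evs))
    print("distributed spray:", detect_distributed_spray(evs))
```

On the constructed sample, the per-source check flags only 203.0.113.10, while svc_backup is flagged solely by the distributed check: five sources from three different /16 blocks, one failure each, which is exactly the many-IP, low-per-IP shape that lets a 7,000-address campaign sit under per-IP lockout thresholds. In production, replace the /16 grouping with ASN or country enrichment and feed alerts on either detector into your lockout, allow-list review and MFA-enforcement workflow.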

This attack wave reflects a broader trend in 2025: threat actors are increasingly targeting remote-access infrastructure as a primary entry vector. As more companies adopt hybrid work models, VPNs remain heavily exposed to the internet, making them attractive targets for intrusion attempts. The scale of this campaign serves as a reminder that enterprise perimeter systems continue to be a high-risk component — and require constant review, hardening, and real-time monitoring to defend against widespread automated threats.