• A massive escalation in attacks targeting Palo Alto Networks PAN-OS GlobalProtect login portals, with over 2,200 unique IP addresses conducting reconnaissance operations as of October 7, 2025. 

    This represents a significant surge from the initial 1,300 IPs observed just days earlier, marking the highest scanning activity recorded in the past 90 days according to GreyNoise Intelligence monitoring.

    The reconnaissance campaign began with a sharp 500% increase in scanning activity on October 3, 2025, when researchers observed approximately 1,300 unique IP addresses probing Palo Alto login portals. 

    This initial surge already represented the largest burst of scanning activity in three months, with daily volumes previously rarely exceeding 200 IPs during the preceding 90-day period.

    Figure: 2,200 IPs Scan Palo Portals

    Palo Alto PAN-OS GlobalProtect Login Portals Surge

    The escalating attack campaign demonstrates sophisticated coordination across geographically distributed infrastructure. 

    GreyNoise analysis reveals that 91% of the malicious IP addresses are geolocated to the United States, with additional clusters concentrated in the United Kingdom, the Netherlands, Canada, and Russia. 

    Security researchers have identified approximately 12% of all ASN11878 subnets allocated to scanning Palo login portals, indicating significant infrastructure commitment to this operation.

    The attack methodology suggests threat actors are systematically iterating through large credential databases, with login attempt patterns indicating automated brute-force operations against GlobalProtect SSL VPN portals. 

    Figure: Pace of Palo Alto unique login attempts

    GreyNoise has published a comprehensive dataset containing unique usernames and passwords from Palo login attempts observed during the past week, enabling security teams to assess potential credential exposure.

    Technical analysis reveals that 93% of participating IP addresses were classified as suspicious, while 7% received malicious designations. 

    Figure: 1,285 Unique IPs probing Palo Alto login portals

    The scanning activity exhibits distinct regional clustering patterns with separate TCP fingerprints, suggesting multiple coordinated threat groups operating simultaneously.

    Security researchers have identified potential correlations between the Palo Alto scanning surge and concurrent reconnaissance operations targeting Cisco ASA devices.

    Both attack campaigns share dominant TCP fingerprints linked to infrastructure in the Netherlands, along with similar regional clustering behaviors and tooling characteristics.

    The cross-technology targeting suggests a broader reconnaissance campaign against enterprise remote access solutions. 

    Concurrent surges have been observed across multiple remote access service platforms, though the exact relationship between these activities remains under investigation.

    The targeted nature of these attacks is evident from their focus on GreyNoise’s emulated Palo Alto profiles, including GlobalProtect and PAN-OS systems. 

    This precision indicates attackers likely derived target lists from public reconnaissance platforms such as Shodan or Censys, or conducted their own fingerprinting operations to identify vulnerable Palo Alto devices.

    Security teams should implement immediate defensive measures, including IP blocklisting of known malicious addresses, enhanced monitoring of GlobalProtect portal authentication logs, and implementation of additional access controls for remote VPN connections.
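    One way to act on the "enhanced monitoring of GlobalProtect portal authentication logs" recommendation is to run a sliding-window detector over failed logins per source address, separating credential-list iteration (many usernames from one source, the pattern the article describes) from single-account brute force, and cross-checking each source against a blocklist. The script below is an added example written for this article, not code from GreyNoise or Palo Alto Networks; the log line format, the sample events (documentation-range IPs) and the blocklist are constructed for the example, so only the parser would need adapting to real PAN-OS GlobalProtect log exports.

```python
"""Detect brute-force and password-spray patterns in VPN portal auth logs.

Added example for this article, not code from GreyNoise or Palo Alto
Networks. The line format below is a constructed, simplified one chosen for
the example (real PAN-OS GlobalProtect logs are CSV with many more fields),
so parse_line is the piece to adapt; the windowing logic is format-agnostic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation-range IPs, not real observations).
SAMPLE_LOG = """\
2025-10-07T01:00:01Z src=203.0.113.10 user=alice result=failed
2025-10-07T01:00:03Z src=203.0.113.10 user=bob result=failed
2025-10-07T01:00:05Z src=203.0.113.10 user=carol result=failed
2025-10-07T01:00:07Z src=203.0.113.10 user=dave result=failed
2025-10-07T01:00:09Z src=203.0.113.10 user=erin result=failed
2025-10-07T01:00:11Z src=203.0.113.10 user=frank result=failed
2025-10-07T01:02:00Z src=198.51.100.7 user=admin result=failed
2025-10-07T01:02:01Z src=198.51.100.7 user=admin result=failed
2025-10-07T01:02:02Z src=198.51.100.7 user=admin result=failed
2025-10-07T01:02:03Z src=198.51.100.7 user=admin result=failed
2025-10-07T01:02:04Z src=198.51.100.7 user=admin result=failed
2025-10-07T01:02:05Z src=198.51.100.7 user=admin result=failed
2025-10-07T01:02:06Z src=198.51.100.7 user=admin result=failed
2025-10-07T01:05:00Z src=192.0.2.44 user=alice result=failed
2025-10-07T01:05:30Z src=192.0.2.44 user=alice result=success
2025-10-07T02:30:00Z src=203.0.113.10 user=grace result=failed
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\w+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group(2),
        "user": m.group(3),
        "result": m.group(4),
    }


def detect(log_text, known_bad=frozenset(), window=timedelta(minutes=10),
           fail_threshold=5, spray_users=5):
    """Return {source_ip: sorted list of reasons} for sources worth alerting on.

    brute_force   : >= fail_threshold failures inside `window` against few users
    password_spray: >= fail_threshold failures inside `window` spread over
                    >= spray_users distinct usernames (credential-list iteration)
    on_blocklist  : any event from a source on the supplied blocklist
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        reasons = set()
        if src in known_bad:
            reasons.add("on_blocklist")
        failures = [e for e in evs if e["result"] == "failed"]
        # Sliding window over failures only: a handful of typos spread across
        # a day never reaches the threshold, while a burst does.
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            burst = failures[start:end + 1]
            if len(burst) >= fail_threshold:
                if len({e["user"] for e in burst}) >= spray_users:
                    reasons.add("password_spray")
                else:
                    reasons.add("brute_force")
        if reasons:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, why in detect(SAMPLE_LOG, known_bad={"198.51.100.7"}).items():
        print(f"{src}: {', '.join(why)}")
```

    The thresholds are deliberately parameters: a portal with many legitimate users will need a higher `fail_threshold` and a shorter `window` than a small deployment, and the spray/brute-force split matters because the response differs (lock one account versus rate-limit or block one source).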


    The post Attacks on Palo Alto PAN-OS Global Protect Login Portals Surge from 2,200 IPs appeared first on Cyber Security News.


  • Brand protection has become a necessity for enterprises in 2025, with increasing risks of counterfeiting, phishing, domain abuse, fake social media accounts, and digital piracy. Businesses today must not only defend their intellectual property but also safeguard their digital presence to maintain customer trust and security. This article presents the top 10 best brand protection […]

    The post Top 10 Best Brand Protection Solutions for Enterprises in 2025 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Google has released Chrome version 141.0.7390.65/.66 for Windows and Mac, along with 141.0.7390.65 for Linux, addressing multiple critical security vulnerabilities that could allow attackers to execute arbitrary code on affected systems. 

    The update, announced on October 7, 2025, includes three significant security fixes that pose serious risks to users worldwide.

    Heap Buffer Overflow and Memory Corruption Flaws

    The most severe vulnerability in this release is CVE-2025-11458, a heap buffer overflow in Chrome’s Sync component that has been assigned a High severity rating. 

    Discovered by security researcher Raven at KunLun lab on September 5, 2025, this flaw earned a $5,000 bounty reward from Google’s Vulnerability Reward Program.

    Heap buffer overflows occur when a program writes data beyond the allocated memory buffer boundaries, potentially allowing attackers to corrupt adjacent memory regions and execute arbitrary code.

    The second critical vulnerability, CVE-2025-11460, represents a Use-After-Free condition in Chrome’s Storage component. 

    Reported by researcher Sombra on September 23, 2025, this High-severity flaw occurs when the browser attempts to access memory that has already been freed, creating opportunities for attackers to manipulate memory allocation and achieve code execution. 

    Use-after-free vulnerabilities are particularly dangerous as they can lead to complete system compromise when successfully exploited.

    Additionally, CVE-2025-11211 addresses an out-of-bounds read vulnerability in WebCodecs, reported by Jakob Košir on August 29, 2025. 

    This Medium-severity flaw, which earned a $3,000 reward, allows attackers to read memory outside allocated boundaries, potentially exposing sensitive information or facilitating further exploitation chains.

    CVE              Title                              Severity
    CVE-2025-11458   Heap buffer overflow in Sync       High
    CVE-2025-11460   Use after free in Storage          High
    CVE-2025-11211   Out of bounds read in WebCodecs    Medium
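    The three bug classes in the table (heap buffer overflow, use-after-free, out-of-bounds read) come down to a missing check at one spot each. The C below is an added example illustrating those checks on a small heap-allocated buffer type; it is not Chrome code and says nothing about how the Sync, Storage or WebCodecs bugs themselves look. The `Buffer` type and its functions are this example's own.

```c
/* Added example (not Chrome code): the bounds, length and lifetime checks
   whose absence produces a heap overflow, an out-of-bounds read and a
   use-after-free. The Buffer type and function names are invented here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap buffer that carries its own capacity and fill level beside the data,
   so every access can be checked against them. */
typedef struct {
    uint8_t *data;
    size_t cap;   /* bytes allocated */
    size_t len;   /* bytes in use, always <= cap */
} Buffer;

Buffer *buffer_new(size_t cap) {
    Buffer *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = malloc(cap);
    if (!b->data) { free(b); return NULL; }
    b->cap = cap;
    b->len = 0;
    return b;
}

/* Heap buffer overflow is what happens when the comparison below is missing:
   memcpy would write past data[cap - 1] into whatever the allocator placed
   next. Written as n > cap - len (not len + n > cap) so the check itself
   cannot overflow. Returns 1 on success, 0 when the write is refused. */
int buffer_append(Buffer *b, const uint8_t *src, size_t n) {
    if (!b || !src) return 0;
    if (n > b->cap - b->len) return 0;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 1;
}

/* Out-of-bounds read is the same omission on the read side: idx must be
   checked against len, not trusted because it came from a parsed field. */
int buffer_get(const Buffer *b, size_t idx, uint8_t *out) {
    if (!b || idx >= b->len) return 0;
    *out = b->data[idx];
    return 1;
}

/* Use-after-free: freeing through a pointer-to-pointer and nulling the
   caller's handle turns a later access into a refused call instead of a
   read of recycled heap memory. */
void buffer_free(Buffer **pb) {
    if (!pb || !*pb) return;
    free((*pb)->data);
    free(*pb);
    *pb = NULL;
}

int main(void) {
    Buffer *b = buffer_new(4);
    uint8_t v = 0;
    printf("append 2 bytes: %d\n", buffer_append(b, (const uint8_t *)"ab", 2));
    printf("append 3 more (would overflow): %d\n",
           buffer_append(b, (const uint8_t *)"cde", 3));
    printf("read index 7 (past len): %d\n", buffer_get(b, 7, &v));
    buffer_free(&b);
    printf("read after free: %d\n", buffer_get(b, 0, &v));
    return 0;
}
```

    The sanitizers named in the Mitigations section (AddressSanitizer in particular) catch exactly the cases these functions refuse: the overflowing memcpy, the read past `len` and the access after `free`. Checks like these are what makes a fuzzer's findings go away for good rather than move elsewhere.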

    Mitigations

    Google’s security team employed multiple advanced detection methodologies to identify these vulnerabilities, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL fuzzing techniques. 

    These automated security testing tools continuously analyze Chrome’s codebase for memory corruption issues, race conditions, and other security-critical bugs before they reach production environments.

    The Chrome development team has implemented comprehensive mitigations within the browser’s architecture, including sandboxing mechanisms that isolate rendering processes and limit the potential impact of successful exploits. 

    However, users must install the security update promptly, as Google restricts access to detailed vulnerability information until the majority of users have updated their browsers to prevent widespread exploitation of these critical flaws.


    The post Multiple Chrome Vulnerabilities Expose Users to Arbitrary Code Execution Attacks appeared first on Cyber Security News.


  • OpenAI on Tuesday said it disrupted three activity clusters for misusing its ChatGPT artificial intelligence (AI) tool to facilitate malware development. This includes a Russian‑language threat actor, who is said to have used the chatbot to help develop and refine a remote access trojan (RAT), a credential stealer with an aim to evade detection. The operator also used several ChatGPT accounts to


  • A critical SQL injection vulnerability in FreePBX, designated as CVE-2025-57819, has been actively exploited by attackers to modify the database and achieve arbitrary code execution on vulnerable systems. The vulnerability affects the popular open-source PBX platform that provides a web-based administration interface for managing Asterisk VoIP systems across all supported versions including FreePBX 15, 16, and […]

    The post FreePBX SQL Injection Vulnerability Leads to Database Tampering appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A newly identified threat group called Crimson Collective has emerged as a significant security concern for organizations using Amazon Web Services (AWS), employing sophisticated techniques to steal sensitive data and extort victims. The Crimson Collective demonstrates remarkable proficiency in exploiting AWS cloud environments through a methodical approach that begins with compromising long-term access keys. Cybersecurity firm Rapid7 has […]

    The post Crimson Collective Exploits AWS Services to Steal Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Google rolled out version 141.0.7390.65/.66 for Windows and Mac and 141.0.7390.65 for Linux. This update fixes three critical security flaws, all of which involve memory handling errors that an attacker could exploit to execute arbitrary code in the context of the browser. External researchers discovered these issues and reported them through Google’s vulnerability disclosure program. […]

    The post Multiple Google Chrome Flaws Allow Attackers to Execute Arbitrary Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • CISA has issued a warning about a new zero-day cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite (ZCS). This vulnerability is already in use by attackers to hijack user sessions, steal data, and push malicious filters. Organizations running ZCS should move quickly to apply available fixes or follow guidance to limit risk. Overview of […]

    The post CISA Alerts on Zimbra Collaboration Suite Zero-Day XSS Flaw Exploited in Ongoing Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • BK Technologies Corporation, a Florida-based communications equipment manufacturer, disclosed a significant cybersecurity incident that compromised its IT systems and potentially exposed employee data. The company filed an SEC Form 8-K on October 6, 2025, revealing that attackers gained unauthorized access to sensitive information in late September. Timeline and Discovery of the Breach The cyberattack was […]

    The post BK Technologies Data Breach, IT Systems Compromised, Data Stolen appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A groundbreaking cybersecurity vulnerability has been discovered that transforms everyday computer mice into sophisticated eavesdropping tools. Researchers have developed the “Mic-E-Mouse” attack, which exploits high-performance optical sensors in consumer mice to secretly capture confidential user conversations through acoustic vibrations transmitted via work surfaces. How the Attack Works Through Surface Vibrations The Mic-E-Mouse attack capitalizes on […]

    The post “Mic-E-Mouse” Attack Lets Hackers Steal Sensitive Data via Mouse Sensors appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
