Massive Credential-Spraying Campaign Targets Cisco & Palo Alto Networks VPN Gateways

A large-scale, automated credential-based attack campaign targeting enterprise virtual private network (VPN) infrastructure has been observed in the wild, with threat researchers reporting millions of login attempts against Cisco SSL VPN and Palo Alto Networks GlobalProtect portals over a concentrated period in mid-December 2025. The activity, confirmed by multiple threat intelligence platforms including GreyNoise and independent cybersecurity outlets, underscores the growing persistence of adversaries probing perimeter authentication endpoints for weak credentials.

Beginning on December 11, 2025, sensor networks operated by security intelligence provider GreyNoise recorded a dramatic surge in automated login attempts directed at Palo Alto Networks GlobalProtect VPN portals — a remote access gateway used by…