
[CIAD-2025-0047] Surge in Attacks Targeting Palo Alto Networks Devices
Surge in Attacks Targeting Palo Alto Networks Devices
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: Critical
Overview
CERT-In/CSIRT-Fin has observed a surge in cyberattacks targeting Palo Alto Networks firewall devices, particularly those deployed within the BFSI sector in India. The activity indicates a widespread and coordinated reconnaissance and exploitation campaign aimed at leveraging multiple critical vulnerabilities across various PAN-OS versions. Organizations operating these devices are urged to take immediate defensive actions to reduce exposure.
Description
Malicious activities have been observed in Palo Alto Networks firewall devices during October 2025. These activities primarily targeted PA-3220 series devices running PAN-OS versions ranging from 8.x to 12.x. The attackers appear to be systematically scanning for and attempting to exploit a set of known vulnerabilities.
Correlated external threat intelligence also confirms similar scanning and exploitation attempts across a broader network, suggesting this is part of a globally coordinated campaign.
Recommended Actions
Organizations are advised to take the following steps without delay:
Patch Immediately
Apply the latest security patches and firmware updates provided by Palo Alto Networks for all devices, especially addressing the listed CVEs.
Restrict Management Access
Limit access to the management interface by IP whitelisting and enforcing VPN-only access.
Disable web interface access from untrusted networks.
Block Suspicious IPs
Review logs to identify and block IP addresses involved in suspicious scanning or exploitation attempts during this period of elevated activity.
Maintain and update blocklists dynamically based on ongoing threat intelligence.
Implement Enhanced Monitoring
Enable detailed logging on firewall devices.
Set up alerts for abnormal access patterns, login attempts, and configuration changes.
Review GlobalProtect and PAN-OS Portals
Carefully inspect access logs for the GlobalProtect VPN and PAN-OS web management portals for signs of unauthorized access, probing or brute-force attempts.
Conduct Threat Hunting
Search historical logs for IOCs listed in this advisory.
Investigate any anomalies in admin login behaviour, configuration changes or traffic patterns.
Prepare for Future Disclosures
Given the ongoing activity, consider proactively hardening firewall configurations and access controls in anticipation of additional Palo Alto-related CVEs that may be disclosed in the coming weeks.
Enforce Strong Authentication
Implement Multi-Factor Authentication (MFA) for all administrative and remote access.
Review Network Segmentation
Ensure firewall and management interfaces are isolated from public networks and protected via bastion hosts or jump servers where feasible.
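The monitoring, log-review and access-restriction steps above can be turned into a small detection pass over exported admin-access logs. The following is an added example, not CERT-In or Palo Alto Networks code; the log layout (tab-separated time, event, source IP, admin, result), the thresholds and the 10.20.0.0/24 management allowlist are all constructed assumptions, not the real PAN-OS log format.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified tab-separated layout (not the real
# PAN-OS log format): time, event, src_ip, admin, result.
SAMPLE_LOG = """\
2025-10-12T09:00:01\tmgmt-login\t203.0.113.7\tadmin\tfail
2025-10-12T09:00:03\tmgmt-login\t203.0.113.7\tadmin\tfail
2025-10-12T09:00:04\tmgmt-login\t203.0.113.7\troot\tfail
2025-10-12T09:00:06\tmgmt-login\t203.0.113.7\tadmin\tfail
2025-10-12T09:00:09\tmgmt-login\t203.0.113.7\tadmin\tfail
2025-10-12T09:01:00\tmgmt-login\t10.20.0.5\tnetops\tsuccess
2025-10-12T09:02:00\tmgmt-login\t198.51.100.23\tnetops\tsuccess
2025-10-12T09:02:30\tconfig-commit\t198.51.100.23\tnetops\tsuccess
2025-10-12T11:30:00\tmgmt-login\t10.20.0.5\tnetops\tfail
"""

MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]  # assumed jump-host subnet
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=5)        # assumed tuning values

def parse(log_text):
    rows = []
    for line in log_text.strip().splitlines():
        ts, event, src, user, result = line.split("\t")
        rows.append({"ts": datetime.fromisoformat(ts), "event": event,
                     "src": ipaddress.ip_address(src), "user": user, "result": result})
    return rows

def in_allowlist(ip):
    return any(ip in net for net in MGMT_ALLOWLIST)

def detect(rows):
    """Return sorted, deduplicated (rule, src_ip) findings for the three checks."""
    findings = []
    fails = defaultdict(list)  # src -> timestamps of failed management logins
    for r in rows:
        if r["event"] == "mgmt-login" and r["result"] == "fail":
            window = fails[r["src"]]
            window.append(r["ts"])
            # keep only failures inside the sliding window before applying the threshold
            fails[r["src"]] = [t for t in window if r["ts"] - t <= WINDOW]
            if len(fails[r["src"]]) >= FAIL_THRESHOLD:
                findings.append(("brute-force", str(r["src"])))
        if r["event"] == "mgmt-login" and r["result"] == "success" and not in_allowlist(r["src"]):
            findings.append(("login-outside-allowlist", str(r["src"])))
        if r["event"] == "config-commit" and not in_allowlist(r["src"]):
            findings.append(("config-change-outside-allowlist", str(r["src"])))
    return sorted(set(findings))
```

Running `detect(parse(SAMPLE_LOG))` flags the burst of failed logins from 203.0.113.7 and both the successful login and the configuration commit from 198.51.100.23, which sits outside the management allowlist.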
Organizations are requested to closely monitor their ICT infrastructure for signs of suspicious activity related to this attack campaign. If any such activity is reported or detected, preserve all logs, take containment measures and report with all relevant logs to CERT-In/CSIRT-Fin (at incident@cert-in.org.in).
References
CERT-In Security Advisories:
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2025-0009
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2024-0056
Palo Alto Networks Security Advisories:
https://security.paloaltonetworks.com
https://security.paloaltonetworks.com/CVE-2025-0108
https://security.paloaltonetworks.com/CVE-2024-0012
https://security.paloaltonetworks.com/PAN-SA-2024-0010
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003