Cisco, Fortinet, Palo Alto Networks Devices Targeted in Coordinated Campaign
GreyNoise has discovered that attacks exploiting Cisco, Fortinet, and Palo Alto Networks vulnerabilities are launched from the same infrastructure. The post Cisco, Fortinet, Palo Alto Networks Devices Targeted in Coordinated Campaign appeared first on SecurityWeek.
AI Analysis
Technical Summary
GreyNoise intelligence has identified a coordinated exploitation campaign against firewall and VPN devices from Cisco, Fortinet, and Palo Alto Networks. The activity shares infrastructure: attacks are launched from IP addresses in the same subnets, and overlapping TCP fingerprints point to a single actor or closely linked groups rather than unrelated opportunistic scanners. Scanning of Cisco ASA devices began weeks before Cisco disclosed two zero-day vulnerabilities (CVE-2025-20333, CVSS 9.9, and CVE-2025-20362, CVSS 6.5) exploited by the ArcaneDoor espionage cluster, which has been reported as China-linked. Scanning of Palo Alto Networks GlobalProtect portals then spiked by roughly 500%, with more than 1.3 million sessions recorded against login pages, a volume consistent with brute-force and credential-stuffing attacks rather than reconnaissance alone. Fortinet SSL VPN endpoints have also been hit with brute-force attempts; GreyNoise has previously found that scanning surges against edge devices frequently precede a new vulnerability disclosure for the same product within about six weeks, so this activity should be read as an early-warning signal, not only as a credential-guessing problem. GreyNoise has published the credentials observed in the Fortinet brute-force campaign, a list defenders can compare against their own user population. The timing, shared infrastructure, and consistent tactics suggest a single coordinated effort aimed at gaining footholds on edge security appliances for espionage or broader network compromise. A compromised firewall or VPN gateway threatens the confidentiality, integrity, and availability of every network that sits behind it.
Potential Impact
European organizations running Cisco ASA/FTD firewalls, Fortinet SSL VPNs, or Palo Alto Networks GlobalProtect gateways face an elevated risk of unauthorized access, data theft, and disruption. A compromised edge appliance gives the attacker a position from which to harvest credentials, move laterally into the internal network, and, if they choose, take the gateway offline. Critical infrastructure operators, government agencies, financial institutions, and large enterprises are most exposed because these devices typically guard both their perimeter and their remote-access paths. The volume of brute-force and credential-stuffing traffic makes credential compromise likely wherever passwords are weak, reused, or not backed by MFA. Given the reported China link for the ArcaneDoor activity, organizations in sensitive sectors or with geopolitical relevance should assume they may be targeted deliberately rather than opportunistically. Because scanning of this kind has repeatedly preceded new vulnerability disclosures, defenders should treat the current activity as a warning and be ready to patch quickly when the next advisory lands. Compromise of a firewall or VPN concentrator also undermines the trust placed in the perimeter and could expose sensitive European data to foreign intelligence collection.
Mitigation Recommendations
1. Block and monitor the source IP addresses published by GreyNoise and other threat intelligence feeds, but treat the block list as a detection aid rather than a control: the actors rotate addresses within the same subnets, so alert on the subnets and on the behavior, not only on individual IPs.
2. Enforce strong, unique passwords and multi-factor authentication on every firewall and VPN login, including local and administrative accounts, and compare the credential list GreyNoise published for the Fortinet campaign against your own user population.
3. Apply vendor patches promptly, in particular Cisco's fixes for CVE-2025-20333 and CVE-2025-20362 on ASA/FTD. Patching does not evict an attacker who already has access, so check devices for signs of prior compromise before treating them as clean.
4. Harden configurations: disable unused services, restrict management access (and, where feasible, portal access) to trusted addresses, and enable logging and alerting for failed-login bursts, password spraying across many usernames, and successful logins that follow a run of failures from the same source.
5. Conduct regular vulnerability assessments and penetration tests focused specifically on firewall and VPN appliances.
6. Segment networks and apply zero trust principles so that a compromised gateway does not translate into free lateral movement.
7. Share indicators with national cybersecurity centers and sector ISACs, and consume theirs, to stay current on infrastructure and tactics.
8. Prepare incident response plans for firewall and VPN compromise, including rapid isolation, credential rotation, and forensic capture of device state before it is rebuilt.
9. Train IT and security teams to recognize scanning and brute-force activity in portal logs and to escalate it quickly.
10. Consider deception technology, such as decoy VPN portals, to detect reconnaissance and brute-force attempts early.
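Recommendation 4 calls for alerting on anomalous login attempts, and the analysis above notes that the attacking sources cluster in the same subnets. The following is an added example, not code from the GreyNoise report or the SecurityWeek article, of detection logic that does both over VPN portal authentication logs: it flags per-source brute force (one account, many failures) and password spraying (many accounts), marks a success that follows failures from a flagged source as a likely compromise, and groups failing sources by /24 to surface shared infrastructure. The log lines are constructed for the example and use a simplified key=value layout, not the real PAN-OS or FortiOS log formats; the thresholds (5 failures in 10 minutes, 4 distinct usernames) are assumptions to tune to your own portal's baseline.

```python
"""Detect brute force, password spraying and shared-subnet sources in VPN auth logs.

Added example (not from the GreyNoise report or the SecurityWeek article).
The log layout below is a constructed key=value format, not real PAN-OS/FortiOS syntax.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: one portal, several sources over a few minutes.
# 203.0.113.10 tries six different usernames and finally logs in as 'frank',
# 203.0.113.44 hammers 'admin', 203.0.113.77 and 198.51.100.5 each fail once.
SAMPLE_LOGS = """\
2025-10-09T10:00:01Z vendor=pan event=gp-auth-fail user=alice src=203.0.113.10
2025-10-09T10:00:02Z vendor=pan event=gp-auth-fail user=bob src=203.0.113.10
2025-10-09T10:00:03Z vendor=pan event=gp-auth-fail user=carol src=203.0.113.10
2025-10-09T10:00:04Z vendor=pan event=gp-auth-fail user=dave src=203.0.113.10
2025-10-09T10:00:05Z vendor=pan event=gp-auth-fail user=erin src=203.0.113.10
2025-10-09T10:00:06Z vendor=pan event=gp-auth-fail user=frank src=203.0.113.10
2025-10-09T10:00:07Z vendor=pan event=gp-auth-success user=frank src=203.0.113.10
2025-10-09T10:00:10Z vendor=fortinet event=sslvpn-login-fail user=admin src=203.0.113.44
2025-10-09T10:00:11Z vendor=fortinet event=sslvpn-login-fail user=admin src=203.0.113.44
2025-10-09T10:00:12Z vendor=fortinet event=sslvpn-login-fail user=admin src=203.0.113.44
2025-10-09T10:00:13Z vendor=fortinet event=sslvpn-login-fail user=admin src=203.0.113.44
2025-10-09T10:00:14Z vendor=fortinet event=sslvpn-login-fail user=admin src=203.0.113.44
2025-10-09T10:00:20Z vendor=pan event=gp-auth-fail user=test src=203.0.113.77
2025-10-09T10:05:00Z vendor=pan event=gp-auth-fail user=alice src=198.51.100.5
2025-10-09T10:05:30Z vendor=pan event=gp-auth-success user=alice src=198.51.100.5
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> list[dict]:
    """Turn each '<ISO timestamp> key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.strip().partition(" ")
        ev = dict(KV_RE.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        events.append(ev)
    return events


def max_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(events: list[dict], window: timedelta = timedelta(minutes=10),
            fail_threshold: int = 5, spray_threshold: int = 4):
    """Return (per-source findings, /24 clusters containing more than one failing source).

    The thresholds are assumptions for this example; tune them to the portal's normal traffic.
    """
    fail_times: dict[str, list[datetime]] = defaultdict(list)
    fail_users: dict[str, set[str]] = defaultdict(set)
    ok_users: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev["event"].endswith("fail"):
            fail_times[ev["src"]].append(ev["ts"])
            fail_users[ev["src"]].add(ev["user"])
        elif ev["event"].endswith("success"):
            ok_users[ev["src"]].add(ev["user"])

    findings = {}
    for src, times in fail_times.items():
        burst = max_in_window(times, window)
        tags = []
        if burst >= fail_threshold and len(fail_users[src]) == 1:
            tags.append("brute-force")             # one account, many attempts
        if len(fail_users[src]) >= spray_threshold:
            tags.append("password-spray")          # many accounts, few attempts each
        if tags and ok_users[src] & fail_users[src]:
            tags.append("success-after-failures")  # the guess that worked: treat as compromise
        if tags:
            findings[src] = {"failures": len(times), "burst": burst,
                             "users": sorted(fail_users[src]), "tags": tags}

    # Shared-infrastructure signal: several distinct failing sources inside one /24,
    # the pattern GreyNoise observed across the Cisco, Fortinet and Palo Alto activity.
    by_net: dict[str, set[str]] = defaultdict(set)
    for src in fail_times:
        by_net[str(ipaddress.ip_network(f"{src}/24", strict=False))].add(src)
    clusters = {net: sorted(srcs) for net, srcs in by_net.items() if len(srcs) >= 2}
    return findings, clusters


if __name__ == "__main__":
    findings, clusters = analyze(parse_events(SAMPLE_LOGS))
    for src, f in findings.items():
        print(f"{src}: {', '.join(f['tags'])} ({f['failures']} failures, {len(f['users'])} users)")
    for net, srcs in clusters.items():
        print(f"shared /24 {net}: {len(srcs)} failing sources, consider blocking the subnet")
```

Run the file directly to print the findings for the constructed sample. In production, feed the parser from a SIEM export of the real portal logs and keep the per-source flags as the primary alert: a /24 with several failing sources can be a cloud provider range or a corporate NAT, so the cluster signal is a prompt to look, not a reason to block on its own.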
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Finland
Technical Details
- Article source: https://www.securityweek.com/cisco-fortinet-palo-alto-networks-devices-targeted-in-coordinated-campaign/ (fetched 2025-10-10T12:52:44Z)
Added to database: 10/10/2025, 12:52:44 PM
Last updated: 10/11/2025, 1:40:47 PM