
Large-scale cyberattack campaign targets Palo Alto GlobalProtect and SonicWall APIs
According to a report from Security Affairs, a cyberattack campaign has been targeting GlobalProtect portals from Palo Alto Networks and SonicWall SonicOS APIs since December 2, 2025. The attackers are attempting logins on GlobalProtect portals and scanning SonicWall API endpoints. This activity originates from over 7,000 IP addresses associated with the German hosting provider 3xK GmbH, which operates its own BGP network. Notably, no specific vulnerabilities (CVEs) or concrete impacts have been reported in connection with this campaign. The start date of December 2, 2025, appears to be in the future, which may indicate a typographical error in the source material.

Technically, this campaign appears to involve brute-force or credential-stuffing attacks against GlobalProtect VPN portals and reconnaissance of SonicWall API endpoints. The use of numerous IP addresses from a single hosting provider suggests an attempt to distribute the attack traffic and potentially evade IP-based defenses.

For cybersecurity professionals, this campaign highlights the importance of implementing strong authentication mechanisms, such as multi-factor authentication (MFA), for VPN portals. Additionally, organizations should ensure that their SonicWall API endpoints are properly secured and monitored for unusual activity. Regular reviews of authentication logs and API access logs can help detect and respond to such campaigns.

The scale of this campaign, with over 7,000 source IP addresses, indicates a significant investment in infrastructure by the attackers. However, without information on specific vulnerabilities being exploited or successful breaches, the concrete impact remains unclear.
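
An added example, not from the Security Affairs report or either vendor: a sketch of an authentication-log review in which a per-IP failure threshold misses login attempts spread across many addresses of one network, while grouping failures by network flags them. The log format, the thresholds and the /24 grouping are assumptions (grouping by origin ASN would match a hosting provider more closely); the sample lines are constructed and use documentation IP ranges.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: "timestamp src_ip user result" (hypothetical format,
# not an actual GlobalProtect or SonicOS log layout; documentation IP ranges).
SAMPLE_LOG = [
    f"2025-12-02T10:{i:02d}:00Z 198.51.100.{10 + i} user{i % 4} FAIL"
    for i in range(12) for _ in range(2)  # 12 addresses, 2 failures each
] + [
    "2025-12-02T10:30:00Z 203.0.113.7 alice FAIL",
    "2025-12-02T10:30:20Z 203.0.113.7 alice FAIL",
    "2025-12-02T10:30:40Z 203.0.113.7 alice FAIL",
    "2025-12-02T10:31:00Z 203.0.113.7 alice OK",
    "2025-12-02T10:40:00Z 192.0.2.10 bob OK",
]


def failed_sources(lines):
    """Yield the source IP of every failed login; skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "FAIL":
            continue
        try:
            yield ipaddress.ip_address(parts[1])
        except ValueError:
            continue


def per_ip_alerts(lines, threshold=5):
    """Per-IP rule: flag any single address with >= threshold failures."""
    counts = Counter(failed_sources(lines))
    return {str(ip) for ip, n in counts.items() if n >= threshold}


def per_network_alerts(lines, prefix_len=24, min_ips=10, min_failures=20):
    """Flag networks where many distinct addresses each fail a few times."""
    by_net = defaultdict(Counter)
    for ip in failed_sources(lines):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[net][ip] += 1
    return {
        str(net): {"distinct_ips": len(c), "failures": sum(c.values())}
        for net, c in by_net.items()
        if len(c) >= min_ips and sum(c.values()) >= min_failures
    }
```

On the constructed sample, no single address reaches the per-IP threshold, yet the network-level rule reports 198.51.100.0/24 with 12 distinct sources and 24 failures.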