CERT-In Advisory
CIAD-2025-0047
Surge in Attacks Targeting Palo Alto Networks Devices
Original Issue Date: December 01, 2025
Severity Rating: Critical
Overview
CERT-In/CSIRT-Fin has observed a surge in cyberattacks targeting Palo Alto Networks firewall devices, particularly those deployed within the BFSI sector in India. The activity indicates a widespread and coordinated reconnaissance and exploitation campaign aimed at leveraging multiple critical vulnerabilities across various PAN-OS versions. Organizations operating these devices are urged to take immediate defensive actions to reduce exposure.
Description
Malicious activity against Palo Alto Networks firewall devices was observed during October 2025. It primarily targeted PA-3220 series devices running PAN-OS versions ranging from 8.x to 12.x. The attackers appear to be systematically scanning for, and attempting to exploit, a set of known vulnerabilities.
The most targeted vulnerabilities include:
Correlated external threat intelligence also confirms similar scanning and exploitation attempts across a broader network, suggesting this is part of a globally coordinated campaign.
Recommended Actions
Organizations are advised to take the following steps without delay:
- Patch Immediately
  - Apply the latest security patches and firmware updates provided by Palo Alto Networks for all devices, especially addressing the listed CVEs.
- Restrict Management Access
  - Limit access to the management interface by IP whitelisting and enforcing VPN-only access.
  - Disable web interface access from untrusted networks.
- Block Suspicious IPs
  - Review logs to identify and block IP addresses involved in suspicious scanning or exploitation attempts during this period of elevated activity.
  - Maintain and update blocklists dynamically based on ongoing threat intelligence.
- Implement Enhanced Monitoring
  - Enable detailed logging on firewall devices.
  - Set up alerts for abnormal access patterns, login attempts, and configuration changes.
- Review GlobalProtect and PAN-OS Portals
  - Carefully inspect access logs for the GlobalProtect VPN and PAN-OS web management portals for signs of unauthorized access, probing or brute-force attempts.
- Conduct Threat Hunting
  - Search historical logs for IOCs listed in this advisory.
  - Investigate any anomalies in admin login behaviour, configuration changes or traffic patterns.
- Prepare for Future Disclosures
  - Given the ongoing activity, consider proactively hardening firewall configurations and access controls in anticipation of additional Palo Alto-related CVEs that may be disclosed in the coming weeks.
- Enforce Strong Authentication
  - Implement Multi-Factor Authentication (MFA) for all administrative and remote access.
- Review Network Segmentation
  - Ensure firewall and management interfaces are isolated from public networks and protected via bastion hosts or jump servers where feasible.
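As an added illustration of the log-review and threat-hunting steps above (example code written for this advisory, not CERT-In or Palo Alto Networks tooling), the following Python sketch scores constructed authentication records for brute-force patterns and for management-portal logins from outside an assumed allowlist. The simplified comma-separated record layout, the 10.20.0.0/24 management range and the threshold of five failures are assumptions; exported PAN-OS logs would be mapped to these fields first.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in an assumed "timestamp,source_ip,user,portal,result"
# layout; this is NOT PAN-OS's native log format, so map exported fields to it first.
SAMPLE_LOG = """\
2025-10-14T02:11:03Z,203.0.113.10,admin,web-mgmt,FAIL
2025-10-14T02:11:05Z,203.0.113.10,admin,web-mgmt,FAIL
2025-10-14T02:11:08Z,203.0.113.10,root,web-mgmt,FAIL
2025-10-14T02:11:10Z,203.0.113.10,administrator,web-mgmt,FAIL
2025-10-14T02:11:12Z,203.0.113.10,admin,web-mgmt,FAIL
2025-10-14T02:11:14Z,203.0.113.10,admin,web-mgmt,FAIL
2025-10-14T03:00:01Z,10.20.0.5,netops,web-mgmt,SUCCESS
2025-10-14T03:15:44Z,198.51.100.7,jdoe,globalprotect,SUCCESS
2025-10-14T04:02:17Z,203.0.113.10,admin,web-mgmt,SUCCESS
"""

# Assumed management allowlist (the advisory's "IP whitelisting") and failure threshold.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 5


def parse_lines(text):
    """Parse the constructed CSV-style records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, portal, result = line.split(",", 4)
        events.append({"ts": ts, "src": ipaddress.ip_address(src),
                       "user": user, "portal": portal, "result": result})
    return events


def hunt(events):
    """Return findings: out-of-allowlist admin logins and brute-force candidates."""
    fails = defaultdict(int)   # failed attempts per source address
    users = defaultdict(set)   # distinct usernames tried per source address
    findings = []
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]] += 1
            users[ev["src"]].add(ev["user"])
        elif ev["portal"] == "web-mgmt" and not any(ev["src"] in n for n in MGMT_ALLOWLIST):
            # Successful management-portal login from a source outside the allowlist.
            findings.append(("mgmt-login-outside-allowlist", str(ev["src"]), ev["user"]))
    for src, n in fails.items():
        if n >= FAIL_THRESHOLD:
            detail = f"{n} failures, {len(users[src])} usernames"
            findings.append(("brute-force-candidate", str(src), detail))
    return findings
```

A successful login that follows a run of failures from the same source, as in the constructed sample, is the pattern worth escalating first.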
Organisations are requested to closely monitor their ICT infrastructure for signs of suspicious activity related to this attack campaign. If any such activity is reported or detected, preserve all logs, take containment measures and report with all relevant logs to CERT-In/CSIRT-Fin (at incident@cert-in.org.in).
References
CERT-In Security Advisories:
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2025-0009
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2024-0056
Palo Alto Networks Security Advisories:
https://security.paloaltonetworks.com
https://security.paloaltonetworks.com/CVE-2025-0108
https://security.paloaltonetworks.com/CVE-2024-0012
https://security.paloaltonetworks.com/PAN-SA-2024-0010
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road, New Delhi - 110 003
India