
Palo Alto Networks Unit 42 brings together world-renowned threat researchers with an elite team of incident responders and security consultants to create an intelligence-driven, response-ready organization passionate about helping customers more proactively manage cyber risk. With a deeply rooted reputation for delivering world-class threat intelligence, Unit 42 provides industry-leading incident response and cyber risk management services to security leaders around the globe.

Palo Alto Networks Unit 42 A.I CyberSecurity Scoring

PANU

Company Details

Linkedin ID: unit42
Employees number: 428
Number of followers: 86,595
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: paloaltonetworks.com
IP Addresses: 129
Company ID: PAL_2757838
Scan Status: Completed

PANU Risk Score (AI oriented): Between 700 and 749
  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score when calculating premiums

PANU Global Score (TPRM): XXXX
  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

PANU Company CyberSecurity News & History

Past Incidents: 2
Attack Types: 2

Palo Alto Networks Unit 42
Breach
Severity: 100
Impact: 5
Seen: 6/2018
Rankiteo Explanation: Attack threatening the organization’s existence

Description: Palo Alto Networks Unit 42 uncovered a Dark Gate malware campaign exploiting legitimate tools for distributing malware. Using Excel files, the malware leveraged public SMB shares to spread across North America, Europe, and Asia. DarkGate, a sophisticated RAT, is capable of various malicious activities, evading detection, and has been active since 2018. The surge in activity followed Qakbot infrastructure disruption and reached its peak with 2,000 samples in a single day, indicating a widespread and significant breach.

Palo Alto Networks
Cyber Attack
Severity: 60
Impact: 2
Seen: 11/2025
Rankiteo Explanation: Attack limited to finance or reputation

Description: Palo Alto Networks faced a **massive, coordinated brute-force cyberattack** targeting its **GlobalProtect VPN systems**, beginning on **November 14, 2025**. The assault escalated rapidly, with a **40-fold spike in malicious sessions** (2.3 million attacks) in 24 hours, focusing on the `/global-protect/login.esp` endpoint. Threat actors exploited **distributed infrastructure**, primarily via **AS200373 (3xK Tech GmbH, Germany)** and secondary ASNs, using **consistent JA4t fingerprints** to evade detection. While no confirmed data breach occurred yet, the attack’s scale and **historical correlation with pre-exploitation scanning** (similar to past Fortinet VPN breaches) suggest **imminent risk of vulnerability exploitation**. The campaign’s **indiscriminate global targeting** (U.S., Mexico, Pakistan) and **highly organized nature** (temporal patterns, ASN concentration) indicate a **sophisticated threat actor** probing for weaknesses. Though currently a **brute-force operation**, unpatched systems (e.g., **CVE-2025-0108**, an **actively exploited authentication bypass**) heighten the risk of **follow-on attacks**, including **credential theft, lateral movement, or ransomware deployment**. Organizations were urged to **patch immediately**, restrict VPN access, and block malicious IPs. The incident underscores **critical vulnerabilities in enterprise VPN security**, with potential **operational disruption, reputational damage, and financial losses** if exploited further.


PANU Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months: Incident Predictions locked (Access Monitoring Plan)

A.I Risk Score Likelihood 3 - 6 - 9 months: A.I. Risk Score Predictions locked (Access Monitoring Plan)

Underwriter Stats for PANU

Incidents vs Computer and Network Security Industry Average (This Year)

Palo Alto Networks Unit 42 has 112.77% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Palo Alto Networks Unit 42 has 56.25% more incidents than the average of all companies with at least one recorded incident.

Incident Types PANU vs Computer and Network Security Industry Avg (This Year)

Palo Alto Networks Unit 42 reported 1 incident this year: 1 cyber attack, 0 ransomware, 0 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History — PANU (X = Date, Y = Severity)

PANU cyber incidents detection timeline including parent company and subsidiaries

PANU Company Subsidiaries


PANU Similar Companies

CrowdStrike

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints and cloud workloads, identity and data. Powered by the CrowdStrike Security Cloud and world-clas

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest s


PANU CyberSecurity News

November 25, 2025 02:37 PM
KawaiiGPT - New Black-Hat AI Tool Used by Hackers to Launch Cyberattacks

KawaiiGPT, a free malicious large language model (LLM) first spotted in July 2025 and now at version 2.5, empowers novice cybercriminals...

November 25, 2025 11:01 AM
The Dual-Use Dilemma of AI: Malicious LLMs

The line between research tool and threat creation engine is thin. We examine the capabilities of WormGPT 4 and KawaiiGPT, two malicious...

November 25, 2025 08:00 AM
"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated November 26)

Self-replicating worm “Shai-Hulud” has compromised hundreds of software packages in a supply chain attack targeting the npm ecosystem.

November 19, 2025 11:07 AM
Unit 42 Threat Bulletin – November 2025

The November issue of the Unit 42 Threat Bulletin is here, filled with fresh content and expert perspectives to keep you ahead of emerging...

November 19, 2025 08:00 AM
Blog

Empower your cybersecurity strategy with Palo Alto Networks' blog. Gain insights on AI, machine learning, threat detection, and best...

November 18, 2025 08:00 AM
Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise

Unit 42 outlines a Howling Scorpius attack delivering Akira ransomware that originated from a fake CAPTCHA and led to a 42-day compromise.

November 07, 2025 08:00 AM
LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

Commercial-grade LANDFALL spyware exploits CVE-2025-21042 in Samsung Android's image processing library. The spyware was embedded in...

November 06, 2025 07:09 PM
The next great cybersecurity threat: Agentic AI

Autonomous AI agents are redefining cybersecurity, demanding urgent action to secure systems before they surpass human control.

November 03, 2025 08:00 AM
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3)

CVE-2025-59287 is a critical RCE vulnerability identified in Microsoft's WSUS. Our observations from cases show a consistent methodology.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

PANU CyberSecurity History Information

Official Website of Palo Alto Networks Unit 42

The official website of Palo Alto Networks Unit 42 is http://paloaltonetworks.com/unit42.

Palo Alto Networks Unit 42’s AI-Generated Cybersecurity Score

According to Rankiteo, Palo Alto Networks Unit 42’s AI-generated cybersecurity score is 728, reflecting their Moderate security posture.

How many security badges does Palo Alto Networks Unit 42 have?

According to Rankiteo, Palo Alto Networks Unit 42 currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Palo Alto Networks Unit 42 have SOC 2 Type 1 certification?

According to Rankiteo, Palo Alto Networks Unit 42 is not certified under SOC 2 Type 1.

Does Palo Alto Networks Unit 42 have SOC 2 Type 2 certification?

According to Rankiteo, Palo Alto Networks Unit 42 does not hold a SOC 2 Type 2 certification.

Does Palo Alto Networks Unit 42 comply with GDPR?

According to Rankiteo, Palo Alto Networks Unit 42 is not listed as GDPR compliant.

Does Palo Alto Networks Unit 42 have PCI DSS certification?

According to Rankiteo, Palo Alto Networks Unit 42 does not currently maintain PCI DSS compliance.

Does Palo Alto Networks Unit 42 comply with HIPAA?

According to Rankiteo, Palo Alto Networks Unit 42 is not compliant with HIPAA regulations.

Does Palo Alto Networks Unit 42 have ISO 27001 certification?

According to Rankiteo, Palo Alto Networks Unit 42 is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Palo Alto Networks Unit 42

Palo Alto Networks Unit 42 operates primarily in the Computer and Network Security industry.

Number of Employees at Palo Alto Networks Unit 42

Palo Alto Networks Unit 42 employs approximately 428 people worldwide.

Subsidiaries Owned by Palo Alto Networks Unit 42

Palo Alto Networks Unit 42 presently has no subsidiaries across any sectors.

Palo Alto Networks Unit 42’s LinkedIn Followers

Palo Alto Networks Unit 42’s official LinkedIn profile has approximately 86,595 followers.

NAICS Classification of Palo Alto Networks Unit 42

Palo Alto Networks Unit 42 is classified under the NAICS code 541514, which corresponds to Others.

Palo Alto Networks Unit 42’s Presence on Crunchbase

No, Palo Alto Networks Unit 42 does not have a profile on Crunchbase.

Palo Alto Networks Unit 42’s Presence on LinkedIn

Yes, Palo Alto Networks Unit 42 maintains an official LinkedIn profile, which is actively used for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/unit42.

Cybersecurity Incidents Involving Palo Alto Networks Unit 42

As of December 04, 2025, Rankiteo reports that Palo Alto Networks Unit 42 has experienced 2 cybersecurity incidents.

Number of Peer and Competitor Companies

Palo Alto Networks Unit 42 has an estimated 2,928 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Palo Alto Networks Unit 42?

Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack and Breach.

How does Palo Alto Networks Unit 42 detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through third-party assistance from GreyNoise (threat intelligence and blocking solutions); containment measures (upgrade to patched versions of PAN-OS/GlobalProtect, restrict management interface access to trusted internal IPs, monitor for anomalous login attempts from suspicious ASNs (AS200373, AS208885), implement rate limiting on VPN authentication endpoints); remediation measures (apply patches for CVE-2025-0108, CVE-2025-2183, CVE-2025-0141, CVE-2025-0140; block malicious IPs via the GreyNoise Block solution); and enhanced monitoring (monitor for JA4t fingerprints 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7).

Incident Details

Can you provide details on each incident?

Incident : Malware Campaign

Title: Dark Gate Malware Campaign

Description: Palo Alto Networks Unit 42 uncovered a Dark Gate malware campaign exploiting legitimate tools for distributing malware. Using Excel files, the malware leveraged public SMB shares to spread across North America, Europe, and Asia. DarkGate, a sophisticated RAT, is capable of various malicious activities, evading detection, and has been active since 2018. The surge in activity followed Qakbot infrastructure disruption and reached its peak with 2,000 samples in a single day, indicating a widespread and significant breach.

Type: Malware Campaign

Attack Vector: Excel files and public SMB shares

Threat Actor: DarkGate

Motivation: Data exfiltration, evasion of detection, and distribution of malware

Incident : Brute-Force Attack

Title: Massive Brute-Force Campaign Targeting Palo Alto Networks GlobalProtect VPN Systems

Description: Security researchers at GreyNoise uncovered a massive spike in cyberattacks targeting Palo Alto Networks GlobalProtect VPN systems. The assault began on November 14, 2025, escalating into a coordinated campaign striking millions of login portals worldwide. The attack intensity surged 40-fold in a single day, marking the highest activity level recorded in the past 90 days. Approximately 2.3 million malicious sessions targeted the /global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect systems. The campaign demonstrated consistent TCP/JA4t signatures and temporal patterns, suggesting a persistent and organized operation. Primary attack sources included AS200373 (3xK Tech GmbH, Germany) and AS208885 (Noyobzoda Faridduni Saidilhom), with the U.S., Mexico, and Pakistan as top targets. The campaign appears to be a brute-force scanning operation, potentially signaling upcoming exploitation of vulnerabilities.

Date Detected: 2025-11-14

Date Publicly Disclosed: 2025-11-14

Type: Brute-Force Attack

Attack Vector: Brute-Force Scanning; Credential Stuffing; Exploitation of VPN Login Portals

Threat Actor: Attribution Confidence: High (assessed by GreyNoise). Tactics, Techniques, Procedures: Brute-force scanning; Distributed hosting infrastructure (AS200373, AS208885); Consistent JA4t fingerprints (65495_2-4-8-1-3_65495_7, 33280_2-4-8-1-3_65495_7); Temporal patterns matching previous campaigns

Motivation: Reconnaissance; Potential Future Exploitation; Credential Harvesting

What are the most common types of attacks the company has faced?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents?

Identification of Attack Vectors: The attack vectors identified in incidents are Excel files and public SMB shares, and the /global-protect/login.esp URI.

Impact of the Incidents

What was the impact of each incident?

Incident : Brute-Force Attack UNI1532215112025

Systems Affected: Palo Alto Networks GlobalProtect VPN systems; PAN-OS management interfaces

Operational Impact: Increased risk of unauthorized access; Potential for follow-on attacks

Brand Reputation Impact: Potential erosion of trust in Palo Alto VPN security

Identity Theft Risk: High (if credentials are compromised)

Which entities were affected by each incident?

Incident : Malware Campaign UNI617071524

Location: North America; Europe; Asia

Incident : Brute-Force Attack UNI1532215112025

Entity Name: Palo Alto Networks

Entity Type: Technology Company

Industry: Cybersecurity

Location: Global (Primary targets: United States, Mexico, Pakistan)

Customers Affected: Millions of GlobalProtect VPN login portals targeted

Response to the Incidents

What measures were taken in response to each incident?

Incident : Brute-Force Attack UNI1532215112025

Third Party Assistance: GreyNoise (threat intelligence and blocking solutions)

Containment Measures: Upgrade to patched versions of PAN-OS/GlobalProtect; Restrict management interface access to trusted internal IPs; Monitor for anomalous login attempts from suspicious ASNs (AS200373, AS208885); Implement rate limiting on VPN authentication endpoints

Remediation Measures: Apply patches for CVE-2025-0108, CVE-2025-2183, CVE-2025-0141, CVE-2025-0140; Block malicious IPs via the GreyNoise Block solution

Enhanced Monitoring: Monitor for JA4t fingerprints: 65495_2-4-8-1-3_65495_7, 33280_2-4-8-1-3_65495_7

How does the company involve third-party assistance in incident response?

Third-Party Assistance: The company involves third-party assistance in incident response through GreyNoise (threat intelligence and blocking solutions).

Data Breach Information

What measures does the company take to prevent data exfiltration?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: apply patches for CVE-2025-0108, CVE-2025-2183, CVE-2025-0141, CVE-2025-0140; block malicious IPs via the GreyNoise Block solution.

How does the company handle incidents involving personally identifiable information (PII)?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by upgrading to patched versions of PAN-OS/GlobalProtect, restricting management interface access to trusted internal IPs, monitoring for anomalous login attempts from suspicious ASNs (AS200373, AS208885), and implementing rate limiting on VPN authentication endpoints.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident?

Incident : Brute-Force Attack UNI1532215112025

Regulatory Notifications: CISA KEV (for CVE-2025-0108)

Lessons Learned and Recommendations

What lessons were learned from each incident?

Incident : Brute-Force Attack UNI1532215112025

Lessons Learned:
  • Brute-force spikes against VPN systems (e.g., Fortinet) often precede vulnerability disclosures by ~6 weeks.
  • Distributed hosting infrastructure (e.g., AS200373) can obfuscate threat actor origins.
  • Consistent JA4t fingerprints can help attribute coordinated campaigns.
  • Rate limiting and IP blocking are critical for mitigating brute-force attacks.

What recommendations were made to prevent future incidents?

Incident : Brute-Force Attack UNI1532215112025

Recommendations:
  • Immediately upgrade to patched versions of PAN-OS and GlobalProtect.
  • Restrict VPN management interface access to trusted IPs.
  • Monitor for anomalous traffic from AS200373 (3xK Tech GmbH, Germany) and AS208885 (Noyobzoda Faridduni Saidilhom).
  • Implement rate limiting on VPN authentication endpoints (/global-protect/login.esp).
  • Block malicious IPs using GreyNoise Block or similar solutions.
  • Prepare for potential follow-on exploitation of undisclosed vulnerabilities.

What are the key lessons learned from past incidents?

Key Lessons Learned: The key lessons learned from past incidents are: brute-force spikes against VPN systems (e.g., Fortinet) often precede vulnerability disclosures by ~6 weeks; distributed hosting infrastructure (e.g., AS200373) can obfuscate threat actor origins; consistent JA4t fingerprints can help attribute coordinated campaigns; rate limiting and IP blocking are critical for mitigating brute-force attacks.

References

Where can I find more information about each incident?

Incident : Malware Campaign UNI617071524

Source: Palo Alto Networks Unit 42

Incident : Brute-Force Attack UNI1532215112025

Source: GreyNoise Intelligence Report

Date Accessed: 2025-11-14

Where can stakeholders find additional resources on cybersecurity best practices?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the sources cited for each incident: Palo Alto Networks Unit 42, and the GreyNoise Intelligence Report (date accessed: 2025-11-14).

Investigation Status

What is the current status of the investigation for each incident?

Incident : Brute-Force Attack UNI1532215112025

Investigation Status: Ongoing (GreyNoise assessment)

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident?

Incident : Brute-Force Attack UNI1532215112025

Customer Advisories: Palo Alto Networks customers advised to patch systems and monitor for suspicious activity.

What advisories does the company provide to stakeholders and customers following an incident?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Palo Alto Networks customers were advised to patch systems and monitor for suspicious activity.

Initial Access Broker

How did the initial access broker gain entry for each incident?

Incident : Malware Campaign UNI617071524

Entry Point: Excel files and public SMB shares

Incident : Brute-Force Attack UNI1532215112025

Entry Point: /global-protect/login.esp URI

Reconnaissance Period: Ongoing since mid-November 2025

High Value Targets: Enterprise VPN systems, PAN-OS management interfaces

Data Sold on Dark Web: Enterprise VPN systems, PAN-OS management interfaces

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident?

Incident : Brute-Force Attack UNI1532215112025

Root Causes: Unpatched vulnerabilities in GlobalProtect/PAN-OS (CVE-2025-0108, etc.); Lack of rate limiting on authentication endpoints; Exposure of VPN login portals to untrusted networks

Corrective Actions: Patch management for VPN systems; Network segmentation for VPN infrastructure; Enhanced monitoring for brute-force patterns (e.g., JA4t fingerprints); Blocklist management for malicious ASNs/IPs

What is the company's process for conducting post-incident analysis?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: GreyNoise (threat intelligence and blocking solutions); monitor for JA4t fingerprints 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7.

What corrective actions has the company taken based on post-incident analysis?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: patch management for VPN systems; network segmentation for VPN infrastructure; enhanced monitoring for brute-force patterns (e.g., JA4t fingerprints); blocklist management for malicious ASNs/IPs.

Additional Questions

General Information

Who was the attacking group in the last incident?

Last Attacking Group: The attacking groups recorded are DarkGate (malware campaign) and, for the brute-force campaign, a threat actor characterized by attribution confidence High (assessed by GreyNoise) and the following tactics, techniques and procedures: brute-force scanning; distributed hosting infrastructure (AS200373, AS208885); consistent JA4t fingerprints (65495_2-4-8-1-3_65495_7, 33280_2-4-8-1-3_65495_7); temporal patterns matching previous campaigns.

Incident Details

What was the most recent incident detected?

Most Recent Incident Detected: The most recent incident detected was on 2025-11-14.

What was the most recent incident publicly disclosed?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-11-14.

Impact of the Incidents

What was the most significant system affected in an incident?

Most Significant System Affected: The most significant systems affected in an incident were Palo Alto Networks GlobalProtect VPN systems and PAN-OS management interfaces.

Response to the Incidents

What third-party assistance was involved in the most recent incident?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was GreyNoise (threat intelligence and blocking solutions).

What containment measures were taken in the most recent incident?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: upgrade to patched versions of PAN-OS/GlobalProtect; restrict management interface access to trusted internal IPs; monitor for anomalous login attempts from suspicious ASNs (AS200373 and AS208885); implement rate limiting on VPN authentication endpoints.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was that rate limiting and IP blocking are critical for mitigating brute-force attacks.

What was the most significant recommendation implemented to improve cybersecurity?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: implement rate limiting on VPN authentication endpoints (/global-protect/login.esp); monitor for anomalous traffic from AS200373 (3xK Tech GmbH, Germany) and AS208885 (Noyobzoda Faridduni Saidilhom); prepare for potential follow-on exploitation of undisclosed vulnerabilities; immediately upgrade to patched versions of PAN-OS and GlobalProtect; restrict VPN management interface access to trusted IPs; and block malicious IPs using GreyNoise Block or similar solutions.

References

What is the most recent source of information about an incident?

Most Recent Source: The most recent sources of information about an incident are Palo Alto Networks Unit 42 and the GreyNoise Intelligence Report.

Investigation Status

What is the current status of the most recent investigation?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (GreyNoise assessment).

Stakeholder and Customer Advisories

What was the most recent customer advisory issued?

Most Recent Customer Advisory: The most recent customer advisory issued was that Palo Alto Networks customers were advised to patch systems and monitor for suspicious activity.

Initial Access Broker

What was the most recent entry point used by an initial access broker?

Most Recent Entry Point: The most recent entry point used by an initial access broker was Excel files and public SMB shares.

What was the most recent reconnaissance period for an incident?

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was ongoing since mid-November 2025.


Latest Global CVEs (Not Company-Specific)

Description

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Risk Information
cvss3
Base: 6.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Description

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

Description

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

Description

Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Risk Information
cvss4
Base: 9.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

Risk Information
cvss4
Base: 5.5
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=unit42' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure?

  • Incident
  • Finding
  • Grade
  • Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.