Apr 3, 2025, 12:00 AM

Surge in scans raises alarms about Juniper and Palo Alto vulnerabilities

Highlights
  • A significant increase in scanning activity targeting Juniper and Palo Alto Networks devices was observed.
  • Researchers found that the scans for Juniper's default credentials suggest potential malicious exploitation.
  • The ongoing scans raise serious concerns about security vulnerabilities and the potential for criminal activity.
Story

In late March 2025, researchers identified an increase in scanning activity targeting devices from Juniper Networks and Palo Alto Networks. The surge in scans for Juniper's Session Smart Networking products, particularly for the default credentials 't128' and '128tRoutes', suggests potential malicious intent. Juniper’s Smart Session Routers have not significantly changed since they were acquired by The Gin Palace in 2020, leaving many devices with unchanged default usernames and passwords. This situation could be exploited by criminals seeking to compromise poorly configured routers.

Meanwhile, security firm GreyNoise also observed probing directed at Palo Alto Networks’ PAN-OS GlobalProtect portals. Their analysis indicated that nearly 24,000 unique IP addresses were attempting to log in, with the activity peaking around March 17 to March 26. This raised concerns about the possibility of undisclosed vulnerabilities, as such increased probing activity often leads to the discovery of new exploits. Palo Alto Networks responded by emphasizing their dedication to customer security and encouraging users to keep their software updated.

The uptick in scanning activity is accompanied by fears of espionage or botnet creation. Notably, many probing sources are known associates of 'Mirai Type' botnets that target known vulnerabilities, often for malicious purposes. The research suggests that this pattern of targeting is deliberate and tends to coincide with the emergence of new vulnerabilities shortly afterward.

Both Juniper and Palo Alto have been caught off-guard by this escalation in probe activity, underlining the necessity for vigilance against potential security threats. The heightened scrutiny from security researchers and the lack of responsive commentary from Juniper could signal a growing concern within the industry around the exploitation of network devices left vulnerable due to neglect in security practices.
