Palo Alto Networks Unit 42 has issued an urgent warning about active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software. The flaw allows unauthenticated remote attackers to bypass security controls and initiate unauthorized VPN connections without requiring any credentials — and real-world exploitation is now confirmed in the wild.
What Is CVE-2026-0257?
CVE-2026-0257 is a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway interfaces in Palo Alto Networks PAN-OS. An unauthenticated remote attacker can exploit this flaw to circumvent the VPN authentication mechanism entirely, establishing unauthorized VPN connections from outside the network perimeter without supplying valid credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, confirming in-the-wild exploitation activity. Organizations are required to patch or remediate this vulnerability per CISA’s Binding Operational Directive.
Observed Exploitation Activity
Unit 42 researchers observed an as-yet unattributed threat actor actively probing GlobalProtect-enabled devices. While the attacker probed a broad set of targets, only a subset of those probes resulted in established VPN sessions, which show up as gateway-connected events. No confirmed post-access behavior, lateral movement, or data exfiltration has been documented at this time, but the exploitation window remains open for unpatched systems.
A public proof-of-concept exploit was released on May 29, 2026. Prior to that date, exploitation activity was already observed from the following IP addresses, suggesting pre-PoC knowledge of the vulnerability by at least one threat actor:
How to Hunt for Exploitation
Organizations should immediately hunt for indicators of compromise in their GlobalProtect logs. Key artifacts from the PoC exploit include hard-coded values that appear in logs of exploited gateways:
- endpoint_os_version: Microsoft Windows 10 Pro 64-bit (hard-coded in the exploit)
- source_user_info.domain: (empty string)
- Suspicious hostnames in logs: WINDOWS-LAPTOP-001, DESKTOP-GP01, GP-CLIENT
- Suspicious MAC addresses: aa:bb:cc:dd:ee:ff, 00:11:22:33:44:55
Any successful GlobalProtect login from the IP addresses Unit 42 associated with this activity, especially in the period before the PoC was published on May 29, 2026, should be treated as a confirmed compromise requiring immediate incident response.
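The hunt described above, as an added example that is not part of the original report: a small Python triage script that scans GlobalProtect gateway-connected records for the PoC's hard-coded artifacts and flags whether each hit predates the public PoC. The CSV column names and the log rows are constructed for illustration and are not the real PAN-OS log schema; in practice the fields would be mapped from an exported GlobalProtect log.

```python
import csv
import io
from datetime import datetime, timezone

# Artifacts Unit 42 attributes to the public PoC exploit.
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"
POC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
POC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
POC_RELEASE = datetime(2026, 5, 29, tzinfo=timezone.utc)  # public PoC date

# Constructed sample export; column names are assumptions, not PAN-OS's own.
SAMPLE_LOG = """\
time,src,user,domain,hostname,mac,os_version,event
2026-05-27T10:14:02Z,203.0.113.7,svc,,WINDOWS-LAPTOP-001,aa:bb:cc:dd:ee:ff,Microsoft Windows 10 Pro 64-bit,gateway-connected
2026-05-28T08:00:00Z,198.51.100.9,alice,CORP,ALICE-LT,3c:22:fb:10:aa:01,Microsoft Windows 11 Pro 64-bit,gateway-connected
2026-05-30T12:30:45Z,192.0.2.55,bob,,DESKTOP-GP01,00:11:22:33:44:55,Microsoft Windows 10 Pro 64-bit,gateway-connected
2026-05-30T13:00:00Z,198.51.100.20,carol,CORP,CAROL-PC,3c:22:fb:10:aa:02,Microsoft Windows 10 Pro 64-bit,gateway-connected
"""


def score_event(row):
    """Return the list of PoC artifacts matched by one log row (empty = clean)."""
    reasons = []
    if row["hostname"] in POC_HOSTNAMES:
        reasons.append("poc-hostname")
    if row["mac"].lower() in POC_MACS:
        reasons.append("poc-mac")
    # The OS string alone is common; it is only suspicious with an empty domain.
    if row["domain"] == "" and row["os_version"] == POC_OS_VERSION:
        reasons.append("empty-domain+poc-os")
    return reasons


def hunt(log_text):
    """Scan a CSV export and return hits, marking those from before the PoC."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = score_event(row)
        if not reasons:
            continue
        ts = datetime.fromisoformat(row["time"].replace("Z", "+00:00"))
        hits.append({"time": row["time"], "src": row["src"], "user": row["user"],
                     "reasons": reasons, "pre_poc": ts < POC_RELEASE})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A pre-PoC hit (the first sample row) deserves the highest priority, since it indicates access by an actor who knew of the flaw before the exploit was public.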
Affected Versions and Patches
CVE-2026-0257 affects GlobalProtect-enabled deployments running vulnerable versions of PAN-OS. Palo Alto Networks has released patches addressing this vulnerability. Organizations should review the official Palo Alto Networks security advisory for the specific fixed versions applicable to their deployment.
Immediate Actions Required
Security teams should take the following steps without delay:
- Apply patches from the official Palo Alto Networks advisory immediately
- Review GlobalProtect authentication logs for the suspicious hostnames, MAC addresses, and source IPs that Unit 42 has associated with this activity
- Search for ConsoleLogin and VPN connection events from the pre-PoC period (before May 29, 2026) that match exploit signatures
- If patching cannot occur immediately, consider temporarily restricting access to GlobalProtect management interfaces
- Contact Palo Alto Networks PSIRT and activate incident response protocols for any confirmed gateway-connected events from suspicious sources
Rapid7 has also published a technical analysis of observed exploitation activity in the wild, providing additional context for threat hunters conducting investigations.
Source: Cyber Security News, June 15, 2026. Reported by Palo Alto Networks Unit 42.