Palo Alto Networks has confirmed that threat actors are actively exploiting a recently disclosed authentication bypass vulnerability affecting PAN-OS software, enabling unauthorized access to GlobalProtect VPN portals and gateways.
The flaw, tracked as CVE-2026-0257, carries a CVSS score of 7.8 and impacts the portal and gateway components of PAN-OS. Successful exploitation allows attackers to bypass authentication controls and establish VPN connections without valid credentials.
The company has observed real-world attacks leveraging the vulnerability and is urging customers to review their environments immediately for signs of compromise.
Active Exploitation Detected in the Wild
According to Palo Alto Networks, exploitation attempts began as early as May 17, 2026, although the identity of the threat actor behind the campaign remains unknown.
The company noted that the attacks appear to be limited in scope, with only a small number of targeted devices successfully establishing VPN sessions.
While unauthorized access has been confirmed, investigators have not yet observed any evidence of:
- Lateral movement
- Privilege escalation
- Post-compromise activity
- Data theft
However, security experts warn that organizations should remain vigilant, as attackers may use the vulnerability to gain an initial foothold before launching additional attacks.
Understanding CVE-2026-0257
CVE-2026-0257 is an authentication bypass vulnerability affecting GlobalProtect portal and gateway components within PAN-OS.
By exploiting the flaw, attackers can circumvent security controls and initiate VPN connections that appear legitimate to the affected system.
Because GlobalProtect is commonly used to provide secure remote access for employees and contractors, successful exploitation could potentially expose internal corporate networks to unauthorized users.
Indicators of Compromise Released
To help organizations identify potential intrusion attempts, Palo Alto Networks has published several Indicators of Compromise (IoCs) associated with the observed activity.
Suspicious IP Addresses
Security teams should investigate connections involving the following IP addresses:
- 23.128.228[.]6
- 104.207.144[.]154
- 146.19.216[.]119
- 146.19.216[.]120
- 146.19.216[.]125
- 179.43.172[.]213
- 185.195.232[.]139
- 198.12.106[.]60
- 202.144.192[.]47
Suspicious Hostnames and MAC Addresses
Researchers also identified several hard-coded host identifiers used during exploitation attempts:
Host Names
- WINDOWS-LAPTOP-001
- DESKTOP-GP01
- GP-CLIENT
MAC Addresses
- aa:bb:cc:dd:ee:ff
- 00:11:22:33:44:55
Organizations should review logs for these indicators and investigate any matching activity.
Proof-of-Concept Exploit Leaves Distinct Log Artifacts
Palo Alto Networks is advising customers to examine GlobalProtect logs for successful gateway connection events that contain specific client configuration values associated with publicly available proof-of-concept (PoC) exploits.
Key values to search for include:
- endpoint_os_version: Microsoft Windows 10 Pro 64-bit
- source_user_info.domain: Empty or blank value
The presence of these indicators may suggest attempted or successful exploitation of the vulnerability.
CISA Adds Vulnerability to KEV Catalog
The seriousness of the flaw is underscored by its inclusion in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
The agency added CVE-2026-0257 to the list in late May and directed Federal Civilian Executive Branch (FCEB) agencies to remediate affected systems by June 1, 2026.
Inclusion in the KEV catalog indicates that the vulnerability has been confirmed as actively exploited in real-world attacks and poses a significant risk to organizations.
Recommended Actions for Organizations
Security teams running affected PAN-OS versions should take immediate action:
1. Apply Available Security Updates
Install the latest PAN-OS patches provided by Palo Alto Networks to eliminate exposure to CVE-2026-0257.
2. Review GlobalProtect Logs
Search for:
- Unexpected VPN sessions
- Gateway-connected events
- Known IoCs released by Palo Alto Networks
- PoC-related client configuration values
3. Investigate Suspicious VPN Connections
Review VPN authentication records for unusual access patterns, unfamiliar devices, or unexpected geographic locations.
4. Strengthen Monitoring
Increase monitoring of GlobalProtect gateways and internal network activity to quickly identify potential post-exploitation behavior.
5. Implement Defense-in-Depth Controls
Organizations should supplement patching efforts with:
- Multi-factor authentication (MFA)
- Network segmentation
- Continuous threat monitoring
- Endpoint detection and response (EDR) solutions
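To make the log review in step 2 concrete, the following Python script is an added example (not tooling from Palo Alto Networks or from the advisory) that runs the published IoCs and the PoC client-configuration fingerprint described earlier in this article over exported GlobalProtect log records. The IP, hostname, MAC and OS-version values are the ones listed above; the log field names (`event`, `source_ip`, `hostname`, `mac`, `endpoint_os_version`, `source_user_info.domain`) and the `gateway-connected` event label are assumptions about a JSON-lines export and should be mapped to the fields of whatever log pipeline you use. The sample log lines are constructed for illustration and are not real data.

```python
import json

# IoC values as published in the advisory quoted above, kept defanged as written.
IOC_IPS_DEFANGED = [
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119",
    "146.19.216[.]120", "146.19.216[.]125", "179.43.172[.]213",
    "185.195.232[.]139", "198.12.106[.]60", "202.144.192[.]47",
]
IOC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
IOC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
# PoC client configuration value named in the advisory.
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"
# Assumed label for a successful gateway connection in the exported log; map to your schema.
SUCCESS_EVENT = "gateway-connected"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '1.2.3[.]4' back into a matchable IP string."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def normalize_mac(mac: str) -> str:
    """Lower-case and colon-separate a MAC so 'AA-BB-CC-DD-EE-FF' matches the IoC list."""
    return mac.strip().lower().replace("-", ":")


def check_record(rec: dict) -> list:
    """Return the list of indicator matches for one parsed log record (empty list = clean)."""
    hits = []
    src = rec.get("source_ip") or ""
    if src in IOC_IPS:
        hits.append("ioc-ip:" + src)
    host = (rec.get("hostname") or "").upper()
    if host in IOC_HOSTNAMES:
        hits.append("ioc-hostname:" + host)
    mac = normalize_mac(rec.get("mac") or "")
    if mac in IOC_MACS:
        hits.append("ioc-mac:" + mac)
    # PoC fingerprint: a *successful* gateway connection whose client reports the
    # hard-coded OS string together with an empty or missing user domain.
    domain = ((rec.get("source_user_info") or {}).get("domain") or "").strip()
    if (rec.get("event") == SUCCESS_EVENT
            and rec.get("endpoint_os_version") == POC_OS_VERSION
            and domain == ""):
        hits.append("poc-fingerprint")
    return hits


def scan(lines) -> list:
    """Scan JSON-lines log text; return (line_number, hits) for every line that needs a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, ["unparseable"]))  # never silently skip a bad line
            continue
        hits = check_record(rec)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample export (not real data); the field names are assumptions.
_SAMPLE_RECORDS = [
    {"event": "gateway-connected", "source_ip": "203.0.113.10", "hostname": "CORP-LT-4471",
     "mac": "3c:52:82:10:aa:01", "endpoint_os_version": "Microsoft Windows 11 Enterprise 64-bit",
     "source_user_info": {"user": "alice", "domain": "CORP"}},
    {"event": "gateway-connected", "source_ip": "146.19.216.120", "hostname": "DESKTOP-GP01",
     "mac": "00:0c:29:4f:11:9e", "endpoint_os_version": POC_OS_VERSION,
     "source_user_info": {"user": "", "domain": ""}},
    {"event": "gateway-auth-failed", "source_ip": "185.195.232.139", "hostname": "DESKTOP-XYZ",
     "mac": "00:0c:29:4f:11:9f", "endpoint_os_version": POC_OS_VERSION,
     "source_user_info": {"user": "", "domain": ""}},
    {"event": "gateway-connected", "source_ip": "198.51.100.7", "hostname": "WS-0192",
     "mac": "AA-BB-CC-DD-EE-FF", "endpoint_os_version": POC_OS_VERSION,
     "source_user_info": {"user": "bob", "domain": None}},
    {"event": "gateway-connected", "source_ip": "198.51.100.8", "hostname": "WS-0193",
     "mac": "f4:39:09:aa:bb:cc", "endpoint_os_version": POC_OS_VERSION,
     "source_user_info": {"user": "carol", "domain": "CORP"}},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _SAMPLE_RECORDS) + "\n{not json\n"


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {', '.join(hits)}")
```

Two design points worth noting. The PoC fingerprint is only raised on a successful gateway connection, matching the advisory's guidance to look at successful connection events; a failed attempt from a listed IP (sample line 3) is still surfaced through the IP match alone. A legitimate Windows 10 Pro user with a populated domain (sample line 5) produces no hit, which is why both PoC values are required together rather than either on its own.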
Final Thoughts
The active exploitation of CVE-2026-0257 highlights the ongoing targeting of VPN infrastructure by threat actors seeking unauthorized access to enterprise networks. Although Palo Alto Networks has not yet observed widespread post-compromise activity, organizations should treat this vulnerability as a high-priority security issue and promptly investigate any indicators of compromise.
With the flaw already listed in CISA’s Known Exploited Vulnerabilities catalog, affected organizations should prioritize patching and log analysis to reduce the risk of unauthorized network access.
