Palo Alto: GlobalProtect VPN Vulnerability Actively Exploited, Unit 42 Warns
Palo Alto Networks Unit 42 has issued an urgent warning regarding the active exploitation of CVE-2026-0257. This critical authentication bypass vulnerability affects the GlobalProtect portal and gateway components of PAN-OS software.
The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized VPN connections without requiring any credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, reflecting the severity and confirmed in-the-wild exploitation activity.
Unit 42 researchers observed an as-yet-unidentified threat actor actively probing GlobalProtect-enabled devices. While the attacker probed a broad set of targets, only a small portion of those probes resulted in established VPN sessions, which appear as gateway-connected events. No post-access behavior, lateral movement, or data exfiltration has been confirmed at this time, but the window remains open.
Organizations are urged to immediately hunt for indicators of compromise (IOCs) in their GlobalProtect logs and activate incident response protocols for any successful gateway-connected events tied to the listed indicators.
Organizations should immediately review the official Palo Alto Networks security advisory, apply available workarounds, or upgrade to a patched PAN-OS version. Rapid7 has also published a technical analysis of observed exploitation activity in the wild.
Threat hunters should search GlobalProtect logs for successful login connections from the following IP addresses, particularly for activity predating the public PoC release on May 29, 2026:
IP Address Indicators
| IP Address | Context | Phase |
|---|---|---|
| 23.128.228[.]6 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 104.207.144[.]154 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]119 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]120 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]125 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 179.43.172[.]213 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 185.195.232[.]139 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 198.12.106[.]60 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 202.144.192[.]47 | Malicious source IP | Pre-PoC (before May 29, 2026) |
Host-Based Indicators
| Indicator | Type | Context |
|---|---|---|
| aa:bb:cc:dd:ee:ff | MAC Address | Suspicious device identifier in GlobalProtect logs |
| 00:11:22:33:44:55 | MAC Address | Suspicious device identifier in GlobalProtect logs |
| WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs |
| DESKTOP-GP01 | Hostname | Suspicious host ID in GlobalProtect logs |
| GP-CLIENT | Hostname | Suspicious host ID in GlobalProtect logs |
Post-PoC Hard-Coded Client Configuration Indicators
| Field | Value | Context |
|---|---|---|
| endpoint_os_version | Microsoft Windows 10 Pro 64-bit | Hard-coded in PoC exploit code |
| source_user_info.domain | (empty) | Hard-coded in PoC exploit code |
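The hunt described above (listed source IPs with emphasis on pre-PoC activity, the host-based MAC and hostname indicators, and the hard-coded PoC client configuration) can be scripted over an exported GlobalProtect log. The following is an added example, not code from Unit 42, Palo Alto Networks, Rapid7 or this article. It assumes a simple CSV export whose column names (`event_id`, `public_ip`, `machine_name`, `client_mac`, `endpoint_os_version`, `domain`, `status`) and event values (`gateway-connected`, `portal-prelogin`) are placeholders; the sample log is constructed, and only the indicator values and the May 29, 2026 PoC date come from the article.

```python
"""Hunt an exported GlobalProtect log for the indicators listed in the article.

The export format (CSV with the header below) and its column names are an
assumption for this example; map them onto your own log schema before use.
"""
import csv
import io
from datetime import datetime, timezone

# Indicators exactly as published (defanged with [.]); the defanging is undone here.
DEFANGED_IPS = [
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119", "146.19.216[.]120",
    "146.19.216[.]125", "179.43.172[.]213", "185.195.232[.]139", "198.12.106[.]60",
    "202.144.192[.]47",
]
PRE_POC_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IPS}
SUSPICIOUS_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPICIOUS_HOSTS = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}

# Hard-coded client configuration values from the public PoC.
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"
POC_DOMAIN = ""  # source_user_info.domain is empty in the PoC

# Public PoC release date; hits before it point at the pre-PoC actor.
POC_RELEASE = datetime(2026, 5, 29, tzinfo=timezone.utc)

# Constructed sample export (not real data); column names are assumed.
SAMPLE_LOG = """\
time,event_id,public_ip,machine_name,client_mac,endpoint_os_version,domain,status
2026-05-27T03:14:09Z,gateway-connected,146.19.216.119,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,Microsoft Windows 10 Enterprise 64-bit,,success
2026-05-27T03:15:40Z,portal-prelogin,198.12.106.60,,,,,success
2026-05-28T11:02:55Z,gateway-connected,203.0.113.10,ALICE-LAPTOP,02:42:ac:11:00:02,Microsoft Windows 11 Enterprise 64-bit,CORP,success
2026-05-30T08:45:12Z,gateway-connected,198.51.100.77,GP-CLIENT,02:42:ac:11:00:09,Microsoft Windows 10 Pro 64-bit,,success
2026-05-30T09:00:01Z,portal-prelogin,146.19.216.125,BOB-PC,02:42:ac:11:00:0a,Microsoft Windows 11 Pro 64-bit,CORP,success
"""


def parse_export(text):
    """Parse the CSV export into dicts, converting the timestamp to a UTC datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        rows.append(row)
    return rows


def match_indicators(row):
    """Return the list of indicator categories one record matches (empty if clean)."""
    reasons = []
    if row["public_ip"] in PRE_POC_IPS:
        reasons.append("listed-source-ip")
    if row["client_mac"].lower() in SUSPICIOUS_MACS:
        reasons.append("listed-mac")
    if row["machine_name"].upper() in SUSPICIOUS_HOSTS:
        reasons.append("listed-hostname")
    # Require both hard-coded PoC values together: either one alone is common
    # enough in legitimate client traffic to be noise.
    if row["endpoint_os_version"] == POC_OS_VERSION and row["domain"] == POC_DOMAIN:
        reasons.append("poc-client-config")
    return reasons


def hunt(rows):
    """Flag every record matching an indicator and decide the follow-up action.

    A successful gateway-connected event tied to a listed indicator is the
    article's trigger for incident response; anything else is flagged for review.
    """
    findings = []
    for row in rows:
        reasons = match_indicators(row)
        if not reasons:
            continue
        connected = row["event_id"] == "gateway-connected" and row["status"] == "success"
        findings.append({
            "time": row["time"].isoformat(),
            "public_ip": row["public_ip"],
            "reasons": reasons,
            "pre_poc": row["time"] < POC_RELEASE,
            "gateway_connected": connected,
            "action": "incident-response" if connected else "review",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_export(SAMPLE_LOG)):
        phase = "pre-PoC" if f["pre_poc"] else "post-PoC"
        print(f'{f["time"]} {f["public_ip"]:<16} {phase:<8} {f["action"]:<17} {",".join(f["reasons"])}')
```

Matching on the source IP alone is enough to raise a finding, but the action only escalates when the record is a successful gateway connection, which mirrors the article's distinction between broad probing and the small number of sessions that actually connected. Lower the hostname and MAC checks to case-insensitive comparisons as shown, since the field casing in exports varies between firmware versions.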
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.