Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild
Palo Alto Networks Unit 42 has issued an urgent warning about active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software.
The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized VPN connections without requiring any credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, reflecting the severity and confirmed in-the-wild exploitation activity.
Unit 42 researchers identified an unidentified threat actor actively probing GlobalProtect-enabled devices. While the attacker successfully probed a broad set of targets, only a small portion established actual VPN sessions, resulting in gateway-connected events. No post-access behavior, lateral movement, or data exfiltration has been confirmed at this time, but the window remains open.
Organizations are urged to immediately hunt for indicators of compromise (IOCs) in their GlobalProtect logs and activate incident response protocols for any successful gateway-connected events tied to the listed indicators.
Organizations should immediately review the official Palo Alto Networks security advisory, apply available workarounds, or upgrade to a patched PAN-OS version. Rapid7 has also published a technical analysis of observed exploitation activity in the wild.
Threat hunters should search GlobalProtect logs for successful login connections from the following IP addresses, particularly for activity predating the public PoC release on May 29, 2026:
IP Address Indicators
| IP Address | Context | Phase |
|---|---|---|
| 23.128.228[.]6 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 104.207.144[.]154 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]119 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]120 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]125 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 179.43.172[.]213 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 185.195.232[.]139 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 198.12.106[.]60 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 202.144.192[.]47 | Malicious source IP | Pre-PoC (before May 29, 2026) |
Host-Based Indicators
| Indicator | Type | Context |
|---|---|---|
| aa:bb:cc:dd:ee:ff | MAC Address | Suspicious device identifier in GlobalProtect logs |
| 00:11:22:33:44:55 | MAC Address | Suspicious device identifier in GlobalProtect logs |
| WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs |
| DESKTOP-GP01 | Hostname | Suspicious host ID in GlobalProtect logs |
| GP-CLIENT | Hostname | Suspicious host ID in GlobalProtect logs |
Post-PoC Hard-Coded Client Configuration Indicators
| Field | Value | Context |
|---|---|---|
| endpoint_os_version | Microsoft Windows 10 Pro 64-bit | Hard-coded in PoC exploit code |
| source_user_info.domain | (empty) | Hard-coded in PoC exploit code |
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.
Guru Baran
Go to cyber-security-news