{"id":13616,"date":"2026-06-15T10:03:39","date_gmt":"2026-06-15T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/15\/palo-alto-warns-of-globalprotect-vpn-vulnerability-actively-exploited-in-the-wild\/"},"modified":"2026-06-15T10:03:39","modified_gmt":"2026-06-15T10:03:39","slug":"palo-alto-warns-of-globalprotect-vpn-vulnerability-actively-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/15\/palo-alto-warns-of-globalprotect-vpn-vulnerability-actively-exploited-in-the-wild\/","title":{"rendered":"Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild"},"content":{"rendered":"<p>Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild<\/p>\n<div>\n<p class=\"wp-block-paragraph\">Palo Alto Networks Unit 42 has issued an urgent warning about <a href=\"https:\/\/cybersecuritynews.com\/palo-alto-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">active exploitation of CVE-2026-0257<\/a>, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software.<\/p>\n<p class=\"wp-block-paragraph\">The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized VPN connections without requiring any credentials.<\/p>\n<p class=\"wp-block-paragraph\">The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) added <a href=\"https:\/\/cybersecuritynews.com\/cisa-palo-alto-networks-pan-os-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV)<\/a> catalog on May 29, 2026, reflecting the severity and confirmed in-the-wild exploitation activity.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/active-exploitation-of-pan-os-cve-2026-0257\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Unit 42 researchers identified<\/a> an unidentified threat actor actively probing GlobalProtect-enabled devices. While the attacker successfully probed a broad set of targets, only a small portion established actual VPN sessions, resulting in gateway-connected events. No post-access behavior, lateral movement, or data exfiltration has been confirmed at this time, but the window remains open.<\/p>\n<p class=\"wp-block-paragraph\">Organizations are urged to immediately hunt for indicators of compromise (IOCs) in their GlobalProtect logs and activate incident response protocols for any successful gateway-connected events tied to the listed indicators.<\/p>\n<p class=\"wp-block-paragraph\">Organizations should immediately review the <a href=\"https:\/\/security.paloaltonetworks.com\/CVE-2026-0257\" target=\"_blank\" rel=\"noreferrer noopener\">official Palo Alto Networks security advisory<\/a>, apply available workarounds, or upgrade to a patched PAN-OS version. 
<a href=\"https:\/\/www.rapid7.com\/blog\/post\/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Rapid7 has also published a technical analysis<\/a> of observed exploitation activity in the wild.<\/p>\n<p class=\"wp-block-paragraph\">Threat hunters should search GlobalProtect logs for successful login connections from the following IP addresses, particularly for activity predating the public PoC release on May 29, 2026:<\/p>\n<h3 class=\"wp-block-heading\"><strong>IP Address Indicators<\/strong><\/h3>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">IP Address<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Context<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Phase<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>23.128.228[.]6<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 2026)<\/td>\n<\/tr>\n<tr>\n<td>104.207.144[.]154<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 2026)<\/td>\n<\/tr>\n<tr>\n<td>146.19.216[.]119<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 2026)<\/td>\n<\/tr>\n<tr>\n<td>146.19.216[.]120<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 2026)<\/td>\n<\/tr>\n<tr>\n<td>146.19.216[.]125<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 2026)<\/td>\n<\/tr>\n<tr>\n<td>179.43.172[.]213<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 2026)<\/td>\n<\/tr>\n<tr>\n<td>185.195.232[.]139<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 2026)<\/td>\n<\/tr>\n<tr>\n<td>198.12.106[.]60<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 2026)<\/td>\n<\/tr>\n<tr>\n<td>202.144.192[.]47<\/td>\n<td>Malicious source IP<\/td>\n<td>Pre-PoC (before May 29, 
2026)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\"><strong>Host-Based Indicators<\/strong><\/h3>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Context<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>aa:bb:cc:dd:ee:ff<\/td>\n<td>MAC Address<\/td>\n<td>Suspicious device identifier in GlobalProtect logs<\/td>\n<\/tr>\n<tr>\n<td>00:11:22:33:44:55<\/td>\n<td>MAC Address<\/td>\n<td>Suspicious device identifier in GlobalProtect logs<\/td>\n<\/tr>\n<tr>\n<td>WINDOWS-LAPTOP-001<\/td>\n<td>Hostname<\/td>\n<td>Suspicious host ID in GlobalProtect logs<\/td>\n<\/tr>\n<tr>\n<td>DESKTOP-GP01<\/td>\n<td>Hostname<\/td>\n<td>Suspicious host ID in GlobalProtect logs<\/td>\n<\/tr>\n<tr>\n<td>GP-CLIENT<\/td>\n<td>Hostname<\/td>\n<td>Suspicious host ID in GlobalProtect logs<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\"><strong>Post-PoC Hard-Coded Client Configuration Indicators<\/strong><\/h3>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Field<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Value<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Context<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>endpoint_os_version<\/td>\n<td>Microsoft Windows 10 Pro 64-bit<\/td>\n<td>Hard-coded in PoC exploit code<\/td>\n<\/tr>\n<tr>\n<td>source_user_info.domain<\/td>\n<td>(empty)<\/td>\n<td>Hard-coded in PoC exploit code<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/palo-alto-vpn-vulnerability-exploited\/\">Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/palo-alto-vpn-vulnerability-exploited\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild Palo Alto Networks Unit 42 has issued an urgent warning about active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software. 
The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-13616","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13616"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13616"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13616\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}