"active exploitation" — that is how Palo Alto Networks described attempts to weaponize a recently disclosed PAN-OS vulnerability against GlobalProtect VPN portals, activity the company first observed on May 17, 2026.
CVE-2026-0257: the vulnerability and immediate risk
Palo Alto Networks has identified CVE-2026-0257 (CVSS score: 7.8) as an authentication bypass vulnerability affecting the portal and gateway components of PAN-OS. According to the vendor, the flaw could be used by a bad actor to bypass security controls and initiate VPN connections, effectively allowing unauthorized parties to set up VPN sessions through GlobalProtect portals and gateways.
Observed exploitation, scope, and timing
Palo Alto Networks reported limited in-the-wild exploitation, with initial activity observed on May 17, 2026. The company said it has seen an unknown threat actor probe devices and in a subset of cases establish VPN sessions; "Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events." The identity of the actor behind the activity remains unknown, and Palo Alto Networks added that "No post-access behavior or lateral movement has been identified as of this time."
Indicators of Compromise released by Palo Alto Networks
To help defenders detect and investigate potential abuse, Palo Alto Networks published a set of indicators of compromise (IoCs) tied to the observed activity. The published IP addresses include:
- 23.128.228[.]6
- 104.207.144[.]154
- 146.19.216[.]119
- 146.19.216[.]120
- 146.19.216[.]125
- 179.43.172[.]213
- 185.195.232[.]139
- 198.12.106[.]60
- 202.144.192[.]47
Associated host names and MAC addresses released by the company are:
- aa:bb:cc:dd:ee:ff
- 00:11:22:33:44:55
- WINDOWS-LAPTOP-001
- DESKTOP-GP01
- GP-CLIENT
Palo Alto's forensic signposts: what to search for in logs
Palo Alto Networks is urging customers to review GlobalProtect logs for successful gateway-connected events that match client configuration values used in a proof-of-concept exploit. The two hard-coded values the vendor flagged are:
- endpoint_os_version : Microsoft Windows 10 Pro 64-bit
- source_user_info.domain : empty
That search guidance is intended to help teams isolate gateway-connected events that may have resulted from attempts to exploit CVE-2026-0257.
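One way to operationalize both the IoC list above and the two hard-coded client values, written as an added example that is not Palo Alto Networks' code or part of the original report: it assumes a constructed record schema (event_id, public_ip, machine_name, client_mac, endpoint_os_version, source_user_info.domain) rather than the real PAN-OS GlobalProtect log format, and runs over constructed sample records. The PoC-profile check is only applied to gateway-connected events, while the IP, hostname and MAC checks apply to any record, since a probe that never reached the gateway-connected stage still matters for scoping.

```python
"""Triage constructed GlobalProtect-style log records against the published IoCs
and the two hard-coded PoC client values. Record schema is constructed for this
example and is not PAN-OS's own GlobalProtect log format."""
import ipaddress
import re

# IoCs as published (defanged form, from the advisory summary above).
IOC_IPS_DEFANGED = [
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119", "146.19.216[.]120",
    "146.19.216[.]125", "179.43.172[.]213", "185.195.232[.]139", "198.12.106[.]60",
    "202.144.192[.]47",
]
IOC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
IOC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}

# Hard-coded value from the proof-of-concept client profile (from the advisory).
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a parseable address."""
    return ioc.replace("[.]", ".")


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in IOC_IPS_DEFANGED}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so AA-BB-CC-DD-EE-FF and aa:bb:... compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        return mac.lower()  # not a MAC; leave as-is so it simply fails to match
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def triage_event(rec: dict) -> list[str]:
    """Return the reasons one record deserves review (empty list = nothing matched).

    Assumed record keys (constructed): event_id, public_ip, machine_name,
    client_mac, endpoint_os_version, source_user_info (dict with 'domain').
    """
    reasons = []
    # 1. PoC client profile: gateway-connected + hard-coded OS string + empty domain.
    #    Legitimate Windows 10 Pro local-account users also match, so this is a
    #    triage filter, not a verdict on its own.
    domain = (rec.get("source_user_info") or {}).get("domain")
    if (rec.get("event_id") == "gateway-connected"
            and rec.get("endpoint_os_version") == POC_OS_VERSION
            and not domain):
        reasons.append("poc_client_profile")
    # 2. Published network and host indicators, independent of event type.
    try:
        if ipaddress.ip_address(rec.get("public_ip", "")) in IOC_IPS:
            reasons.append("ioc_ip")
    except ValueError:
        pass  # missing or malformed address: nothing to match against
    if rec.get("machine_name", "").upper() in IOC_HOSTNAMES:
        reasons.append("ioc_hostname")
    if normalize_mac(rec.get("client_mac", "")) in IOC_MACS:
        reasons.append("ioc_mac")
    return reasons


def triage(records: list[dict]) -> dict[str, list[str]]:
    """Map record id -> reasons for every record that matched at least one check."""
    return {r["id"]: hits for r in records if (hits := triage_event(r))}


# Constructed sample records (not real log data). r1 matches everything; r2 is a
# domain-joined Windows 10 Pro user (should not fire); r3 is a portal probe from
# a listed IP with no gateway session; r4 is an unrelated macOS session.
SAMPLE_RECORDS = [
    {"id": "r1", "event_id": "gateway-connected", "public_ip": "146.19.216.120",
     "machine_name": "DESKTOP-GP01", "client_mac": "AA-BB-CC-DD-EE-FF",
     "endpoint_os_version": POC_OS_VERSION, "source_user_info": {"domain": ""}},
    {"id": "r2", "event_id": "gateway-connected", "public_ip": "203.0.113.25",
     "machine_name": "FIN-LT-0042", "client_mac": "0c:9d:92:11:22:33",
     "endpoint_os_version": POC_OS_VERSION, "source_user_info": {"domain": "corp"}},
    {"id": "r3", "event_id": "portal-prelogin", "public_ip": "23.128.228.6",
     "machine_name": "", "client_mac": "", "endpoint_os_version": "",
     "source_user_info": {}},
    {"id": "r4", "event_id": "gateway-connected", "public_ip": "198.51.100.7",
     "machine_name": "OPS-MAC-12", "client_mac": "3c:22:fb:aa:bb:cc",
     "endpoint_os_version": "Apple Mac OS X 14.4", "source_user_info": {"domain": "corp"}},
]

if __name__ == "__main__":
    for rec_id, reasons in triage(SAMPLE_RECORDS).items():
        print(rec_id, ",".join(reasons))
```

A record that fires only on poc_client_profile should be reviewed alongside its source address and connection time before being escalated; a record that fires on an IoC address without a gateway-connected event is still worth keeping, because it shows the device was probed even if no session resulted.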
Federal response: KEV listing and mitigation deadline
Late last month the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog. CISA ordered Federal Civilian Executive Branch (FCEB) agencies to mitigate the flaw by June 1, 2026.
The reported facts are narrow but concrete: a medium-high severity authentication bypass in PAN-OS has been probed and, in limited cases, used to create VPN sessions; Palo Alto Networks has provided IoCs and log search indicators; and a U.S. agency has required federal mitigation. The crucial unknowns remain the identity and intent of the threat actor and whether additional post-access activity will surface.
For the original report, see Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw.