Palo Alto Networks Unit 42 is reporting active exploitation attempts against CVE-2026-0257, a PAN-OS vulnerability affecting GlobalProtect. The bug is an authentication bypass in the GlobalProtect portal and gateway components of vulnerable PAN-OS releases and, according to Unit 42, could allow unauthorized attackers to “circumvent security controls and initiate VPN connections.” Unit 42 observed an unidentified threat actor probing exposed devices and, in a small number of cases, successfully establishing VPN sessions (recorded as gateway-connected events in GlobalProtect logs).
Palo Alto Networks Unit 42’s observations
Unit 42’s telemetry shows active exploitation attempts aimed at GlobalProtect. While probes were numerous, the report states that “only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events.” The brief also notes that, as of the report, “no post-access behavior or lateral movement has been identified.” Unit 42 emphasizes that the actor’s motive appears focused on establishing VPN access through the authentication bypass in PAN-OS portal and gateway components.
Indicators of activity to hunt for in GlobalProtect logs
Unit 42 provides concrete search targets for defenders. For activity before the public Proof of Concept (PoC) release on May 29, 2026, look for successful login connections from these IP addresses:
- 23.128.228[.]6
- 104.207.144[.]154
- 146.19.216[.]119
- 146.19.216[.]120
- 146.19.216[.]125
- 179.43.172[.]213
- 185.195.232[.]139
- 198.12.106[.]60
- 202.144.192[.]47
Unit 42 also recommends searching for successful gateway-connected events from any IP address that carry placeholder host IDs (MAC-style values) or generic device names, including but not limited to:
- aa:bb:cc:dd:ee:ff
- 00:11:22:33:44:55
- WINDOWS-LAPTOP-001
- DESKTOP-GP01
- GP-CLIENT
For monitoring after the PoC release, the report points to two hard-coded client configuration values observed in the PoC code that defenders should match against gateway-connected events. Because both values can also describe a legitimate, non-domain-joined Windows 10 client, treat a match as a lead to corroborate against the source IP, user, and session history rather than as proof of compromise:
- endpoint_os_version : Microsoft Windows 10 Pro 64-bit
- source_user_info.domain : empty
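As an added example, not code from the Unit 42 brief or from Palo Alto Networks, the following Python hunt applies the three checks above (actor IPs, placeholder host IDs and device names, and the PoC client profile) to successful gateway-connected events. The record field names (`time`, `event_id`, `status`, `public_ip`, `hostid`, `machinename`, `endpoint_os_version`, `domain`, `srcuser`) are assumptions modeled on the brief's field labels, and the sample records are constructed; map the keys to your own GlobalProtect log export before running it against real data.

```python
"""Hunt GlobalProtect gateway-connected events for the indicators Unit 42 lists.

Added example; field names and sample records are assumptions/constructed.
"""
from datetime import date, datetime

# Indicators as published in the brief, kept defanged here and refanged at use.
KNOWN_IPS_DEFANGED = [
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119", "146.19.216[.]120",
    "146.19.216[.]125", "179.43.172[.]213", "185.195.232[.]139", "198.12.106[.]60",
    "202.144.192[.]47",
]
SUSPICIOUS_HOST_IDS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPICIOUS_DEVICE_NAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"   # hard-coded in the PoC client
POC_RELEASE = date(2026, 5, 29)                        # public PoC release date


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4') back into a comparable string."""
    return ioc.replace("[.]", ".")


KNOWN_IPS = {refang(ip) for ip in KNOWN_IPS_DEFANGED}


def hunt(records, poc_release=POC_RELEASE):
    """Return one finding per successful gateway-connected event that matches an indicator.

    Failed attempts are probes, not sessions, so they are skipped; the PoC profile
    check only applies on or after the PoC release date and is a weak signal.
    """
    findings = []
    for rec in records:
        if rec.get("event_id") != "gateway-connected" or rec.get("status") != "success":
            continue
        reasons = []
        if rec.get("public_ip") in KNOWN_IPS:
            reasons.append("source IP in Unit 42 actor list")
        if rec.get("hostid", "").lower() in SUSPICIOUS_HOST_IDS:
            reasons.append("placeholder host ID")
        if rec.get("machinename", "").upper() in SUSPICIOUS_DEVICE_NAMES:
            reasons.append("placeholder device name")
        when = datetime.fromisoformat(rec["time"]).date()
        if (when >= poc_release
                and rec.get("endpoint_os_version") == POC_OS_VERSION
                and not rec.get("domain")):
            reasons.append("matches PoC client profile (weak: corroborate before escalating)")
        if reasons:
            findings.append({"time": rec["time"], "public_ip": rec.get("public_ip"),
                             "user": rec.get("srcuser"), "reasons": reasons})
    return findings


# Constructed sample records (assumed field names). Non-actor IPs are RFC 5737 ranges.
SAMPLE_RECORDS = [
    # Session from a listed actor IP before the PoC date: hit.
    {"time": "2026-05-20T03:14:07", "event_id": "gateway-connected", "status": "success",
     "public_ip": "146.19.216.119", "hostid": "3f9c1a2e-7b44-4d1f-9e0a-52c7d8b1a6e4",
     "machinename": "FIN-LT-0427", "endpoint_os_version": "Microsoft Windows 11 Pro 64-bit",
     "domain": "corp", "srcuser": "jsmith"},
    # Failed auth from an actor IP: a probe, not a session; not reported here.
    {"time": "2026-05-21T09:40:12", "event_id": "gateway-auth", "status": "failure",
     "public_ip": "23.128.228.6", "hostid": "", "machinename": "", "endpoint_os_version": "",
     "domain": "", "srcuser": ""},
    # Unlisted IP but placeholder host ID and device name: hit on two counts.
    {"time": "2026-05-25T11:02:55", "event_id": "gateway-connected", "status": "success",
     "public_ip": "203.0.113.77", "hostid": "AA:BB:CC:DD:EE:FF", "machinename": "DESKTOP-GP01",
     "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "domain": "", "srcuser": "svc-vpn"},
    # After the PoC release, PoC client profile with empty domain: weak hit.
    {"time": "2026-06-02T22:17:30", "event_id": "gateway-connected", "status": "success",
     "public_ip": "198.51.100.9", "hostid": "c71d0b55-2e8f-4a6b-b3d2-0f4e9a17c8d3",
     "machinename": "LT-9931", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit",
     "domain": "", "srcuser": "mlee"},
    # Same profile before the PoC release: no indicator applies, not reported.
    {"time": "2026-05-10T08:05:41", "event_id": "gateway-connected", "status": "success",
     "public_ip": "198.51.100.23", "hostid": "8a2b6c4d-1e3f-4a5b-9c7d-2e1f0a9b8c7d",
     "machinename": "LT-1002", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit",
     "domain": "", "srcuser": "rkim"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f["time"], f["public_ip"], f["user"], "; ".join(f["reasons"]))
```

Any positive finding should be treated as the trigger for the incident response process the brief describes; the PoC-profile reason on its own warrants a look at the user's normal source IPs and endpoint before escalation.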
Mitigations, product protections, and advisory references
Unit 42 urges organizations to review the Palo Alto Networks Security Advisory for CVE-2026-0257, apply recommended workarounds and mitigations, or upgrade to a PAN-OS version that includes a fix. The brief also points defenders to Rapid7’s technical analysis of observed exploitation activity and notes that Palo Alto Networks Cortex Xpanse can identify publicly exposed PAN-OS gateways and GlobalProtect portals.
Specific product protections called out include Cloud-Delivered Security Services for the Next-Generation Firewall and Advanced URL Filtering, which can identify known IP addresses associated with this activity as malicious. Security analysts using Palo Alto Networks products can also use the Cortex AgentiX Threat Intel agent to extract and enrich file indicators and check for sightings in their tenants.
Unit 42 shares its findings with Cyber Threat Alliance members; the brief states CTA members “use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors.” Unit 42 also promises updates to the threat brief as more information becomes available.
How technologists, procurement leaders, and end users should respond
- Technologists and security teams: Proactively hunt GlobalProtect logs for the IPs, host IDs, and configuration markers Unit 42 lists; activate incident response protocols if any successful gateway-connected events match these indicators; and prioritize upgrades or mitigations referenced in the Palo Alto advisory.
- Procurement leaders and IT managers: Confirm whether any PAN-OS installations run vulnerable versions and schedule upgrades or implement the workarounds described in the advisory; consider using Cortex Xpanse or equivalent external attack-surface reconnaissance to identify publicly exposed GlobalProtect portals and gateways.
- End users and desktop admins: Report unexpected VPN prompts or sessions, and flag gateway-connected events tied to unfamiliar hostnames or host IDs (for example, “WINDOWS-LAPTOP-001” or “aa:bb:cc:dd:ee:ff”) to your security team for immediate investigation.
Unit 42 provides incident response contact numbers for organizations that believe they may have been compromised, including a North America toll-free line (+1 (866) 486-4842) and regional numbers for the UK, Europe and Middle East, Asia, Japan, Australia, India, and South Korea. The brief recommends that organizations consult the official Palo Alto Networks Security Advisory and Rapid7’s technical write-up for further technical detail and configuration guidance.
The report's message is simple: CVE-2026-0257 is an authentication bypass that has been actively probed in the wild, defenders have concrete log indicators to hunt for, and remediation options exist, from interim mitigations to patched PAN-OS versions. With only a small number of gateway-connected events observed so far, the immediate step for defenders is inspection rather than speculation: search logs for the listed IPs, host identifiers, and PoC configuration values; act quickly on any positive findings; and follow the advisory steps to remove the vulnerability from your environment.