- Palo Alto Networks' Unit 42 has warned that threat actors are actively exploiting CVE-2026-0257, a critical authentication bypass affecting PAN-OS GlobalProtect portals and gateways.
- The flaw lets attackers establish unauthorized VPN connections without valid credentials, potentially bypassing the security controls in place.
- CISA has added the vulnerability to its Known Exploited Vulnerabilities catalogue, and experts urge organizations to review logs for indicators of compromise and patch affected systems immediately.
Palo Alto Networks issued the urgent warning after its Unit 42 threat intelligence team confirmed that attackers are actively exploiting CVE-2026-0257, a critical vulnerability in the GlobalProtect portal and gateway components of PAN-OS.
The warning is urgent because the vulnerability allows a remote attacker to bypass authentication and establish unauthorized VPN connections without valid credentials.
It comes as security teams worldwide race to assess their exposure following evidence of real-world attacks.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly added CVE-2026-0257 to its Known Exploited Vulnerabilities catalogue.
The listing underscores the severity of the issue and the need for organizations to act immediately to defend against attacks.
Unit 42 observes a threat actor targeting GlobalProtect devices
According to Palo Alto Networks, Unit 42 researchers observed an unidentified threat actor probing internet-facing devices running GlobalProtect services.
The actor attempted to exploit CVE-2026-0257 against numerous targets, but only a small percentage of the attempts resulted in successful VPN connections.
The successful attempts generated gateway events in the targeted environments, showing that the attacker had established unauthorized access through the VPN infrastructure.
The vulnerability is particularly concerning because it removes the need for attackers to obtain legitimate credentials before connecting to a target network.
Although the activity observed so far appears limited to gaining access rather than executing follow-on attacks, Unit 42 warned that organizations should not downplay the risk.
Unauthorized VPN access gives an attacker a foothold in the enterprise environment and, if it goes undetected, ample opportunity for further malicious activity.
Security teams urged to hunt for indicators of compromise
As part of its advisory, Palo Alto Networks published indicators of compromise that organizations running PAN-OS can use to identify exploitation attempts.
Unit 42 specifically urged defenders to review GlobalProtect logs for successful login activity.
Such logins would likely originate from the suspicious IP addresses the team observed during exploitation attempts before a public proof-of-concept (PoC) exploit became available on May 29, 2026.
IP address indicators
| IP Address | Context | Phase |
|---|---|---|
| 23.128.228[.]6 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 104.207.144[.]154 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]119 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]120 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]125 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 179.43.172[.]213 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 185.195.232[.]139 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 198.12.106[.]60 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 202.144.192[.]47 | Malicious source IP | Pre-PoC (before May 29, 2026) |
The researchers also shared additional indicators, including hostnames and device identifiers they deemed suspicious, which may appear in environments the threat actor has entered.
Host-based indicators
| Indicator | Type | Context |
|---|---|---|
| aa:bb:cc:dd:ee:ff | MAC address | Suspicious device identifier in GlobalProtect logs |
| 00:11:22:33:44:55 | MAC address | Suspicious device identifier in GlobalProtect logs |
| WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs |
| DESKTOP-GP01 | Hostname | Suspicious host ID in GlobalProtect logs |
| GP-CLIENT | Hostname | Suspicious host ID in GlobalProtect logs |
After the publication of a proof-of-concept (PoC) exploit, investigators also identified hard-coded configuration values in the PoC code, which they shared to help defenders distinguish malicious activity from legitimate VPN traffic.
Post-PoC hard-coded client configuration indicators
| Field | Value | Context |
|---|---|---|
| endpoint_os_version | Microsoft Windows 10 Pro 64-bit | Hard-coded in PoC exploit code |
| source_user_info.domain | (empty) | Hard-coded in PoC exploit code |
Palo Alto Networks further advised organizations to investigate any gateway events linked to the published indicators and to initiate incident response wherever unauthorized access is suspected.
The company stressed that early detection makes it far easier to prevent further exploitation.
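One way to act on these indicators, as an added example that is not part of the Unit 42 advisory or this article: the Python below checks successful GlobalProtect login records against the IP, host and post-PoC configuration indicators from the tables above, and only flags the post-PoC fingerprint when both hard-coded values are present together. The log field names (public_ip, machine_name, mac, endpoint_os_version, source_user_domain, status) and the sample events are assumptions constructed for this example; map the fields to your own log export.

```python
import ipaddress

# Indicators transcribed from the tables above (defanging brackets removed).
PRE_POC_SOURCE_IPS = {
    "23.128.228.6", "104.207.144.154", "146.19.216.119", "146.19.216.120",
    "146.19.216.125", "179.43.172.213", "185.195.232.139", "198.12.106.60",
    "202.144.192.47",
}
SUSPICIOUS_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPICIOUS_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
# Post-PoC fingerprint: OS string AND empty domain together; either alone is weak.
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"

def normalise_ip(value: str) -> str:
    """Accept defanged 1.2.3[.]4 as well as plain addresses; reject garbage."""
    return str(ipaddress.ip_address(value.replace("[.]", ".").strip()))

def triage_event(event: dict) -> list:
    """Return the reasons a login event is suspicious (empty list = no hit).
    Field names are assumed for this example, not PAN-OS log schema."""
    reasons = []
    if event.get("status") != "success":
        return reasons  # the hunt is for successful logins only
    if normalise_ip(event["public_ip"]) in PRE_POC_SOURCE_IPS:
        reasons.append("source IP in pre-PoC indicator list")
    if event.get("machine_name") in SUSPICIOUS_HOSTNAMES:
        reasons.append("hostname in host-based indicator list")
    if event.get("mac", "").lower() in SUSPICIOUS_MACS:
        reasons.append("MAC address in host-based indicator list")
    if (event.get("endpoint_os_version") == POC_OS_VERSION
            and event.get("source_user_domain", "") == ""):
        reasons.append("matches post-PoC hard-coded client configuration")
    return reasons

def hunt(events: list) -> dict:
    """Index of every suspicious successful login, mapped to its reasons."""
    return {i: r for i, e in enumerate(events) if (r := triage_event(e))}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"public_ip": "146.19.216.120", "machine_name": "DESKTOP-GP01", "mac": "AA:BB:CC:DD:EE:FF",
     "endpoint_os_version": "Microsoft Windows 11 Enterprise", "source_user_domain": "corp", "status": "success"},
    {"public_ip": "203.0.113.7", "machine_name": "LT-4471", "mac": "08:00:27:12:34:56",
     "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_domain": "", "status": "success"},
    {"public_ip": "23.128.228.6", "machine_name": "GP-CLIENT", "mac": "00:11:22:33:44:55",
     "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_domain": "", "status": "failure"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first event on three indicators and the second only on the post-PoC fingerprint; the third is a failed login and is skipped.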
No evidence of data theft yet, but patching remains critical
Although attackers have succeeded in establishing unauthorized VPN sessions in some cases, Unit 42 said it has not observed any post-access activity, lateral movement, or data transfers associated with the ongoing campaign.
However, the researchers cautioned that the absence of such activity so far should not lull affected organizations into a false sense of security.
Once attackers gain access to a network, they may remain dormant for an extended period, carry out reconnaissance as the first phase of an attack, or introduce additional malicious tools at a later stage.
The European Space Agency breach demonstrates how a cyberattack can lead to staff data being leaked on the dark web, underscoring the importance of proactive patching.
To reduce the risk of such a breach, Palo Alto Networks urges customers to review its security advisory, apply the workarounds currently available, and upgrade to patched versions of PAN-OS as quickly as possible.
Palo Alto Networks also pointed organizations to a technical analysis published by Rapid7 that provides further details on the exploitation activity observed in the wild.