Palo Alto Networks’ Unit 42 threat research team has documented active exploitation of CVE-2026-0257, an authentication bypass vulnerability in the portal and gateway components of PAN-OS. An unidentified threat actor is leveraging the flaw to circumvent security controls and initiate unauthorized VPN connections through GlobalProtect.

Scope of Activity

The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026. While probing activity has been observed across a range of devices, only a small subset of those probed actually completed VPN sessions and generated gateway-connected events. Unit 42 reports no confirmed post-access behavior or lateral movement at this time, though the investigation is ongoing.

Indicators of Compromise

Organizations should search GlobalProtect logs for successful login or gateway-connected events associated with the following IP addresses, which were active prior to the public proof-of-concept (PoC) release on May 29:

  • 23.128.228[.]6
  • 104.207.144[.]154
  • 146.19.216[.]119
  • 146.19.216[.]120
  • 146.19.216[.]125
  • 179.43.172[.]213
  • 185.195.232[.]139
  • 198.12.106[.]60
  • 202.144.192[.]47

Logs should also be reviewed for gateway-connected events using any of the following suspicious host identifiers, regardless of source IP:

  • aa:bb:cc:dd:ee:ff
  • 00:11:22:33:44:55
  • WINDOWS-LAPTOP-001
  • DESKTOP-GP01
  • GP-CLIENT

Following the PoC release, defenders should additionally search for gateway-connected events matching hard-coded client configuration values present in the PoC code: an endpoint_os_version value of Microsoft Windows 10 Pro 64-bit combined with an empty source_user_info.domain field.
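The hunt described in the three indicator lists above can be run as one pass over an exported GlobalProtect log. The script below is an added example and is not code from Unit 42 or Palo Alto Networks; it assumes the log has been exported to CSV with the column names time, event_id, status, public_ip, host_id, hostname, endpoint_os_version and source_user_domain (these names are an assumption about the export format, not field names taken from the advisory), and the sample rows are constructed for illustration. It flags only successful or gateway-connected events, matches both the IP and host-identifier lists, and applies the PoC fingerprint (the Windows 10 Pro 64-bit OS string with an empty domain field) as a separate reason so it can be triaged on its own.

```python
import csv
import io


def refang(indicator: str) -> str:
    """Turn the advisory's defanged notation (e.g. 146.19.216[.]120) into a matchable IP."""
    return indicator.replace("[.]", ".")


# Source IPs and host identifiers listed in the advisory.
SUSPICIOUS_IPS = {refang(ip) for ip in (
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119", "146.19.216[.]120",
    "146.19.216[.]125", "179.43.172[.]213", "185.195.232[.]139", "198.12.106[.]60",
    "202.144.192[.]47",
)}
SUSPICIOUS_HOST_IDS = {
    "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55",
    "WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT",
}
# Hard-coded client value from the PoC, paired with an empty domain field.
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"

# Constructed sample export (assumed column layout; not real log data).
SAMPLE_LOG = """\
time,event_id,status,public_ip,host_id,hostname,endpoint_os_version,source_user_domain
2026-05-28T10:01:00Z,gateway-connected,success,203.0.113.10,11:22:33:44:55:66,FIN-LT-42,Microsoft Windows 11 Pro 64-bit,corp
2026-05-28T10:05:00Z,gateway-connected,success,146.19.216.120,aa:bb:cc:dd:ee:ff,DESKTOP-GP01,Microsoft Windows 10 Pro 64-bit,
2026-05-28T10:07:00Z,gateway-prelogin,failure,23.128.228.6,,,,
2026-05-30T08:00:00Z,gateway-connected,success,198.51.100.7,77:88:99:aa:bb:cc,MKT-LT-09,Microsoft Windows 10 Pro 64-bit,
2026-05-30T08:30:00Z,gateway-connected,success,198.51.100.8,de:ad:be:ef:00:01,GP-CLIENT,macOS 14.4,corp
"""


def in_scope(row: dict) -> bool:
    """The advisory asks for successful logins or gateway-connected events; failed probes are out of scope here."""
    return row.get("event_id") == "gateway-connected" or row.get("status") == "success"


def classify_event(row: dict) -> list[str]:
    """Return every reason this event matches the advisory's indicators (empty list if none)."""
    reasons = []
    if row.get("public_ip") in SUSPICIOUS_IPS:
        reasons.append(f"known-ip:{row['public_ip']}")
    # Host identifiers on the page mix MAC-style IDs and hostnames, so check both columns.
    for field in ("host_id", "hostname"):
        if row.get(field) in SUSPICIOUS_HOST_IDS:
            reasons.append(f"host-id:{row[field]}")
    if row.get("endpoint_os_version") == POC_OS_VERSION and row.get("source_user_domain", "") == "":
        reasons.append("poc-fingerprint")
    return reasons


def hunt(csv_text: str) -> list[dict]:
    """Scan a CSV export and return in-scope events that match at least one indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not in_scope(row):
            continue
        reasons = classify_event(row)
        if reasons:
            hits.append({"time": row["time"], "public_ip": row["public_ip"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["time"], hit["public_ip"], ", ".join(hit["reasons"]))
```

On the constructed sample this reports three events: the May 28 session from 146.19.216.120 (known IP, two listed host identifiers and the PoC fingerprint), a post-PoC session that matches only the fingerprint, and a session whose hostname is GP-CLIENT. A fingerprint-only hit deserves corroboration before escalation, since a genuine Windows 10 Pro client that is not domain-joined produces the same two field values; hits on the IP or host-identifier lists are the stronger signal and map directly to the incident response step in the recommended actions.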

Recommended Actions

Unit 42 urges organizations to take the following steps immediately:

  • Proactively hunt for the indicators listed above in GlobalProtect logs.
  • Activate incident response protocols for any confirmed gateway-connected events tied to these indicators.
  • Apply available workarounds and mitigations from the official Palo Alto Networks security advisory, or upgrade to a patched PAN-OS version.
  • Use Cortex Xpanse to identify any publicly exposed PAN-OS gateways or GlobalProtect portals in your attack surface.

Product Protections

Palo Alto Networks’ Advanced URL Filtering can flag known malicious IP addresses associated with this campaign. Cortex XDR and XSIAM provide behavioral threat protection and AI-driven analysis to help block post-exploit activity across Windows, Linux, and macOS endpoints. Rapid7 has also published independent technical analysis of observed exploitation activity in the wild.