Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild
Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild
https://cybersecuritynews.com/palo-alto-vpn-vulnerability-exploited/
Publish Date: 2026-06-15 04:04:00
Source Domain: cybersecuritynews.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
Palo Alto Networks Unit 42 has issued an urgent warning about active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software.
The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized VPN connections without requiring any credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, reflecting the severity and confirmed in-the-wild exploitation activity.
Unit 42 researchers identified an unidentified threat actor actively probing GlobalProtect-enabled devices. While the attacker successfully probed a broad set of targets, only a small portion established actual VPN sessions, resulting in gateway-connected events. No post-access behavior, lateral movement, or data exfiltration has been confirmed at this time, but the window remains open.
Organizations are urged to immediately hunt for indicators of compromise (IOCs) in their GlobalProtect logs and activate incident response protocols for any successful gateway-connected events tied to the listed indicators.
Organizations should immediately review the official Palo Alto Networks security advisory, apply available workarounds, or upgrade to a patched PAN-OS version. Rapid7 has also published a technical analysis of observed exploitation activity in the wild.
Threat hunters should search GlobalProtect logs for successful login connections from the following IP addresses, particularly for activity predating the public PoC release on May 29, 2026:
IP Address Indicators
IP AddressContextPhase23.128.228[.]6Malicious source IPPre-PoC (before May 29, 2026)104.207.144[.]154Malicious source IPPre-PoC (before May 29, 2026)146.19.216[.]119Malicious source IPPre-PoC (before May 29, 2026)146.19.216[.]120Malicious source IPPre-PoC (before May 29, 2026)146.19.216[.]125Malicious source IPPre-PoC (before May 29, 2026)179.43.172[.]213Malicious source IPPre-PoC (before May 29, 2026)185.195.232[.]139Malicious source IPPre-PoC (before May 29, 2026)198.12.106[.]60Malicious source IPPre-PoC (before May 29, 2026)202.144.192[.]47Malicious source IPPre-PoC (before May 29, 2026)
Host-Based Indicators
IndicatorTypeContextaa:bb:cc:dd:ee:ffMAC AddressSuspicious device identifier in GlobalProtect logs00:11:22:33:44:55MAC AddressSuspicious device identifier in GlobalProtect logsWINDOWS-LAPTOP-001HostnameSuspicious host ID in GlobalProtect logsDESKTOP-GP01HostnameSuspicious host ID in GlobalProtect logsGP-CLIENTHostnameSuspicious host ID in GlobalProtect logs
Post-PoC Hard-Coded Client Configuration Indicators
FieldValueContextendpoint_os_versionMicrosoft Windows 10 Pro 64-bitHard-coded in PoC exploit codesource_user_info.domain(empty)Hard-coded in PoC exploit code
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
