{"id":231872,"date":"2026-06-15T02:17:00","date_gmt":"2026-06-15T06:17:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/15\/palo-alto-warns-of-active-exploitation-of-pan-os-globalprotect-vpn-flaw\/"},"modified":"2026-06-15T11:20:42","modified_gmt":"2026-06-15T15:20:42","slug":"palo-alto-warns-of-active-exploitation-of-pan-os-globalprotect-vpn-flaw","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/15\/palo-alto-warns-of-active-exploitation-of-pan-os-globalprotect-vpn-flaw\/","title":{"rendered":"Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw"},"content":{"rendered":"

Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/06\/palo-alto-warns-of-active-exploitation.html<\/a><\/p>\n

Publish Date: 2026-06-15 02:17:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points.
\n\ue804Ravie Lakshmanan\ue802Jun 15, 2026Vulnerability \/ VPN Security
\nPalo Alto Networks has revealed that it has observed “active exploitation” of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals.<\/p>\n

The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad actors to set up VPN connections.<\/p>\n

According to the network security company, the security defect could be exploited by a bad actor to bypass security controls and initiate VPN connections.<\/p>\n

The vulnerability has been exploited in the wild in limited attacks, with initial activity observed on May 17, 2026. It’s currently unknown who is behind the exploitation efforts.<\/p>\n

“No post-access behavior or lateral movement has been identified as of this time,” Palo Alto Networks said. “Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events.”<\/p>\n

The company has also released indicators of compromise (IoCs) associated with the activity –<\/p>\n

IP addresses –<\/p>\n

23.128.228[.]6
\n 104.207.144[.]154
\n 146.19.216[.]119
\n 146.19.216[.]120
\n 146.19.216[.]125
\n 179.43.172[.]213
\n 185.195.232[.]139
\n 198.12.106[.]60
\n 202.144.192[.]47<\/p>\n

Host Names and MAC Addresses –<\/p>\n

aa:bb:cc:dd:ee:ff
\n 00:11:22:33:44:55
\n WINDOWS-LAPTOP-001
\n DESKTOP-GP01
\n GP-CLIENT<\/p>\n

Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit –<\/p>\n

endpoint_os_version : Microsoft Windows 10 Pro 64-bit
\n source_user_info.domain : empty<\/p>\n

Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CSIA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to mitigate the flaw by June 1, 2026.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw https:\/\/thehackernews.com\/2026\/06\/palo-alto-warns-of-active-exploitation.html Publish Date: 2026-06-15…<\/p>\n","protected":false},"author":1,"featured_media":231874,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiMFIs6j0CgFzSojDqSi_UsqRzjlbYcRsrJG714Yh40TZXU4ZzlB_Do-7nbx5WGGvOS7mV3TojQLTiHbFS57BtgCo4hlF0DebzDtrSh5YzXkqNhjEI4JG97N_vpkFzeJP3V-adbSsPYRdYCQklFdweodtTJHywVHA5HiqgvYOp5eyxW0aQxKVacua9F9w3_\/s1600\/paloalto-vpn.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,29,34,27],"class_list":["post-231872","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-network-security","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231872"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=231872"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231872\/revisions"}],"predecessor-version":[{"id":231876,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231872\/revisions\/231876"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/231874"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=231872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=231872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=231872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}