Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

Palo Alto Networks Unit 42 reported active exploitation of CVE-2026-0257 against PAN-OS GlobalProtect portal and gateway components by an unidentified threat actor attempting to establish VPN connections. The advisory urges defenders to hunt for listed IP addresses, suspicious host identifiers, and PoC-related client values, while applying mitigations or upgrading to a fixed version. #CVE-2026-0257 #GlobalProtect #PAN-OS #Unit42

Keypoints

  • Unit 42 observed active exploitation of PAN-OS vulnerability CVE-2026-0257.
  • The flaw is an authentication bypass in the GlobalProtect portal and gateway components.
  • An unidentified threat actor appears to be attempting access to GlobalProtect and initiating VPN connections.
  • Only a small number of probed devices successfully established gateway-connected VPN sessions.
  • No post-access behavior or lateral movement has been identified so far.
  • The CVE was added to the Known Exploited Vulnerabilities (KEV) catalog on May 29.
  • Organizations are advised to hunt for the listed indicators, review the security advisory, and apply mitigations or upgrades.

MITRE Techniques

  • [T1133] External Remote Services – The actor attempted to access exposed GlobalProtect services to establish VPN connectivity (‘attempting to access GlobalProtect’ and ‘initiate VPN connections’).
  • [T1190] Exploit Public-Facing Application – The activity targets a public-facing PAN-OS portal/gateway flaw to gain unauthorized access (‘authentication bypass in the portal and gateway components’).

Indicators of Compromise

  • [IP addresses] IPs to search in GlobalProtect logs for successful login connections – 23.128.228[.]6, 104.207.144[.]154, and 7 more addresses
  • [Host names] Suspicious host IDs or device names associated with successful gateway-connected events – WINDOWS-LAPTOP-001, DESKTOP-GP01, and GP-CLIENT
  • [MAC addresses] Suspicious host identifiers listed for log hunting – aa:bb:cc:dd:ee:ff, 00:11:22:33:44:55
  • [Client configuration values] Hard-coded PoC client settings to match in post-PoC monitoring – endpoint_os_version: Microsoft Windows 10 Pro 64-bit, source_user_info.domain: empty
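As an added example (not code from the Unit 42 advisory or from Palo Alto Networks), the following Python script hunts for the indicators above in GlobalProtect-style log records. The key=value record layout, the field names (src, hostname, mac, os, domain, event) and the sample log lines are constructed assumptions for this example; real PAN-OS GlobalProtect logs use their own field layout, so map those fields first. Only the two IP addresses printed in this brief are included; the remaining seven are in the advisory.

```python
# Added hunt example; not code from the Unit 42 advisory. Matches GlobalProtect-
# style log records against the indicators listed in this brief. The key=value
# record layout and field names below are assumptions for the example: real
# PAN-OS GlobalProtect logs have their own layout, so map the fields first.
import ipaddress
import re
from dataclasses import dataclass

# Indicators quoted from the brief. The IPs are kept defanged as published;
# only the two addresses printed in the brief are included here.
IOC_IPS_DEFANGED = ["23.128.228[.]6", "104.207.144[.]154"]
IOC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
IOC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
# Hard-coded PoC client settings: this OS string together with an empty domain.
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"


def refang(ip: str) -> str:
    """Turn a published '1.2.3[.]4' indicator back into a parseable address."""
    return ip.replace("[.]", ".")


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in IOC_IPS_DEFANGED}

# Assumed record layout: space-separated key=value pairs, values may be quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S*)')


def parse_record(line: str) -> dict:
    """Parse one key=value log line into a dict; quoted values are unquoted."""
    rec = {}
    for key, raw, inner in _KV.findall(line):
        rec[key] = inner if raw.startswith('"') else raw
    return rec


@dataclass
class Hit:
    line_no: int
    connected: bool   # True for a gateway-connected (successful VPN) event
    reasons: list


def hunt(lines) -> list:
    """Return a Hit for every record matching one or more listed indicators."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        rec = parse_record(line)
        reasons = []
        src = rec.get("src", "")
        try:
            if src and ipaddress.ip_address(src) in IOC_IPS:
                reasons.append(f"source IP {src} is a listed indicator")
        except ValueError:
            pass  # malformed address: cannot be one of the listed IPs
        if rec.get("hostname", "").upper() in IOC_HOSTNAMES:
            reasons.append(f"host name {rec['hostname']} is a listed indicator")
        if rec.get("mac", "").lower() in IOC_MACS:
            reasons.append(f"MAC {rec['mac']} is a listed indicator")
        # Weak indicator: both PoC client values must match; either alone is common.
        if rec.get("os") == POC_OS_VERSION and rec.get("domain") == "":
            reasons.append("client settings match the hard-coded PoC values")
        if reasons:
            hits.append(Hit(line_no, rec.get("event") == "gateway-connected", reasons))
    return hits


# Constructed sample log lines (not real telemetry); addresses other than the
# listed indicators come from documentation ranges.
SAMPLE_LOG = [
    'ts=2026-06-01T10:01:02Z event=gateway-connected src=23.128.228.6 user=alice '
    'domain="" hostname=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff os="Microsoft Windows 10 Pro 64-bit"',
    'ts=2026-06-01T10:05:17Z event=portal-prelogin src=198.51.100.20 user=bob '
    'domain=CORP hostname=BOB-LAPTOP mac=10:20:30:40:50:60 os="Microsoft Windows 11 Pro 64-bit"',
    'ts=2026-06-01T10:07:44Z event=gateway-connected src=203.0.113.9 user=carol '
    'domain="" hostname=CAROL-PC mac=10:20:30:40:50:61 os="Microsoft Windows 10 Pro 64-bit"',
    'ts=2026-06-01T10:09:00Z event=gateway-connected src=192.0.2.44 user=dave '
    'domain=CORP hostname=gp-client mac=00:11:22:33:44:55 os="Apple macOS 14"',
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        flag = "CONNECTED" if hit.connected else "attempt"
        print(f"line {hit.line_no} [{flag}]: " + "; ".join(hit.reasons))
```

The PoC client-setting fingerprint (Windows 10 Pro 64-bit with an empty domain) is deliberately treated as a weak reason: in the sample it fires alone on the third record, which carries no listed IP, host name or MAC, so hits of that kind belong in a review queue next to the stronger matches and the gateway-connected flag rather than in a direct alert.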


Read more: https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/