Palo Alto Warns of Active Exploitation

Overview

Palo Alto Networks has confirmed active exploitation of a recently disclosed PAN‑OS vulnerability — CVE‑2026‑0257 — that allows unauthorized access to GlobalProtect VPN portals. The flaw, rated CVSS 7.8, is an authentication bypass affecting the portal and gateway components of PAN‑OS. Attackers can leverage it to initiate VPN connections without valid credentials, bypassing security controls entirely.

Vulnerability Details

Attribute                    | Description
-----------------------------|----------------------------------
CVE ID                       | CVE‑2026‑0257
Severity                     | CVSS 7.8 – High
Type                         | Authentication Bypass
Affected Components          | GlobalProtect Portal and Gateway
First Observed Exploitation  | May 17, 2026
Threat Actor                 | Unknown (under investigation)

The vulnerability permits attackers to set up unauthorized VPN sessions and gain gateway‑level access. While the scope of exploitation remains limited, the activity marks a serious risk for organizations running unpatched PAN‑OS instances.

Exploitation Activity

Palo Alto Networks observed probing and connection attempts against GlobalProtect portals beginning mid‑May. Only a small portion of devices established VPN sessions, and no lateral movement or post‑access behavior has been detected so far.

“Only a small portion of the probed devices actually established VPN sessions, resulting in gateway‑connected events,” the company noted.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE‑2026‑0257 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to mitigate the flaw by June 1, 2026.

Indicators of Compromise (IoCs)

Organizations should review GlobalProtect logs for gateway‑connected events matching the following hard‑coded client configuration values from a PoC exploit:

Parameter                | Value
-------------------------|----------------------------------
endpoint_os_version      | Microsoft Windows 10 Pro 64‑bit
source_user_info.domain  | (empty)

Suspicious IP Addresses: 23.128.228[.]6  |  104.207.144[.]154  |  146.19.216[.]119  |  146.19.216[.]120  |  146.19.216[.]125  |  179.43.172[.]213  |  185.195.232[.]139  |  198.12.106[.]60  |  202.144.192[.]47

Host Names / MAC Addresses: WINDOWS‑LAPTOP‑001, DESKTOP‑GP01, GP‑CLIENT, aa:bb:cc:dd:ee:ff, 00:11:22:33:44:55

(Indicators are defanged to prevent accidental resolution. Re‑fang only within controlled threat intelligence platforms.)
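The log review described above (and the "Audit VPN Logs" step under Mitigation) can be scripted. The following is an added example, not code from Palo Alto Networks or the advisory: it scans JSON-per-line GlobalProtect events and reports which of the page's indicators each gateway-connected event matches. The field names eventid, public_ip and srcuser and the JSON layout are assumptions; endpoint_os_version, source_user_info.domain and the IP list come from the page, and the sample log is constructed.

```python
import json

# PoC client value named on the page (ASCII hyphen; the advisory text renders
# it with a non-breaking hyphen, so normalise before comparing).
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"

# Defanged addresses from the advisory, refanged in memory only for matching.
DEFANGED_IPS = [
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119",
    "146.19.216[.]120", "146.19.216[.]125", "179.43.172[.]213",
    "185.195.232[.]139", "198.12.106[.]60", "202.144.192[.]47",
]
SUSPICIOUS_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IPS}

def normalise(value):
    """Map the U+2011 non-breaking hyphen to '-' so both renderings compare equal."""
    return (value or "").replace("\u2011", "-").strip()

def triage_event(event):
    """Return the reasons one gateway-connected event resembles the PoC."""
    reasons = []
    if event.get("eventid") != "gateway-connected":
        return reasons  # only established sessions are in scope here
    if normalise(event.get("endpoint_os_version")) == POC_OS_VERSION:
        reasons.append("endpoint_os_version matches PoC value")
    if not normalise((event.get("source_user_info") or {}).get("domain")):
        reasons.append("source_user_info.domain is empty")  # weak on its own
    if event.get("public_ip") in SUSPICIOUS_IPS:
        reasons.append("public_ip is on the advisory IoC list")
    return reasons

def triage_log(lines):
    """Return [(event, reasons)] for the JSON-per-line events needing review."""
    hits = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            reasons = triage_event(event)
            if reasons:
                hits.append((event, reasons))
    return hits

# Constructed sample in an assumed JSON-per-line layout (not the real PAN-OS
# export format); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """
{"eventid": "gateway-connected", "public_ip": "23.128.228.6", "srcuser": "jdoe", "endpoint_os_version": "Microsoft Windows 10 Pro 64\u2011bit", "source_user_info": {"domain": ""}}
{"eventid": "gateway-connected", "public_ip": "203.0.113.10", "srcuser": "asmith", "endpoint_os_version": "Microsoft Windows 11 Pro 64-bit", "source_user_info": {"domain": "corp"}}
{"eventid": "portal-auth", "public_ip": "198.51.100.7", "srcuser": "bkim", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"domain": ""}}
{"eventid": "gateway-connected", "public_ip": "198.51.100.7", "srcuser": "bkim", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"domain": "corp"}}
"""
```

An event that matches all three indicators deserves immediate review; an empty domain alone is a weak signal and should be weighed against the other two.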

Mitigation and Recommendations

Palo Alto Networks has released patches for all affected PAN‑OS versions. Administrators should act immediately:

  • Update PAN‑OS → Apply the latest security update to GlobalProtect portals and gateways.
  • Audit VPN Logs → Search for unauthorized gateway‑connected events matching PoC values.
  • Restrict Access → Limit portal exposure to trusted IP ranges only.
  • Enable Multi‑Factor Authentication → Add MFA for all VPN users to reduce credential abuse.
  • Monitor for Anomalies → Watch for unexpected VPN sessions or configuration changes.

Expert in the Cloud Insight

This incident underscores a critical truth in VPN security: authentication bypass flaws turn trusted gateways into attack vectors. Even limited exploitation can grant attackers a foothold inside corporate networks.

For security leaders, the lesson is clear — patch VPN infrastructure as aggressively as you patch firewalls. GlobalProtect is often the first line of defense for remote access; when its authentication layer fails, the entire network is exposed.
