Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Palo Alto Networks Unit 42, archived Jun 05, 2026
We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257.
Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. This security flaw involves an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS® software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections. This CVE was added to the Known Exploited Vulnerability (KEV) catalog on May 29.
No post-access behavior or lateral movement has been identified as of this time. Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events.
We advise organizations to proactively hunt for the indicators of the activity specified in this report and activate incident response protocols for any successful gateway-connected events linked to these indicators. Additionally, we strongly recommend reviewing the security advisory for CVE-2026-0257, following the available workarounds and mitigations or upgrading to a version that includes a fix for this issue.
For pre-Proof of Concept release (May 29, 2026) activity, search GlobalProtect logs for these IP addresses to find successful login connections:
23.128.228[.]6
104.207.144[.]154
146.19.216[.]119
146.19.216[.]120
146.19.216[.]125
179.43.172[.]213
185.195.232[.]139
198.12.106[.]60
202.144.192[.]47
Search GlobalProtect logs for successful gateway-connected events from any IP address using suspicious host IDs or device names, including but not limited to:
aa:bb:cc:dd:ee:ff
00:11:22:33:44:55
WINDOWS-LAPTOP-001
DESKTOP-GP01
GP-CLIENT
As part of post-PoC release monitoring, search GlobalProtect logs for successful gateway-connected events matching the following hard-coded client configuration values from the PoC code.
endpoint_os_version : Microsoft Windows 10 Pro 64-bit
source_user_info.domain : empty
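The three hunting steps above (pre-PoC IP indicators, suspicious host IDs and device names, and the post-PoC hard-coded client profile) can be run over an exported GlobalProtect log in a single pass. The following Python is an added example and is not code from Unit 42 or Palo Alto Networks. The CSV column names and the `gateway-connected` / `success` values are assumptions standing in for the real PAN-OS GlobalProtect log schema, and every sample log line is constructed. The client-profile rule is only applied to events on or after the PoC release date, as the brief scopes it, because a Windows 10 Pro client with an empty domain is otherwise a common legitimate profile.

```python
import csv
import io
from datetime import datetime

# Date of the public PoC release, as stated in the brief.
POC_RELEASE = datetime(2026, 5, 29)

# Indicators from the brief. IPs are kept in the defanged form published
# and refanged once here so they compare against raw log values.
IOC_IPS = {
    ip.replace("[.]", ".")
    for ip in (
        "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119",
        "146.19.216[.]120", "146.19.216[.]125", "179.43.172[.]213",
        "185.195.232[.]139", "198.12.106[.]60", "202.144.192[.]47",
    )
}
IOC_HOST_IDS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
IOC_MACHINE_NAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}

# Hard-coded client configuration values from the PoC, per the brief.
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"
POC_DOMAIN = ""  # source_user_info.domain is empty in the PoC

# Constructed sample export (assumed simplified column layout, not the
# exact PAN-OS GlobalProtect log schema). Public IPs other than the
# indicators are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
receive_time,event_id,status,public_ip,host_id,machine_name,endpoint_os_version,source_user_domain
2026-05-27 08:14:02,portal-prelogin,success,146.19.216.119,11:22:33:aa:bb:cc,LT-9A3F,Microsoft Windows 11 Pro 64-bit,corp
2026-05-27 08:14:09,gateway-connected,success,146.19.216.119,11:22:33:aa:bb:cc,LT-9A3F,Microsoft Windows 11 Pro 64-bit,corp
2026-05-28 21:03:44,gateway-connected,success,203.0.113.25,aa:bb:cc:dd:ee:ff,DESKTOP-GP01,Microsoft Windows 10 Pro 64-bit,
2026-05-28 22:10:11,gateway-connected,success,203.0.113.40,5c:8a:31:9f:02:11,WS-FINANCE-12,Microsoft Windows 10 Pro 64-bit,
2026-05-30 03:27:58,gateway-connected,success,198.51.100.77,8f:00:12:34:56:78,DESKTOP-Q7K2P,Microsoft Windows 10 Pro 64-bit,
2026-05-30 03:28:30,gateway-connected,failure,198.51.100.77,8f:00:12:34:56:78,DESKTOP-Q7K2P,Microsoft Windows 10 Pro 64-bit,
2026-05-30 09:00:00,gateway-connected,success,203.0.113.88,de:ad:be:ef:00:01,LT-4C21,Microsoft Windows 10 Pro 64-bit,corp
"""


def classify(row):
    """Return the list of indicator categories a single log row matches."""
    reasons = []
    if row["public_ip"] in IOC_IPS:
        reasons.append("ioc_ip")
    if row["host_id"].lower() in IOC_HOST_IDS:
        reasons.append("ioc_host_id")
    if row["machine_name"].upper() in IOC_MACHINE_NAMES:
        reasons.append("ioc_machine_name")
    # The hard-coded PoC client profile is only meaningful after the PoC
    # was published; before that it is an ordinary Windows 10 Pro client.
    ts = datetime.strptime(row["receive_time"], "%Y-%m-%d %H:%M:%S")
    if (ts >= POC_RELEASE
            and row["endpoint_os_version"] == POC_OS_VERSION
            and row["source_user_domain"] == POC_DOMAIN):
        reasons.append("poc_client_profile")
    return reasons


def hunt(csv_text):
    """Return [(row, reasons)] for successful gateway-connected events
    that match at least one indicator; other events are ignored."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only a completed VPN session matters for the incident response
        # trigger described in the brief; probes and failures are skipped.
        if row["event_id"] != "gateway-connected" or row["status"] != "success":
            continue
        reasons = classify(row)
        if reasons:
            hits.append((row, reasons))
    return hits


if __name__ == "__main__":
    for row, reasons in hunt(SAMPLE_LOG):
        print(row["receive_time"], row["public_ip"], row["machine_name"], reasons)
```

On the constructed sample this flags three sessions: the pre-PoC connection from an indicator IP, the pre-PoC connection using a listed host ID and device name, and one post-PoC connection matching the PoC client profile; the pre-PoC Windows 10 Pro client with an empty domain and the failed post-PoC attempt are not flagged. Any hit should be treated as the trigger for the incident response steps the brief describes, not as confirmation by itself.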
We encourage organizations to consult the official Palo Alto Networks Security Advisory for additional details about the vulnerability, impacted products and configuration guidance. We also recommend reading Rapid7’s technical analysis about the exploitation activity they observed in the wild.
Palo Alto Networks Cortex Xpanse is able to identify publicly exposed PAN-OS gateways and GlobalProtect portals.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
We will update this threat brief as more relevant information becomes available.
The products listed below can help protect PANW customers against exploits targeting CVE-2026-0257.
Palo Alto Networks Product Protections for PAN-OS CVE-2026-0257
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774
Cloud-Delivered Security Services for the Next-Generation Firewall
Advanced URL Filtering can identify known IP addresses associated with this activity as malicious.
Cortex AgentiX
Security analysts can use natural language to prompt the Cortex AgentiX Threat Intel agent to extract file indicators from this threat brief. They can then enrich them, check for sightings in their Cortex tenant and related alerts, and provide a quick summary of the impact to the organization.
Indicators of the Activity
IP Addresses
23.128.228[.]6
104.207.144[.]154
146.19.216[.]119
146.19.216[.]120
146.19.216[.]125
179.43.172[.]213
185.195.232[.]139
198.12.106[.]60
202.144.192[.]47
Host Names and MAC Addresses
aa:bb:cc:dd:ee:ff
00:11:22:33:44:55
WINDOWS-LAPTOP-001
DESKTOP-GP01
GP-CLIENT
Additional Resources
CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities - Palo Alto Networks
Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257) - Rapid 7
Known Exploited Vulnerabilities Catalog - U.S. Cybersecurity & Infrastructure Security Agency (CISA)