
Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw

The Hacker News · Archived Jun 15, 2026

Ravie Lakshmanan | Jun 15, 2026 | Vulnerability / VPN Security

Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals.

The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software. According to the network security company, a bad actor could exploit the defect to bypass security controls and initiate VPN connections.

The vulnerability has been exploited in the wild in limited attacks, with initial activity observed on May 17, 2026. It's currently unknown who is behind the exploitation efforts.

"No post-access behavior or lateral movement has been identified as of this time," Palo Alto Networks said. "Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events."

The company has also released indicators of compromise (IoCs) associated with the activity:

IP addresses: 23.128.228[.]6, 104.207.144[.]154, 146.19.216[.]119, 146.19.216[.]120, 146.19.216[.]125, 179.43.172[.]213, 185.195.232[.]139, 198.12.106[.]60, 202.144.192[.]47

Host names and MAC addresses: aa:bb:cc:dd:ee:ff, 00:11:22:33:44:55, WINDOWS-LAPTOP-001, DESKTOP-GP01, GP-CLIENT

Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit:

    endpoint_os_version: Microsoft Windows 10 Pro 64-bit
    source_user_info.domain: empty

Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to mitigate the flaw by June 1, 2026.
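
The log search Palo Alto Networks recommends above, sketched as an added Python example (not code from the article or from Palo Alto Networks). It assumes GlobalProtect logs exported as JSON lines; the keys event_id, source_ip, machine_name and mac are assumed names, while endpoint_os_version, source_user_info.domain and the indicator values come from the article. The sample records are constructed.

```python
import json

# Values listed in the article; IP addresses refanged for exact matching.
IOC_IPS = {"23.128.228.6", "104.207.144.154", "146.19.216.119", "146.19.216.120",
           "146.19.216.125", "179.43.172.213", "185.195.232.139", "198.12.106.60",
           "202.144.192.47"}
IOC_HOSTS = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
IOC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
POC_OS = "Microsoft Windows 10 Pro 64-bit"

def triage(record):
    """Reasons to review one event. Keys other than the article's two fields are assumed."""
    if record.get("event_id") != "gateway-connected":
        return []  # the guidance targets successful gateway-connected events only
    info = record.get("source_user_info")  # accept nested or flattened exports
    domain = info.get("domain") if isinstance(info, dict) else record.get("source_user_info.domain")
    reasons = []
    if record.get("endpoint_os_version") == POC_OS and not domain:
        reasons.append("poc-client-profile")
    if record.get("source_ip") in IOC_IPS:
        reasons.append("ioc-ip")
    if str(record.get("machine_name", "")).upper() in IOC_HOSTS:
        reasons.append("ioc-hostname")
    if str(record.get("mac", "")).lower().replace("-", ":") in IOC_MACS:
        reasons.append("ioc-mac")
    return reasons

def hunt(lines):
    """Return [(line_no, reasons)] for every flagged event in JSON-lines log text."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        reasons = triage(record) if isinstance(record, dict) else []
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample log lines; "portal-auth" stands in for any non-gateway event.
SAMPLE = [
    '{"event_id":"gateway-connected","endpoint_os_version":"Microsoft Windows 10 Pro 64-bit","source_user_info":{"domain":""},"source_ip":"203.0.113.10","machine_name":"LAB-PC"}',
    '{"event_id":"gateway-connected","endpoint_os_version":"Microsoft Windows 11 Pro 64-bit","source_user_info":{"domain":"CORP"},"source_ip":"198.51.100.7"}',
    '{"event_id":"gateway-connected","endpoint_os_version":"Microsoft Windows 11 Pro 64-bit","source_user_info":{"domain":"CORP"},"source_ip":"146.19.216.120","machine_name":"desktop-gp01","mac":"AA-BB-CC-DD-EE-FF"}',
    '{"event_id":"portal-auth","endpoint_os_version":"Microsoft Windows 10 Pro 64-bit","source_user_info":{"domain":""},"source_ip":"203.0.113.11"}',
    'truncated {"event_id":',
]
print(hunt(SAMPLE))
```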