Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild
Cybersecurity NewsArchived Jun 15, 2026✓ Full text saved
Palo Alto Networks Unit 42 has issued an urgent warning about active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software. The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized VPN connections without requiring any credentials. The U.S. Cybersecurity and Infrastructure Security […] The post Palo Alto Warns of GlobalProtect VPN Vulnerability Ac
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild
By Guru Baran
June 15, 2026
Palo Alto Networks Unit 42 has issued an urgent warning about active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software.
The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized VPN connections without requiring any credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, reflecting the severity and confirmed in-the-wild exploitation activity.
Unit 42 researchers identified an unidentified threat actor actively probing GlobalProtect-enabled devices. While the attacker successfully probed a broad set of targets, only a small portion established actual VPN sessions, resulting in gateway-connected events. No post-access behavior, lateral movement, or data exfiltration has been confirmed at this time, but the window remains open.
Organizations are urged to immediately hunt for indicators of compromise (IOCs) in their GlobalProtect logs and activate incident response protocols for any successful gateway-connected events tied to the listed indicators.
Organizations should immediately review the official Palo Alto Networks security advisory, apply available workarounds, or upgrade to a patched PAN-OS version. Rapid7 has also published a technical analysis of observed exploitation activity in the wild.
Threat hunters should search GlobalProtect logs for successful login connections from the following IP addresses, particularly for activity predating the public PoC release on May 29, 2026:
IP Address Indicators
IP Address Context Phase
23.128.228[.]6 Malicious source IP Pre-PoC (before May 29, 2026)
104.207.144[.]154 Malicious source IP Pre-PoC (before May 29, 2026)
146.19.216[.]119 Malicious source IP Pre-PoC (before May 29, 2026)
146.19.216[.]120 Malicious source IP Pre-PoC (before May 29, 2026)
146.19.216[.]125 Malicious source IP Pre-PoC (before May 29, 2026)
179.43.172[.]213 Malicious source IP Pre-PoC (before May 29, 2026)
185.195.232[.]139 Malicious source IP Pre-PoC (before May 29, 2026)
198.12.106[.]60 Malicious source IP Pre-PoC (before May 29, 2026)
202.144.192[.]47 Malicious source IP Pre-PoC (before May 29, 2026)
Host-Based Indicators
Indicator Type Context
aa:bb:cc:dd:ee:ff MAC Address Suspicious device identifier in GlobalProtect logs
00:11:22:33:44:55 MAC Address Suspicious device identifier in GlobalProtect logs
WINDOWS-LAPTOP-001 Hostname Suspicious host ID in GlobalProtect logs
DESKTOP-GP01 Hostname Suspicious host ID in GlobalProtect logs
GP-CLIENT Hostname Suspicious host ID in GlobalProtect logs
Post-PoC Hard-Coded Client Configuration Indicators
Field Value Context
endpoint_os_version Microsoft Windows 10 Pro 64-bit Hard-coded in PoC exploit code
source_user_info.domain (empty) Hard-coded in PoC exploit code
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Authorities Dismantle Cryptocurrency Laundering Services ‘AudiA6’ Used by Ransomware Gangs
Microsoft Entra Agent ID Logs Reveal Suspicious Assistive Agent Activity
Anthropic Released Claude Fable 5, the First Model in Mythos Class
21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks
New China-Linked Threat Cluster OP-512 Targets IIS Servers With Cryptographically Unique Web Shell Framework
Latest News
Uncategorized
Criminal IP at Infosecurity Europe 2026: Introducing AITEM, the Next Chapter of Attack Surface Management
Cyber Security
Maine Takes Data Breach Reporting Portal Offline After Fake VRChat and Discord Filings
Chrome
152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic
AI
New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server
Cyber Security
BugHunter – Bug Bounty Toolkit Powered by Claude and Free AI Providers