Industry News & Leadership, Jun 15, 2026

Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild

Cybersecurity News, archived Jun 15, 2026

By Guru Baran, June 15, 2026

Palo Alto Networks Unit 42 has issued an urgent warning about active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software. The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized VPN connections without any credentials.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, reflecting the severity and confirmed in-the-wild exploitation activity.

Unit 42 researchers observed an unidentified threat actor actively probing GlobalProtect-enabled devices. The attacker successfully probed a broad set of targets, but only a small portion established actual VPN sessions, resulting in gateway-connected events. No post-access behavior, lateral movement, or data exfiltration has been confirmed at this time, but the window remains open.

Organizations are urged to immediately hunt for indicators of compromise (IOCs) in their GlobalProtect logs and activate incident response protocols for any successful gateway-connected events tied to the listed indicators. They should also review the official Palo Alto Networks security advisory and either apply the available workarounds or upgrade to a patched PAN-OS version. Rapid7 has also published a technical analysis of observed exploitation activity in the wild.
Threat hunters should search GlobalProtect logs for successful login connections from the following IP addresses, particularly for activity predating the public PoC release on May 29, 2026:

Host-Based Indicators

Indicator | Type | Context
aa:bb:cc:dd:ee:ff | MAC Address | Suspicious device identifier in GlobalProtect logs
00:11:22:33:44:55 | MAC Address | Suspicious device identifier in GlobalProtect logs
WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs
DESKTOP-GP01 | Hostname | Suspicious host ID in GlobalProtect logs
GP-CLIENT | Hostname | Suspicious host ID in GlobalProtect logs

Post-PoC Hard-Coded Client Configuration Indicators

Field | Value | Context
endpoint_os_version | Microsoft Windows 10 Pro 64-bit | Hard-coded in PoC exploit code
source_user_info.domain | (empty) | Hard-coded in PoC exploit code
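One way to run the hunt described above over exported GlobalProtect log records, as an added example (not code from Palo Alto Networks, Unit 42 or the original article). It assumes the records are already parsed into dictionaries; the field names `id`, `day`, `event`, `status`, `src_ip`, `hostname` and `mac` are hypothetical, and the watchlist and sample records are constructed with documentation-range addresses.

```python
from datetime import date

# Indicator values copied from the article; everything else here is an assumption.
SUSPECT_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPECT_HOSTS = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
POC_OS = "Microsoft Windows 10 Pro 64-bit"
POC_RELEASE = date(2026, 5, 29)

def indicators(rec, ip_watchlist):
    """Return the names of the article's indicators that one record matches."""
    hits = []
    if rec.get("src_ip") in ip_watchlist:
        phase = "pre-PoC" if rec["day"] < POC_RELEASE else "post-PoC"
        hits.append(f"watchlisted source IP ({phase})")
    if (rec.get("mac") or "").lower() in SUSPECT_MACS:
        hits.append("suspicious MAC")
    if (rec.get("hostname") or "").upper() in SUSPECT_HOSTS:
        hits.append("suspicious hostname")
    # The OS string alone is a common legitimate value, so require the empty domain too.
    if rec.get("endpoint_os_version") == POC_OS and not rec.get("source_user_info.domain"):
        hits.append("PoC client configuration")
    return hits

def hunt(records, ip_watchlist):
    """Label matching records: 'respond' if a VPN session was established, else 'review'."""
    findings = []
    for rec in records:
        hits = indicators(rec, ip_watchlist)
        if not hits:
            continue
        connected = rec.get("event") == "gateway-connected" and rec.get("status") == "success"
        findings.append((rec["id"], "respond" if connected else "review", hits))
    return findings

# Constructed sample data (hypothetical field names, documentation-range IPs).
WATCHLIST = {"192.0.2.10"}
SAMPLE = [
    {"id": 1, "day": date(2026, 5, 20), "event": "gateway-connected", "status": "success",
     "src_ip": "192.0.2.10", "hostname": "desktop-gp01", "mac": "AA:BB:CC:DD:EE:FF"},
    {"id": 2, "day": date(2026, 6, 2), "event": "portal-auth", "status": "success",
     "src_ip": "198.51.100.7", "endpoint_os_version": POC_OS, "source_user_info.domain": ""},
    {"id": 3, "day": date(2026, 6, 3), "event": "gateway-connected", "status": "success",
     "src_ip": "203.0.113.5", "hostname": "FIN-LT-042",
     "endpoint_os_version": POC_OS, "source_user_info.domain": "CORP"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE, WATCHLIST):
        print(finding)
```

Records labelled `respond` are the successful gateway-connected events tied to an indicator, which the article says warrant incident response; `review` records matched an indicator without an established session.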