Palo Alto Networks Warns of Exploitation of GlobalProtect VPN Authentication Bypass (CVE-2026-0257) in PAN-OS
“Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events.”

The company has also released indicators of compromise (IoCs) associated with the activity. Threat hunters should search GlobalProtect logs for successful login connections from the following IP addresses, particularly for activity predating the public PoC release on May 29, 2026:

IP Address Indicators

| IP Address | Context | Phase |
| --- | --- | --- |
| 23.128.228[.]6 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 104.207.144[.]154 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]119 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]120 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]125 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 179.43.172[.]213 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 185.195.232[.]139 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 198.12.106[.]60 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 202.144.192[.]47 | Malicious source IP | Pre-PoC (before May 29, 2026) |

Host-Based Indicators

| Indicator | Type | Context |
| --- | --- | --- |
| aa:bb:cc:dd:ee:ff | MAC Address | Suspicious device identifier in GlobalProtect logs |
| 00:11:22:33:44:55 | MAC Address | Suspicious device identifier in GlobalProtect logs |
| WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs |
| DESKTOP-GP01 | Hostname | Suspicious host ID in GlobalProtect logs |
| GP-CLIENT | Hostname | Suspicious host ID in GlobalProtect logs |

Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit:

Post-PoC Hard-Coded Client Configuration Indicators

| Field | Value | Context |
| --- | --- | --- |
| endpoint_os_version | Microsoft Windows 10 Pro 64-bit | Hard-coded in PoC exploit code |
| source_user_info.domain | (empty) | Hard-coded in PoC exploit code |

Late last month, the U.S.

The issue is tracked as CVE-2026-0257.
The Vulnerability
The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the GlobalProtect portal and gateway components of PAN-OS software that could be exploited by bad actors to set up unauthorized VPN connections.

Palo Alto Networks Unit 42 has issued an urgent warning after confirming active exploitation of this critical authentication bypass vulnerability, which impacts PAN-OS deployments with specific configurations.
“No post-access behavior or lateral movement has been identified as of this time,” a company spokesperson said.
Technical Details
CVE: CVE-2026-0257
From a technical standpoint, the vulnerability presents several concerns:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, reflecting the severity and confirmed in-the-wild exploitation activity, and ordered Federal Civilian Executive Branch (FCEB) agencies to mitigate the flaw by June 1, 2026.
Palo Alto Networks urges organizations to hunt for the indicators of compromise (IoCs) linked to CVE-2026-0257 exploitation and to immediately investigate any successful GlobalProtect VPN connections associated with them.
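As an added example (not code from Palo Alto Networks, Unit 42 or this article), the Python script below applies the hunting guidance to a CSV export of GlobalProtect log records. It flags successful gateway-connected events whose source IP is on the published list (marking them pre- or post-PoC against the May 29, 2026 release date), whose MAC address or hostname matches the published host indicators, or whose client fields match the hard-coded PoC configuration (endpoint_os_version of Microsoft Windows 10 Pro 64-bit with an empty source_user_info.domain). The indicator values are the ones published for this campaign; the CSV layout and the field names login_time, event_name, public_ip, machine_name, mac_address and source_user are assumptions standing in for the real GlobalProtect log schema, and the sample log lines are constructed.

```python
"""Hunt GlobalProtect log records for the CVE-2026-0257 indicators published
for this campaign.

Added example, not code from Palo Alto Networks, Unit 42 or the article.
Indicator values are the published ones; the CSV layout and the field names
login_time, event_name, public_ip, machine_name, mac_address and source_user
are assumptions standing in for the real GlobalProtect log schema.
"""
import csv
import io
from datetime import datetime

# Published source IPs, kept defanged as printed and refanged for matching.
PRE_POC_IPS = {
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119",
    "146.19.216[.]120", "146.19.216[.]125", "179.43.172[.]213",
    "185.195.232[.]139", "198.12.106[.]60", "202.144.192[.]47",
}
SUSPICIOUS_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPICIOUS_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
# Client values hard-coded in the public PoC (field names as given in the advisory).
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"
POC_RELEASE = datetime(2026, 5, 29)  # public PoC release date


def refang(ip):
    """Turn a defanged '1.2.3[.]4' indicator back into a matchable address."""
    return ip.replace("[.]", ".")


MALICIOUS_IPS = {refang(ip) for ip in PRE_POC_IPS}


def classify(record):
    """Return the reasons a log record is suspicious (empty list if none).

    Only successful gateway-connected events are considered, as the advisory
    directs; prelogin probes from the same address are not flagged here.
    """
    reasons = []
    if record["event_name"] != "gateway-connected":
        return reasons
    when = datetime.fromisoformat(record["login_time"])
    if record["public_ip"] in MALICIOUS_IPS:
        phase = "pre-PoC" if when < POC_RELEASE else "post-PoC"
        reasons.append(f"source IP on published list ({phase})")
    if record["mac_address"].lower() in SUSPICIOUS_MACS:
        reasons.append("MAC address matches published host indicator")
    if record["machine_name"].upper() in SUSPICIOUS_HOSTNAMES:
        reasons.append("hostname matches published host indicator")
    # Weak on its own: any domain-less Windows 10 Pro client also matches, so
    # treat this as a triage signal to be read together with the other hits.
    if (record["endpoint_os_version"] == POC_OS_VERSION
            and record["source_user_info.domain"] == ""):
        reasons.append("client fields match hard-coded PoC configuration")
    return reasons


def hunt(log_text):
    """Run classify() over a CSV export and return the flagged records."""
    hits = []
    for record in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(record)
        if reasons:
            hits.append({
                "login_time": record["login_time"],
                "source_user": record["source_user"],
                "public_ip": record["public_ip"],
                "reasons": reasons,
            })
    return hits


# Constructed sample export: one pre-PoC hit from a listed IP, one prelogin
# probe that must not fire, one post-PoC hit matching only host and PoC
# fields, and two ordinary domain-joined clients that must stay clean.
SAMPLE_LOG = """\
login_time,event_name,public_ip,machine_name,mac_address,endpoint_os_version,source_user_info.domain,source_user
2026-05-18T02:14:09,gateway-connected,146.19.216.120,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,Microsoft Windows 10 Pro 64-bit,,jdoe
2026-05-18T02:14:11,portal-prelogin,146.19.216.120,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,Microsoft Windows 10 Pro 64-bit,,jdoe
2026-05-30T11:03:45,gateway-connected,203.0.113.9,GP-CLIENT,00:11:22:33:44:55,Microsoft Windows 10 Pro 64-bit,,asmith
2026-05-30T12:00:00,gateway-connected,198.51.100.7,LT-FINANCE-12,3c:22:fb:10:aa:01,Microsoft Windows 11 Pro 64-bit,CORP,bwong
2026-06-02T08:30:00,gateway-connected,192.0.2.44,MAC-DESIGN-03,f0:18:98:aa:bb:cc,Mac OS 14.4,CORP,clee
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["login_time"], hit["source_user"], hit["public_ip"],
              "; ".join(hit["reasons"]))
```

Against the constructed sample the script flags the May 18 connection on every rule (listed IP in the pre-PoC window, published MAC and hostname, PoC client fields) and the May 30 connection on the host and PoC-field rules only, while skipping the prelogin probe and the two domain-joined clients. A listed source IP seen before May 29, 2026 is the strongest single signal; the hard-coded client fields alone are only a prompt to look closer, since legitimate local-account Windows 10 Pro clients produce the same values.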
Risk & Exposure
The flaw affects the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS, allowing attackers to bypass authentication and establish unauthorized VPN connections. The whole attack takes seconds against a vulnerable appliance. “The earliest date for observed exploitation was May 17, 2026.” In 8 out of 10 impacted customers, however, the appliance accepted the forged cookie without establishing a full VPN session.
Timeline
| Date | Event |
| --- | --- |
| 2026 | The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal … |
| May 17, 2026 | The vulnerability has been exploited in the wild in limited attacks, with initial activity observed on May 17, 2026. |
| June 1, 2026 | Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (K… |
| 2026 | Cybersecurity and Infrastructure Security Agency (CISA) added the flaw CVE-2026-0257 to its Known Exploited Vulnerabi… |
| May 29, 2026 | Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (K… |
Patching & Remediation
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to mitigate the flaw by June 1, 2026.
- “Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection,” reads the advisory.
- The affected configurations share two traits: Cloud Authentication Service disabled, and authentication override cookies enabled with the cookie certificate shared with the HTTPS service.
- The fix is straightforward: upgrade to a patched PAN-OS version, or, as a stopgap, either disable the authentication override feature entirely or generate a dedicated certificate used only for cookie encryption and not shared with any other service.
- The company recommends activating incident response procedures, reviewing affected systems, applying available mitigations, or upgrading to a patched PAN-OS version.
- Unit 42 researchers identified an as-yet-unidentified threat actor actively probing GlobalProtect-enabled devices.
Analysis
This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure.
Sources
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.