Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
2026-6-5 14:5:42 | Source: unit42.paloaltonetworks.com

Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. The flaw is an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS® software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections. This CVE was added to the Known Exploited Vulnerabilities (KEV) catalog on May 29.

No post-access behavior or lateral movement has been identified as of this time. Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events.

We advise organizations to proactively hunt for the indicators of the activity specified in this report and activate incident response protocols for any successful gateway-connected events linked to these indicators. Additionally, we strongly recommend reviewing the security advisory for CVE-2026-0257, following the available workarounds and mitigations or upgrading to a version that includes a fix for this issue.

For activity before the public proof-of-concept (PoC) release on May 29, 2026, search GlobalProtect logs for successful login connections from these IP addresses:

  • 23.128.228[.]6
  • 104.207.144[.]154
  • 146.19.216[.]119
  • 146.19.216[.]120
  • 146.19.216[.]125
  • 179.43.172[.]213
  • 185.195.232[.]139
  • 198.12.106[.]60
  • 202.144.192[.]47

Search GlobalProtect logs for successful gateway-connected events from any IP address using suspicious host IDs or device names, including but not limited to:

  • aa:bb:cc:dd:ee:ff
  • 00:11:22:33:44:55
  • WINDOWS-LAPTOP-001
  • DESKTOP-GP01
  • GP-CLIENT

As part of post-PoC release monitoring, search GlobalProtect logs for successful gateway-connected events matching the following hard-coded client configuration values from the PoC code.

  • endpoint_os_version : Microsoft Windows 10 Pro 64-bit
  • source_user_info.domain : empty
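To turn the hunting guidance above into a repeatable check, here is an added Python example (not code from Unit 42 or the original brief) that scans GlobalProtect-style log records for successful gateway-connected events matching the listed IP addresses, host IDs, device names and the PoC client profile. The JSON field names (event_id, status, public_ip, hostid, machinename, endpoint_os_version, source_user_domain) and the sample records are assumptions constructed for this example, not the product's schema or real telemetry.

```python
"""Hunt for CVE-2026-0257-related gateway-connected events in GlobalProtect logs.

Added example. Field names are assumptions modelled on GlobalProtect log
fields; adapt them to your log export. Sample records below are constructed.
"""
import json

# Indicators from the brief, kept defanged here and refanged for matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in [
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119",
    "146.19.216[.]120", "146.19.216[.]125", "179.43.172[.]213",
    "185.195.232[.]139", "198.12.106[.]60", "202.144.192[.]47",
]}
IOC_HOST_IDS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
IOC_MACHINE_NAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"


def classify(rec):
    """Return the reasons a successful gateway-connected event is suspicious."""
    if rec.get("event_id") != "gateway-connected" or rec.get("status") != "success":
        return []  # only successful gateway connections warrant IR escalation
    reasons = []
    if rec.get("public_ip") in IOC_IPS:
        reasons.append("ioc_ip")
    if (rec.get("hostid") or "").lower() in IOC_HOST_IDS:
        reasons.append("ioc_hostid")
    if (rec.get("machinename") or "").upper() in IOC_MACHINE_NAMES:
        reasons.append("ioc_machinename")
    # Post-PoC profile: hard-coded OS string combined with an empty user domain.
    if rec.get("endpoint_os_version") == POC_OS_VERSION and not rec.get("source_user_domain"):
        reasons.append("poc_client_profile")
    return reasons


def hunt(lines):
    """Parse JSON log lines; return (public_ip, machinename, reasons) per hit."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec.get("public_ip"), rec.get("machinename"), reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    '{"event_id": "gateway-connected", "status": "success", "public_ip": "146.19.216.120", "hostid": "AA:BB:CC:DD:EE:FF", "machinename": "DESKTOP-GP01", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_domain": ""}',
    '{"event_id": "gateway-connected", "status": "success", "public_ip": "203.0.113.7", "hostid": "0c:9d:92:11:22:33", "machinename": "CORP-LT-4471", "endpoint_os_version": "Microsoft Windows 11 Enterprise 64-bit", "source_user_domain": "corp"}',
    '{"event_id": "gateway-connected", "status": "failure", "public_ip": "23.128.228.6", "hostid": "00:11:22:33:44:55", "machinename": "GP-CLIENT", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_domain": ""}',
    '{"event_id": "gateway-connected", "status": "success", "public_ip": "198.51.100.23", "hostid": "de:ad:be:ef:00:01", "machinename": "LAPTOP-7Q2", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_domain": ""}',
]
```

The fourth sample record shows why the PoC profile check matters: it matches no listed indicator, yet the hard-coded OS string with an empty domain still flags it for review.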

We encourage organizations to consult the official Palo Alto Networks Security Advisory for additional details about the vulnerability, impacted products and configuration guidance. We also recommend reading Rapid7’s technical analysis about the exploitation activity they observed in the wild.

Palo Alto Networks Cortex Xpanse is able to identify publicly exposed PAN-OS gateways and GlobalProtect portals.

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

We will update this threat brief as more relevant information becomes available.

The products listed below can help protect PANW customers against exploits targeting CVE-2026-0257.

Palo Alto Networks Product Protections for PAN-OS CVE-2026-0257

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107
  • South Korea: +82.080.467.8774

Cloud-Delivered Security Services for the Next-Generation Firewall

Advanced URL Filtering can identify known IP addresses associated with this activity as malicious.

Cortex AgentiX

Security analysts can use natural language to prompt the Cortex AgentiX Threat Intel agent to extract file indicators from this threat brief. They can then enrich them, check for sightings in their Cortex tenant and related alerts, and provide a quick summary of the impact to the organization.

Additional Resources


Source: https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/