Palo Alto Networks Reports Active Exploitation of PAN-OS VPN Vulnerability

Palo Alto Networks has identified active exploitation of a recently disclosed vulnerability in its PAN-OS software, specifically targeting the GlobalProtect VPN feature. The flaw, designated CVE-2026-0257 with a CVSS score of 7.8, allows an attacker to bypass the authentication mechanisms of the GlobalProtect portal and gateway components and potentially establish unauthorized VPN connections.

The company observed initial exploitation activity beginning on May 17, 2026. While the identity of the threat actors remains unknown, the attacks have been limited in scope. Notably, VPN sessions were successfully established on only a small fraction of the targeted devices, and there has been no evidence of further malicious actions or lateral movement within affected networks.

To assist organizations in identifying potential compromises, Palo Alto Networks has released specific indicators of compromise (IoCs), including a list of IP addresses associated with the exploit attempts.

Additionally, the company has identified specific hostnames and MAC addresses linked to the exploit:

  • aa:bb:cc:dd:ee:ff
  • 00:11:22:33:44:55
  • WINDOWS-LAPTOP-001
  • DESKTOP-GP01
  • GP-CLIENT

Organizations are advised to scrutinize their GlobalProtect logs for successful gateway connections that match these IoCs. Particular attention should be given to client configurations exhibiting the following characteristics:

  • Operating System Version: Microsoft Windows 10 Pro 64-bit
  • Source User Information Domain: Empty
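
As an added example (not from the advisory or from Palo Alto Networks), the following Python script applies this review to a constructed CSV export of GlobalProtect gateway logs. The column names, the event and status values, and the IP set are assumptions that must be mapped onto the real log schema and the published IP list; the hostnames and MAC addresses are the ones quoted above.

```python
import csv
import io

# Hostnames and MAC addresses are the ones quoted in the advisory above; the IP
# set is a constructed placeholder (RFC 5737 range), not the advisory's list.
IOC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
IOC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
IOC_IPS = {"203.0.113.10"}  # placeholder
SUSPICIOUS_OS = "Microsoft Windows 10 Pro 64-bit"

# Constructed sample export; column names are assumptions, not PAN-OS field names.
SAMPLE_LOG = """\
time,event,status,srcuser,srcuser_domain,machinename,client_mac,public_ip,client_os
2026-05-18T02:11:09Z,gateway-connected,success,jdoe,corp,JDOE-LT,3c:52:82:aa:01:02,198.51.100.7,Microsoft Windows 11 Pro 64-bit
2026-05-18T02:14:33Z,gateway-connected,success,svc,,DESKTOP-GP01,00:11:22:33:44:55,203.0.113.10,Microsoft Windows 10 Pro 64-bit
2026-05-18T02:15:01Z,gateway-connected,failure,,,GP-CLIENT,aa:bb:cc:dd:ee:ff,203.0.113.10,Microsoft Windows 10 Pro 64-bit
2026-05-18T02:20:45Z,gateway-connected,success,asmith,,ASMITH-PC,3c:52:82:aa:01:03,198.51.100.9,Microsoft Windows 10 Pro 64-bit
"""

def classify(row):
    """Return triage reasons for one row; an empty list means nothing to look at."""
    # Failed attempts never produced a session, so only successful gateway
    # connections are considered, as the advisory recommends.
    if row["event"] != "gateway-connected" or row["status"] != "success":
        return []
    reasons = []
    if row["public_ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    if row["machinename"].upper() in IOC_HOSTNAMES:
        reasons.append("ioc-hostname")
    if row["client_mac"].lower() in IOC_MACS:
        reasons.append("ioc-mac")
    # Weaker signal: the client profile the advisory says to pay attention to.
    if row["client_os"] == SUSPICIOUS_OS and row["srcuser_domain"] == "":
        reasons.append("win10pro-empty-domain")
    return reasons

def scan(log_text):
    """Parse a CSV export and return [(row, reasons)] for each flagged session."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(row)
        if reasons:
            hits.append((row, reasons))
    return hits

if __name__ == "__main__":
    for row, reasons in scan(SAMPLE_LOG):
        print(row["time"], row["public_ip"], row["machinename"], ",".join(reasons))
```

The "win10pro-empty-domain" reason on its own is a profile match rather than an IoC hit, so those sessions are candidates for closer review rather than confirmed compromises.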

In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026. Federal Civilian Executive Branch (FCEB) agencies were mandated to mitigate this vulnerability by June 1, 2026.

Given the severity of this vulnerability and its active exploitation, organizations running PAN-OS with GlobalProtect configurations should take immediate action. Reviewing and applying the latest security advisories, implementing the recommended mitigations, and monitoring network logs for the provided IoCs are essential steps to guard against unauthorized access and preserve the integrity of the network infrastructure.