Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html

ONE SENTENCE SUMMARY:

Palo Alto Networks reports limited active exploitation of PAN-OS CVE-2026-0257, urging log hunting, IoC blocking, and prompt mitigation.

MAIN POINTS:

  1. Palo Alto Networks observed active exploitation targeting GlobalProtect portals for unauthorized access.
  2. CVE-2026-0257 is an authentication bypass in PAN-OS portal and gateway components.
  3. The flaw enables attackers to bypass controls and initiate VPN connections.
  4. In-the-wild exploitation has been limited, first seen on May 17, 2026.
  5. Attribution remains unknown for the observed exploitation attempts.
  6. No post-access activity or lateral movement has been identified so far.
  7. Only a small subset of probed devices recorded established VPN sessions and gateway-connected events.
  8. Published IoCs include multiple suspicious IP addresses tied to the activity.
  9. Additional IoCs list hostnames and MAC addresses associated with potential exploitation.
  10. CISA added the CVE to KEV, mandating FCEB mitigation by June 1, 2026.

TAKEAWAYS:

  1. Prioritize patching or mitigation for CVE-2026-0257 due to confirmed exploitation.
  2. Search GlobalProtect logs for successful gateway-connected events indicating compromise.
  3. Hunt for PoC-linked client values like Windows 10 Pro 64-bit and empty domain fields.
  4. Block and monitor provided IPs, hostnames, and MAC addresses in security controls.
  5. Use KEV deadlines to drive rapid remediation timelines and compliance reporting.
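
Takeaways 2 to 4 as one triage pass, written here as an added example (not code from Palo Alto Networks or the source article). The CSV column names, sample rows, and the IoC address are constructed assumptions; map the columns to your own GlobalProtect log export and load the vendor-published indicators in place of the placeholder.

```python
import csv
import io
import ipaddress

# Constructed sample export; column names are assumptions, not PAN-OS field names.
SAMPLE_LOG = """\
time,event,status,user,domain,client_os,public_ip,machine
2026-05-17T02:11:09Z,gateway-connected,success,jdoe,CORP,Windows 11 Enterprise 64-bit,198.51.100.20,LT-0142
2026-05-17T03:40:51Z,gateway-connected,failure,svc1,,Windows 10 Pro 64-bit,203.0.113.7,HOST-A
2026-05-17T03:41:02Z,gateway-connected,success,svc1,,windows 10 pro  64-bit,203.0.113.7,HOST-A
2026-05-18T09:15:30Z,gateway-connected,success,asmith,CORP,Windows 10 Pro 64-bit,198.51.100.33,LT-0977
"""
# Placeholder IoC (documentation range); load the vendor-published list here.
IOC_IPS = {"203.0.113.7"}
POC_CLIENT_OS = "windows 10 pro 64-bit"

def norm(value):
    """Lower-case and collapse whitespace so cosmetic differences still match."""
    return " ".join((value or "").lower().split())

def ip_in(value, ioc_ips):
    """Compare as parsed addresses; unparsable values never match."""
    try:
        addr = ipaddress.ip_address((value or "").strip())
    except ValueError:
        return False
    return addr in {ipaddress.ip_address(i) for i in ioc_ips}

def hunt(log_text, ioc_ips=IOC_IPS):
    """Return successful gateway-connected events carrying at least one indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if norm(row.get("event")) != "gateway-connected" or norm(row.get("status")) != "success":
            continue
        reasons = []
        if norm(row.get("client_os")) == POC_CLIENT_OS:
            reasons.append("poc_client_os")
        if not norm(row.get("domain")):
            reasons.append("empty_domain")
        if ip_in(row.get("public_ip"), ioc_ips):
            reasons.append("ioc_ip")
        if reasons:
            findings.append({"time": row["time"], "user": row["user"], "reasons": reasons})
    # Most indicators first; a lone OS match is common on legitimate clients.
    return sorted(findings, key=lambda f: -len(f["reasons"]))

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A session that matches only on the client OS string is weak evidence by itself; the combination with an empty domain or a listed address is what warrants review first.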