Palo Alto Networks reported the active exploitation of vulnerability CVE-2026-0257 in the portal and gateway components of GlobalProtect — a VPN solution widely used to provide remote access to corporate networks. The vulnerability allows authentication bypass and the establishment of unauthorized VPN connections. According to the researchers, exploitation is limited in scope; however, organizations using PAN-OS with GlobalProtect must immediately check their logs for indicators of compromise and apply the available updates.
Technical details of the vulnerability
CVE-2026-0257 (NVD) is an authentication bypass vulnerability affecting the GlobalProtect portal and gateway components in PAN-OS software. According to Palo Alto Networks, the CVSS score is 7.8, which corresponds to a high severity level.
The essence of the vulnerability lies in the ability to bypass security control mechanisms, allowing an attacker to initiate VPN connections without undergoing proper authentication. This is an inherently dangerous attack vector: successful exploitation grants the attacker network access equivalent to that of a legitimate remote employee.
Affected products:
- PAN-OS — the operating system of Palo Alto Networks firewalls
- GlobalProtect portal — the portal for managing VPN connections
- GlobalProtect gateway — the VPN connection gateway
Note: The specific affected PAN-OS versions were not specified in the publicly available sources at the time of publication. It is recommended to consult the vendor’s official advisories to determine applicability to your infrastructure.
Observed exploitation activity
According to Palo Alto Networks’ Unit 42 team, the first signs of exploitation in the wild were recorded on May 17, 2026. The attacks are described as limited in scale. An important detail: only a small portion of the probed devices actually established VPN sessions, which resulted in gateway-connected events.
At the time of the report’s publication, Palo Alto Networks stated that no post-exploitation activity or lateral movement had been observed. This may indicate an early stage of the campaign — a reconnaissance and access-testing phase — or that the attackers have not yet moved on to active operations within compromised networks. Threat attribution is currently absent: the responsible actor has not been identified.
It is important to stress that the absence of observed lateral movement does not mean there is no threat. An established VPN connection provides the attacker with a foothold for subsequent actions, and a delay between gaining access and using it is a common tactic of advanced groups.
Indicators of compromise
Palo Alto Networks has published, in its report, the IP addresses associated with the observed activity.
In addition, the researchers recommend searching GlobalProtect logs for successful gateway connection events that match the hard-coded client configuration parameters from the public exploit (PoC):
- endpoint_os_version: Microsoft Windows 10 Pro 64-bit
- source_user_info.domain: empty value
The combination of these two parameters — a specific OS version and the absence of domain information — is a characteristic sign of the PoC exploit being used. If all legitimate GlobalProtect connections in your organization come from domain accounts, an empty domain field for a successful connection is a clear red flag.
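As an added illustration of this check (not code from the advisory or from Palo Alto Networks), the following Python hunts an exported GlobalProtect log for gateway-connected events that carry the PoC fingerprint, treating a missing domain field the same as an empty one. The JSON-lines layout, the `event`/`source_ip`/`user` field names and the sample records are assumptions, and the watch-list address is a placeholder for the IPs in the vendor's report.

```python
import json

# Client parameters the advisory attributes to the public PoC.
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"

# Constructed sample export (assumed JSON-lines layout; 203.0.113.0/24 is a
# documentation range, not one of the advisory's indicators).
SAMPLE_LOG = """\
{"event": "gateway-connected", "source_ip": "203.0.113.10", "user": "alice", "source_user_info.domain": "corp", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit"}
{"event": "gateway-connected", "source_ip": "203.0.113.55", "user": "svc", "source_user_info.domain": "", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit"}
{"event": "gateway-auth-fail", "source_ip": "203.0.113.55", "user": "svc", "source_user_info.domain": "", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit"}
{"event": "gateway-connected", "source_ip": "203.0.113.77", "user": "bob", "endpoint_os_version": "macOS 14.4"}
"""

def is_poc_fingerprint(rec):
    """True when a record carries both PoC parameters: the exact OS string and an
    empty domain. A missing domain field is treated as empty (assumption)."""
    os_match = str(rec.get("endpoint_os_version", "")).strip() == POC_OS_VERSION
    domain = rec.get("source_user_info.domain")
    return os_match and (domain is None or str(domain).strip() == "")

def hunt(lines, watchlist=frozenset()):
    """Return successful gateway connections that match the PoC fingerprint
    or originate from a watch-listed source IP, with the reason for each hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        if rec.get("event") != "gateway-connected":
            continue  # only established sessions matter; failed attempts are not hits
        reasons = []
        if is_poc_fingerprint(rec):
            reasons.append("poc-fingerprint")
        if rec.get("source_ip") in watchlist:
            reasons.append("watchlist-ip")
        if reasons:
            hits.append({"source_ip": rec.get("source_ip"), "user": rec.get("user"), "reasons": reasons})
    return hits

if __name__ == "__main__":
    # Watch-list placeholder: substitute the addresses from the vendor's report.
    for hit in hunt(SAMPLE_LOG.splitlines(), frozenset({"203.0.113.77"})):
        print(hit)
```

In a real export the domain may be absent rather than an empty string, which is why the check accepts both; a legitimate domain-joined user (alice) and a failed attempt from the PoC-like client (the auth-fail line) both stay out of the results.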
Impact assessment
GlobalProtect is one of the most widespread corporate VPN solutions, used by organizations across various industries worldwide. An authentication bypass vulnerability in a remote access component is particularly dangerous for several reasons:
- Direct access to the corporate network: successful exploitation removes the main barrier — authentication — granting the attacker network access indistinguishable from that of a legitimate user
- Portal and gateway components are, by definition, exposed to the internet: this is required for VPN operation, making them attractive targets for mass scanning
- Availability of a public PoC: the hard-coded client configuration parameters in the exploit lower the entry barrier for less skilled attackers
The highest risk is faced by organizations running outdated PAN-OS versions that have not applied the relevant updates, as well as those that do not monitor GlobalProtect gateway connection events.
Practical recommendations
Immediate actions
- Check GlobalProtect logs for gateway-connected events with the PoC parameters listed above (OS version “Microsoft Windows 10 Pro 64-bit” with an empty user domain)
- Block the listed IP addresses on perimeter security tools. Before blocking, make sure these addresses are not used by legitimate services in your infrastructure
- Apply PAN-OS updates that remediate CVE-2026-0257 in accordance with the vendor’s recommendations
Additional measures
- Perform a retrospective log analysis starting from May 17, 2026 — the date of the first recorded exploitation
- If suspicious VPN sessions are found, investigate for signs of post-exploitation activity in the affected network segments, despite Palo Alto Networks’ statement about the absence of lateral movement
- Consider enabling multi-factor authentication for GlobalProtect if it is not already configured — this creates an additional barrier even when the main authentication mechanism is bypassed
- Configure alerts for gateway connection events with anomalous client parameters
Organizations using PAN-OS with GlobalProtect should treat this vulnerability as a remediation priority. The combination of confirmed exploitation in the wild, a public PoC, and direct impact on the security perimeter creates a set of factors that demand prompt response. The key action is the immediate review of GlobalProtect logs using the published indicators, in parallel with applying PAN-OS updates.