A critical vulnerability in Palo Alto Networks' PAN-OS software is being actively exploited in the wild, allowing unauthenticated attackers to bypass authentication controls and establish unauthorized VPN connections through GlobalProtect portals and gateways. Palo Alto Networks' threat intelligence division, Unit 42, confirmed the exploitation activity and identified a cluster of malicious source IPs used in pre-disclosure probing campaigns. The U.S. Cybersecurity and Infrastructure Security Agency added the flaw - tracked as CVE-2026-0257 - to its Known Exploited Vulnerabilities catalog on May 29, 2026, a move that carries formal remediation obligations for federal agencies and signals high-confidence confirmation of in-the-wild abuse.
What the Vulnerability Does and Why It Is Serious
Authentication bypass vulnerabilities occupy a particular tier of severity in enterprise security because they remove the most fundamental control point entirely. Rather than exploiting a misconfiguration or weak credential, an attacker exploiting CVE-2026-0257 needs no credentials at all. The flaw resides in the GlobalProtect portal and gateway components - the external-facing interfaces organizations expose specifically to allow remote workers to connect to internal networks over encrypted VPN tunnels.
GlobalProtect is widely deployed across large enterprises, government agencies, critical infrastructure operators, and financial institutions. It functions as the primary remote access mechanism for PAN-OS-based firewall infrastructure, meaning a successful bypass does not merely expose a peripheral service - it places an attacker inside the network perimeter at a point of high privilege and connectivity. The fact that exploitation requires no prior authentication, no social engineering, and no insider access makes the attack surface unusually broad.
Unit 42 researchers observed an unidentified threat actor conducting broad reconnaissance across GlobalProtect-enabled devices. Probing activity preceded the public release of a proof-of-concept exploit by at least several days, indicating that sophisticated actors were aware of and testing the vulnerability before it became publicly weaponizable. Of the targets probed, only a subset resulted in actual gateway-connected events - meaning full, authenticated-equivalent VPN sessions were established. No confirmed post-access activity, lateral movement, or data exfiltration has been documented at this stage, though Unit 42 emphasizes that the window for follow-on action remains open.
Threat Indicators: What to Look For in Your Logs
Organizations running GlobalProtect should treat log review as an immediate priority, not a scheduled task. Unit 42 has published a set of network-layer and host-based indicators associated with the observed exploitation activity. Crucially, defenders should search for connections predating May 29, 2026 - the date the proof-of-concept became public - since pre-PoC activity is a strong signal of targeted, non-opportunistic exploitation rather than automated scanning that followed public disclosure.
The following IP addresses have been identified as malicious source IPs involved in pre-PoC exploitation attempts. They should be blocked at the perimeter and searched across GlobalProtect authentication and session logs:
- 23[.]128[.]228[.]6
- 104[.]207[.]144[.]154
- 146[.]19[.]216[.]119
- 146[.]19[.]216[.]120
- 146[.]19[.]216[.]125
- 179[.]43[.]172[.]213
- 185[.]195[.]232[.]139
- 198[.]12[.]106[.]60
- 202[.]144[.]192[.]47
These indicators are presented in defanged format. Re-fang them only within controlled threat intelligence platforms such as MISP, VirusTotal, or your organization's SIEM before conducting lookups or correlation.
Beyond network-layer indicators, defenders should examine host identifiers appearing in GlobalProtect session logs. The following MAC addresses and hostnames have been flagged as suspicious device identifiers associated with exploitation activity:
- MAC addresses: aa:bb:cc:dd:ee:ff and 00:11:22:33:44:55
- Hostnames: WINDOWS-LAPTOP-001, DESKTOP-GP01, and GP-CLIENT
Post-PoC activity carries an additional signature drawn from hard-coded values embedded in the publicly released exploit code. Any GlobalProtect session logging an endpoint_os_version of Microsoft Windows 10 Pro 64-bit combined with an empty source_user_info.domain field warrants immediate investigation, since this combination reflects the static client configuration baked into the proof-of-concept rather than a genuine endpoint profile. Because these are literal strings in the PoC, an actor who edits them before use will not match; their absence is not evidence that the PoC was not run against you, and the IP, MAC, and hostname indicators above should be correlated independently.
Immediate Response Priorities
The combination of CISA's KEV listing, confirmed pre-PoC exploitation, and publicly available proof-of-concept code compresses the response window sharply. Organizations that have not yet patched or applied vendor-recommended workarounds should treat this as an active incident posture, not a patch-cycle item.
Rapid7 has independently published technical analysis of observed exploitation in the wild, providing additional context on attack mechanics. Palo Alto Networks has issued a formal security advisory detailing patched PAN-OS versions and available workarounds for environments where immediate upgrading is not operationally feasible.
Recommended immediate actions:
- Review the official Palo Alto Networks security advisory and apply the patched PAN-OS version or documented workaround without delay.
- Search GlobalProtect authentication and session logs for connections from all nine malicious IPs listed above, with particular focus on activity before May 29, 2026.
- Flag and investigate any session records matching the suspicious MAC addresses, hostnames, or hard-coded PoC client values described above.
- For any confirmed gateway-connected events tied to these indicators, activate incident response protocols immediately - do not wait for evidence of post-access activity before escalating.
- Consider temporarily restricting GlobalProtect portal and gateway exposure to known IP ranges if patching cannot be completed immediately, accepting the operational constraints that entails.
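The log hunt described in the indicator section and in the action list above, as an added example (not code from Unit 42, Palo Alto Networks, or the article). It re-fangs the published IPs in memory, scans newline-delimited JSON session records for the IP, MAC, hostname, and hard-coded PoC client values, flags pre-PoC timing, and escalates any match on a gateway-connected event to incident severity. The record layout (event_time, event_id, public_ip, machinename, mac, endpoint_os_version, source_user_info) and the event_id value "gateway-connected" are assumptions modelled on the field names the article quotes, not a documented PAN-OS export schema; adapt the field mapping to your own log source. The sample records are constructed.

```python
"""Hunt GlobalProtect session records for the CVE-2026-0257 indicators.

Added example. Field names and the "gateway-connected" event_id are
assumptions based on the article's wording, not a PAN-OS schema.
"""
import ipaddress
import json
from datetime import datetime, timezone
from typing import Optional

# Indicators exactly as published (defanged); re-fanged only in memory for matching.
DEFANGED_IPS = [
    "23[.]128[.]228[.]6", "104[.]207[.]144[.]154", "146[.]19[.]216[.]119",
    "146[.]19[.]216[.]120", "146[.]19[.]216[.]125", "179[.]43[.]172[.]213",
    "185[.]195[.]232[.]139", "198[.]12[.]106[.]60", "202[.]144[.]192[.]47",
]
SUSPICIOUS_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPICIOUS_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"
POC_PUBLIC = datetime(2026, 5, 29, tzinfo=timezone.utc)  # PoC publication date per the article


def refang(ioc: str) -> str:
    """Turn '1[.]2[.]3[.]4' into '1.2.3.4' and reject anything that is not an IP."""
    addr = ioc.replace("[.]", ".")
    ipaddress.ip_address(addr)  # raises ValueError on a malformed indicator
    return addr


IOC_IPS = {refang(i) for i in DEFANGED_IPS}


def triage(record: dict) -> Optional[dict]:
    """Return a finding for one session record, or None if nothing matches."""
    reasons = []
    ts = datetime.fromisoformat(record["event_time"])
    ip = record.get("public_ip", "")
    if ip in IOC_IPS:
        # Pre-PoC hits point at targeted activity, not post-disclosure scanning.
        reasons.append("ioc-ip" + (" (pre-PoC)" if ts < POC_PUBLIC else ""))
    if record.get("mac", "").lower() in SUSPICIOUS_MACS:
        reasons.append("ioc-mac")
    if record.get("machinename", "") in SUSPICIOUS_HOSTNAMES:
        reasons.append("ioc-hostname")
    # Hard-coded PoC client profile: static OS string plus an empty domain.
    domain = record.get("source_user_info", {}).get("domain")
    if record.get("endpoint_os_version") == POC_OS_VERSION and not domain:
        reasons.append("poc-client-profile")
    if not reasons:
        return None
    # A completed tunnel on any indicator is an incident, not a lead to queue.
    severity = "incident" if record.get("event_id") == "gateway-connected" else "investigate"
    return {"event_time": record["event_time"], "public_ip": ip,
            "severity": severity, "reasons": reasons}


def hunt(lines):
    """Run triage over newline-delimited JSON records; skip blank or unparseable lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = triage(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records: one pre-PoC full session on an IOC IP with the PoC
# profile, one pre-PoC portal probe, one post-PoC session matching only the PoC
# profile, and one benign session with a real domain.
SAMPLE_LOG = """
{"event_time": "2026-05-26T03:14:07+00:00", "event_id": "gateway-connected", "public_ip": "146.19.216.119", "machinename": "DESKTOP-GP01", "mac": "00:11:22:33:44:55", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"user": "jdoe", "domain": ""}}
{"event_time": "2026-05-27T11:02:50+00:00", "event_id": "portal-prelogin", "public_ip": "198.12.106.60", "machinename": "LAPTOP-7F3", "mac": "3c:52:82:11:aa:01", "endpoint_os_version": "Microsoft Windows 11 Enterprise 64-bit", "source_user_info": {"user": "", "domain": ""}}
{"event_time": "2026-05-30T08:45:12+00:00", "event_id": "gateway-connected", "public_ip": "203.0.113.77", "machinename": "HOST-4412", "mac": "9c:b6:d0:aa:12:34", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"user": "svc-probe", "domain": ""}}
{"event_time": "2026-05-30T09:10:00+00:00", "event_id": "gateway-connected", "public_ip": "198.51.100.23", "machinename": "CORP-LT-0912", "mac": "f4:5c:89:aa:bb:cc", "endpoint_os_version": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"user": "asmith", "domain": "CORP"}}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["event_time"], f["public_ip"], ", ".join(f["reasons"]))
```

Run it against an export of your GlobalProtect logs instead of SAMPLE_LOG by piping the file into hunt(). Any "incident" line corresponds to the gateway-connected events the article says must trigger incident response without waiting for post-access evidence; "investigate" lines are probes or partial matches to work through next.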
The absence of confirmed lateral movement or exfiltration at this stage should not be read as containment. In network intrusion campaigns, initial access is frequently staged quietly ahead of a secondary phase. The pre-PoC timeline suggests at least some portion of this activity was deliberate and targeted rather than automated opportunism - which raises the probability that affected organizations face a persistent threat actor with a specific objective, not merely a scanner harvesting access for later resale.