PAN-OS Authentication Bypass Under Active Exploitation — Attackers Initiating Unauthorized VPN Sessions via GlobalProtect (CVE-2026-0257)

Palo Alto Networks Unit 42 has confirmed active exploitation of CVE-2026-0257, an authentication bypass vulnerability in the portal and gateway components of PAN-OS that allows unauthorized attackers to circumvent security controls and initiate VPN connections through GlobalProtect. CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 29.

An unidentified threat actor has been probing vulnerable PAN-OS deployments, though Unit 42 notes that only a small portion of probed devices actually established VPN sessions resulting in gateway-connected events. No post-access behavior or lateral movement has been identified at this time — but successful gateway connections mean the attacker has authenticated into the network perimeter, making this a critical exposure regardless of whether follow-on activity has been observed yet.

Unit 42 has identified two phases of activity. Pre-PoC exploitation (before the May 29 public proof-of-concept release) involved nine IP addresses probing GlobalProtect portals and attempting to obtain successful logins. The attackers used suspicious host identifiers including generic MAC addresses (aa:bb:cc:dd:ee:ff, 00:11:22:33:44:55) and device names like WINDOWS-LAPTOP-001, DESKTOP-GP01, and GP-CLIENT — values that should never appear in legitimate enterprise VPN logs.

Post-PoC activity expanded following public release of exploit code. The PoC hard-codes specific client configuration values that serve as reliable detection signatures: an endpoint OS version of "Microsoft Windows 10 Pro 64-bit" combined with an empty source_user_info.domain field. Any gateway-connected events matching these values are almost certainly exploitation attempts.

The authentication bypass affects the portal and gateway components of vulnerable PAN-OS versions, meaning any organization running GlobalProtect as its VPN solution on unpatched firmware is exposed. Palo Alto Networks Cortex Xpanse can identify publicly exposed PAN-OS gateways and GlobalProtect portals across an organization's attack surface.

Mitigation:

Hunt immediately for the nine listed IP addresses in GlobalProtect logs, focusing on successful login and gateway-connected events. Search for gateway connections using the suspicious host identifiers and MAC addresses listed above — these are not values that legitimate enterprise endpoints produce. For post-PoC detection, flag any connections reporting "Microsoft Windows 10 Pro 64-bit" as the endpoint OS with an empty domain field. Any successful gateway-connected event matching these indicators should trigger incident response. Apply the patches referenced in Palo Alto Networks' security advisory or implement the available workarounds immediately. Review Rapid7's published technical analysis for additional exploitation detail. Organizations that identify successful unauthorized VPN sessions should assume network perimeter compromise and investigate for lateral movement even if none has been publicly reported yet.

IOCs:

23.128.228[.]6, 104.207.144[.]154, 146.19.216[.]119, 146.19.216[.]120, 146.19.216[.]125, 179.43.172[.]213, 185.195.232[.]139, 198.12.106[.]60, 202.144.192[.]47
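The hunt described in the mitigation section combines three indicator classes (the nine source IPs, the placeholder MAC addresses and device names, and the PoC fingerprint of "Microsoft Windows 10 Pro 64-bit" with an empty source_user_info.domain). The following Python script is an added example, not code from Unit 42, Palo Alto Networks or Rapid7: it runs those checks over a newline-delimited JSON export of GlobalProtect events. The field names event_type, src_ip, hostname, mac and client_os, and the event values "login" and "gateway-connected", are assumptions about an export format rather than the PAN-OS log schema; only source_user_info.domain is taken from the advisory text. The sample events are constructed.

```python
"""Hunt GlobalProtect events for the CVE-2026-0257 indicators listed in the advisory."""
import json

# Indicators quoted in the advisory. The IPs are defanged there with "[.]";
# refang() restores them so they can be compared against log values.
IOC_IPS_DEFANGED = [
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119", "146.19.216[.]120",
    "146.19.216[.]125", "179.43.172[.]213", "185.195.232[.]139", "198.12.106[.]60",
    "202.144.192[.]47",
]
IOC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
IOC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
POC_CLIENT_OS = "Microsoft Windows 10 Pro 64-bit"
# Event types that represent a successful authentication or gateway session.
# These values are an assumption about the export format, not the PAN-OS schema.
SUCCESS_EVENTS = {"login", "gateway-connected"}


def refang(ip: str) -> str:
    """Turn a defanged '1.2.3[.]4' indicator back into a matchable address."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def get_path(record: dict, path: str, default=None):
    """Read a dotted key such as 'source_user_info.domain' from a nested record."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def classify(record: dict) -> list:
    """Return the names of the indicators this event matches (empty list if clean)."""
    reasons = []
    # Indicator 1: source IP on the published list. Worth a hit on any event type.
    if record.get("src_ip") in IOC_IPS:
        reasons.append("ioc_ip")
    # The remaining indicators only matter on successful login / gateway events.
    if record.get("event_type") not in SUCCESS_EVENTS:
        return reasons
    # Indicator 2: placeholder host identifiers seen in the pre-PoC probing.
    if (record.get("mac") or "").lower() in IOC_MACS:
        reasons.append("ioc_mac")
    if (record.get("hostname") or "").upper() in IOC_HOSTNAMES:
        reasons.append("ioc_hostname")
    # Indicator 3: PoC fingerprint. Both the hard-coded OS string AND an empty
    # domain are required; the OS string alone is common on real endpoints.
    domain = get_path(record, "source_user_info.domain", "")
    if record.get("client_os") == POC_CLIENT_OS and not domain:
        reasons.append("poc_fingerprint")
    return reasons


def hunt(jsonl: str) -> list:
    """Scan newline-delimited JSON events and return one dict per matching line."""
    hits = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            hits.append({"line": n, "event_type": rec.get("event_type"),
                         "src_ip": rec.get("src_ip"), "reasons": reasons})
    return hits


# Constructed sample events (not real log data). Line 1 is a normal corporate
# session, line 4 shows the PoC OS string with a populated domain (benign), and
# line 5 is a non-success event from a listed IP.
SAMPLE_EVENTS = """
{"event_type": "gateway-connected", "src_ip": "203.0.113.10", "hostname": "FIN-LT-0421", "mac": "3c:52:82:1a:9f:02", "client_os": "Microsoft Windows 11 Enterprise 64-bit", "source_user_info": {"domain": "corp", "name": "jdoe"}}
{"event_type": "login", "src_ip": "146.19.216.120", "hostname": "DESKTOP-GP01", "mac": "AA:BB:CC:DD:EE:FF", "client_os": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"domain": ""}}
{"event_type": "gateway-connected", "src_ip": "198.51.100.77", "hostname": "GP-CLIENT", "mac": "00:11:22:33:44:55", "client_os": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"domain": ""}}
{"event_type": "gateway-connected", "src_ip": "198.51.100.78", "hostname": "HR-LT-0099", "mac": "f0:9f:c2:71:5b:d1", "client_os": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"domain": "corp"}}
{"event_type": "logout", "src_ip": "23.128.228.6", "hostname": "WINDOWS-LAPTOP-001", "mac": "aa:bb:cc:dd:ee:ff", "client_os": "Microsoft Windows 10 Pro 64-bit", "source_user_info": {"domain": ""}}
""".strip()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The script deliberately requires both halves of the PoC fingerprint before flagging, since "Microsoft Windows 10 Pro 64-bit" on its own appears on many legitimate endpoints, while a listed IP is reported on every event type so that probing that never reached a gateway-connected state still surfaces. Any hit with a "login" or "gateway-connected" event type is the condition the advisory says should trigger incident response.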