Palo Alto says PAN-OS flaw is under active exploitation

Palo Alto Networks said it has seen active exploitation of a recently disclosed PAN-OS vulnerability, CVE-2026-0257, in limited attacks against GlobalProtect portals, with initial activity observed on May 17, 2026 and at least some attempts leading to VPN session establishment.

KEY FACTS

  • Vulnerability: CVE-2026-0257 is an authentication bypass issue in PAN-OS portal and gateway components.
  • Impact: The flaw could let attackers bypass security controls and set up VPN connections.
  • Activity: Palo Alto said the attacks were limited and the actor is unknown.
  • Scope: Only a small portion of probed devices established VPN sessions.
  • Indicators: The company published IP addresses, host names and MAC addresses tied to the activity.

According to a technical analysis from Palo Alto Networks, the exploitation aimed at unauthorized access to GlobalProtect portals. The company said no post-access behavior or lateral movement has been identified so far.

Palo Alto also released indicators of compromise tied to the activity, including multiple IP addresses and several host names and MAC addresses. It urged customers to review GlobalProtect logs for successful gateway-connected events that match hard-coded client settings seen in a proof-of-concept exploit, including Microsoft Windows 10 Pro 64-bit and an empty source_user_info.domain field.
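
The log review described above, as an added example that is not from Palo Alto Networks or the original article: it filters a JSON-lines export of GlobalProtect events for successful gateway-connected sessions carrying the proof-of-concept's client settings. The `event_id`, `status`, `client_os` and `public_ip` field names, the export layout and the sample records are assumptions; only `source_user_info.domain` and the OS string come from the article.

```python
import json

# Values named in the article's log-review guidance.
POC_CLIENT_OS = "Microsoft Windows 10 Pro 64-bit"
POC_EVENT = "gateway-connected"
# Assumed field names (not from the article): event_id, status, client_os, public_ip.

def _domain(rec):
    """Return source_user_info.domain from a nested or flattened record."""
    if "source_user_info.domain" in rec:
        return rec["source_user_info.domain"]
    info = rec.get("source_user_info")
    return info.get("domain") if isinstance(info, dict) else None

def matches_poc_profile(rec):
    """True for a successful gateway-connected event with the PoC's client settings."""
    return (
        str(rec.get("event_id", "")).lower() == POC_EVENT
        and str(rec.get("status", "")).lower() == "success"
        and str(rec.get("client_os", "")).strip() == POC_CLIENT_OS
        # A missing, null or whitespace-only domain is treated as empty.
        and not str(_domain(rec) or "").strip()
    )

def find_suspect_sessions(lines):
    """Parse a JSON-lines log export, skipping blank or malformed lines."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except (json.JSONDecodeError, TypeError):
            continue
        if isinstance(rec, dict) and matches_poc_profile(rec):
            hits.append(rec)
    return hits

# Constructed sample records (documentation addresses, not published indicators).
SAMPLE = [
    '{"event_id":"gateway-connected","status":"success","client_os":"Microsoft Windows 10 Pro 64-bit","source_user_info":{"name":"jdoe","domain":""},"public_ip":"203.0.113.10"}',
    '{"event_id":"gateway-connected","status":"success","client_os":"Microsoft Windows 10 Pro 64-bit","source_user_info":{"name":"asmith","domain":"CORP"},"public_ip":"203.0.113.11"}',
    '{"event_id":"gateway-connected","status":"success","client_os":"Microsoft Windows 10 Pro 64-bit","source_user_info.domain":"","public_ip":"203.0.113.12"}',
    '{"event_id":"gateway-connected","status":"failure","client_os":"Microsoft Windows 10 Pro 64-bit","source_user_info":{"domain":""},"public_ip":"203.0.113.13"}',
    '{"event_id":"gateway-connected","status":"success","client_os":"Apple Mac OS X 14.4","source_user_info":{"domain":""},"public_ip":"203.0.113.14"}',
    'not json',
]

if __name__ == "__main__":
    for hit in find_suspect_sessions(SAMPLE):
        print("review session from", hit.get("public_ip"))
```

A match only flags a session for review; the same OS string and an empty domain can also come from legitimate clients, so hits should be correlated with the indicators the company published.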

Late last month, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog and told Federal Civilian Executive Branch agencies to mitigate the flaw by June 1, 2026.

WHY IT MATTERS

The disclosure shows that a high-severity VPN authentication flaw is already being used in the wild, which can widen exposure for organizations that rely on GlobalProtect. The published indicators and log-search guidance give defenders concrete steps to check for compromise and limit further access.