Monday , July 6 2026
GlobalProtect

CVE-2026-0257
Palo Alto Warns of GlobalProtect VPN Vuln Actively Exploited

Palo Alto Networks Unit 42 has given an urgent alert about the active use of CVE-2026-0257. This is a serious security hole that allows bypassing authentication in the GlobalProtect portal and gateway parts of PAN-OS software.

The flaw lets unauthenticated remote attackers bypass security measures and start unauthorized VPN connections without needing any login details.

“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

A new Linux flaw called “Bad Epoll” (CVE-2026-46242) lets regular users get root access on Linux servers, desktops, and Android...
Read More
“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

An AI performed a cyber attack without any human help for the first time

Security experts found what they think is the first time an AI carried out a cyber attack all by itself....
Read More
An AI performed a cyber attack without any human help for the first time

Singapore major data centres, cloud providers could incur fine up to $1m

Major data center and cloud service providers might have to pay a fine of up to $1 million or up...
Read More
Singapore major data centres, cloud providers could incur fine up to $1m

IBM-managed instance breach exposes personal data of 70,000 in Singapore

The Singapore Land Authority (SLA) has announced that the personal details of around 70,000 people were leaked after someone accessed...
Read More
IBM-managed instance breach exposes personal data of 70,000 in Singapore

Alibaba Reportedly Bans Claude Code for Suspected AI Tool Backdoor

Alibaba is said to be getting ready to ban the use of Anthropic’s Claude Code in its own systems starting...
Read More
Alibaba Reportedly Bans Claude Code for Suspected AI Tool Backdoor

CISA KEV Adds SharePoint RCE CVE-2026-45659 After Active Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a serious problem affecting Microsoft SharePoint Server to its list of...
Read More
CISA KEV Adds SharePoint RCE CVE-2026-45659 After Active Exploits

Nepal Unveils First “Hall of Fame” for Ethical Hackers

Nepal has started a 'Hall of Fame' program to honor cybersecurity researchers who safely report security flaws in government digital...
Read More
Nepal Unveils First “Hall of Fame” for Ethical Hackers

900+ Oracle E-Business instances Exposed Online

The Shadowserver Foundation found about 950 Oracle E-Business Suite (EBS) systems on the internet around the world. This discovery came...
Read More
900+ Oracle E-Business instances Exposed Online

India asks WhatsApp not to roll out ‘username’ feature over fraud concerns

The Indian government issued a notice WhatsApp planned to roll out its new 'username' feature. They are worried about fake...
Read More
India asks WhatsApp not to roll out ‘username’ feature over fraud concerns

Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI), compromising...
Read More
Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2026-0257 in its list of known problems on May 29, 2026, showing how serious it is and that it has been used in real attacks.

Unit 42 researchers found an unknown threat actor testing GlobalProtect-enabled devices. The attacker checked many targets, but only a few made real VPN connections, leading to gateway-related events. There is no proof of further actions, movement, or data theft right now, but it is still possible.

Organizations should quickly look for signs of problems (IOCs) in their GlobalProtect logs and start their response plans for any successful events connected to the listed signs.
Organizations must check the Palo Alto Networks security notice right away, use any available fixes, or upgrade to a fixed PAN-OS version. Rapid7 has also shared a technical report on the exploitation activity they have seen.

Threat hunters need to look at GlobalProtect logs for successful logins from these IP addresses, especially for any actions before the public PoC release on May 29, 2026:

IP Address Indicators

IP Address Context Phase
23.128.228[.]6 Malicious source IP Pre-PoC (before May 29, 2026)
104.207.144[.]154 Malicious source IP Pre-PoC (before May 29, 2026)
146.19.216[.]119 Malicious source IP Pre-PoC (before May 29, 2026)
146.19.216[.]120 Malicious source IP Pre-PoC (before May 29, 2026)
146.19.216[.]125 Malicious source IP Pre-PoC (before May 29, 2026)
179.43.172[.]213 Malicious source IP Pre-PoC (before May 29, 2026)
185.195.232[.]139 Malicious source IP Pre-PoC (before May 29, 2026)
198.12.106[.]60 Malicious source IP Pre-PoC (before May 29, 2026)
202.144.192[.]47 Malicious source IP Pre-PoC (before May 29, 2026)

Host-Based Indicators

Indicator Type Context
aa:bb:cc:dd:ee:ff MAC Address Suspicious device identifier in GlobalProtect logs
00:11:22:33:44:55 MAC Address Suspicious device identifier in GlobalProtect logs
WINDOWS-LAPTOP-001 Hostname Suspicious host ID in GlobalProtect logs
DESKTOP-GP01 Hostname Suspicious host ID in GlobalProtect logs
GP-CLIENT Hostname Suspicious host ID in GlobalProtect logs

Post-PoC Hard-Coded Client Configuration Indicators

Field Value Context
endpoint_os_version Microsoft Windows 10 Pro 64-bit Hard-coded in PoC exploit code
source_user_info.domain (empty) Hard-coded in PoC exploit code

Check Also

macOS

Apple fixes more than 30 iOS, macOS, and Safari flaws

Apple released security updates on Monday for iOS, macOS, and Safari. These updates fix more …