Palo Alto Networks Unit 42 has issued an urgent alert about active exploitation of CVE-2026-0257, an authentication bypass vulnerability in the GlobalProtect portal and gateway components of PAN-OS.
The flaw allows unauthenticated remote attackers to bypass authentication and establish unauthorized VPN sessions without any valid credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, confirming both its severity and its use in real-world attacks.
Unit 42 researchers observed an unattributed threat actor probing GlobalProtect-enabled devices. The actor scanned many targets, but only a small number resulted in established VPN connections and the associated gateway events. There is currently no evidence of follow-on activity, lateral movement, or data exfiltration, although these remain possible.
Organizations should promptly search their GlobalProtect logs for the indicators of compromise (IOCs) listed below and initiate their incident response procedures for any successful events tied to them.
Organizations must review the Palo Alto Networks security advisory immediately, apply any available mitigations, or upgrade to a fixed PAN-OS version. Rapid7 has also published a technical report on the exploitation activity it has observed.
Threat hunters should review GlobalProtect logs for successful logins from the following IP addresses, with particular attention to any activity before the public PoC release on May 29, 2026:
IP Address Indicators
| IP Address | Context | Phase |
|---|---|---|
| 23.128.228[.]6 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 104.207.144[.]154 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]119 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]120 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 146.19.216[.]125 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 179.43.172[.]213 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 185.195.232[.]139 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 198.12.106[.]60 | Malicious source IP | Pre-PoC (before May 29, 2026) |
| 202.144.192[.]47 | Malicious source IP | Pre-PoC (before May 29, 2026) |
Host-Based Indicators
| Indicator | Type | Context |
|---|---|---|
| aa:bb:cc:dd:ee:ff | MAC Address | Suspicious device identifier in GlobalProtect logs |
| 00:11:22:33:44:55 | MAC Address | Suspicious device identifier in GlobalProtect logs |
| WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs |
| DESKTOP-GP01 | Hostname | Suspicious host ID in GlobalProtect logs |
| GP-CLIENT | Hostname | Suspicious host ID in GlobalProtect logs |
Post-PoC Hard-Coded Client Configuration Indicators
| Field | Value | Context |
|---|---|---|
| endpoint_os_version | Microsoft Windows 10 Pro 64-bit | Hard-coded in PoC exploit code |
| source_user_info.domain | (empty) | Hard-coded in PoC exploit code |
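To put the three indicator tables above to work, here is an added example (not code from Unit 42, Rapid7, or Palo Alto Networks) that refangs the listed IPs and scans constructed GlobalProtect-style records for them, flagging pre-PoC hits separately from the host-based and hard-coded client indicators. The CSV column names and the sample log lines are assumptions for illustration, not the real PAN-OS log schema.

```python
# Added example: hunt for this alert's IOCs in constructed GlobalProtect-style records.
import csv
from datetime import datetime
from io import StringIO

POC_RELEASE = datetime(2026, 5, 29)
# Defanged IPs as listed in the alert, refanged for matching.
MALICIOUS_IPS = {ip.replace("[.]", ".") for ip in [
    "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119", "146.19.216[.]120",
    "146.19.216[.]125", "179.43.172[.]213", "185.195.232[.]139", "198.12.106[.]60",
    "202.144.192[.]47"]}
SUSPICIOUS_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPICIOUS_HOSTS = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"

# Constructed sample log (not real telemetry); the column layout is assumed.
SAMPLE_LOG = """time,event,status,public_ip,machine_name,mac,domain,endpoint_os_version
2026-05-27 08:12:01,gateway-login,success,146.19.216.120,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,,Microsoft Windows 10 Pro 64-bit
2026-05-27 09:30:44,portal-prelogin,failure,23.128.228.6,,,,
2026-05-30 14:02:10,gateway-login,success,198.51.100.7,GP-CLIENT,00:11:22:33:44:55,,Microsoft Windows 10 Pro 64-bit
2026-05-30 14:05:00,gateway-login,success,203.0.113.9,CORP-LT-4412,de:ad:be:ef:00:01,CORP,Microsoft Windows 11 Enterprise 64-bit
"""

def classify(row):
    """Return the indicator reasons a record matches (empty list = clean)."""
    reasons = []
    ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    if row["public_ip"] in MALICIOUS_IPS:
        reasons.append("pre-PoC IP" if ts < POC_RELEASE else "listed IP")
    if row["mac"].lower() in SUSPICIOUS_MACS:
        reasons.append("suspicious MAC")
    if row["machine_name"] in SUSPICIOUS_HOSTS:
        reasons.append("suspicious hostname")
    # The public PoC hard-codes this OS string together with an empty domain.
    if row["endpoint_os_version"] == POC_OS_VERSION and row["domain"] == "":
        reasons.append("PoC client fingerprint")
    return reasons

def hunt(log_text):
    """Return (time, public_ip, status, reasons) for every record that matches."""
    hits = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = classify(row)
        if reasons:
            hits.append((row["time"], row["public_ip"], row["status"], reasons))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Successful gateway logins carrying any reason are the records to escalate first; a failed portal pre-login from a listed IP is evidence of scanning rather than of a compromise.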