{"id":1305,"date":"2026-06-15T08:37:03","date_gmt":"2026-06-15T08:37:03","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1305"},"modified":"2026-06-15T08:37:03","modified_gmt":"2026-06-15T08:37:03","slug":"palo-alto-warns-of-active-exploitation-of-pan-os-globalprotect-vpn-flaw","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1305","title":{"rendered":"Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Jun 15, 2026<\/span><\/span>Vulnerability \/ VPN Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Palo Alto Networks has revealed that it has observed \u00abactive exploitation\u00bb of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect<\/a> portals.<\/p>\n

The vulnerability in question is CVE-2026-0257<\/b> (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad actors to set up VPN connections.<\/p>\n

According to the network security company, the security defect could be exploited by a bad actor to bypass security controls and initiate VPN connections.<\/p>\n

The vulnerability has been exploited in the wild in limited attacks, with initial activity observed on May 17, 2026. It’s currently unknown who is behind the exploitation efforts.<\/p>\n

\u00abNo post-access behavior or lateral movement has been identified as of this time,\u00bb Palo Alto Networks said<\/a>. \u00abOnly a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The company has also released indicators of compromise (IoCs) associated with the activity –<\/p>\n

    \n
  • \n IP addresses –<\/p>\n
      \n
    • 23.128.228[.]6<\/li>\n
    • 104.207.144[.]154<\/li>\n
    • 146.19.216[.]119<\/li>\n
    • 146.19.216[.]120<\/li>\n
    • 146.19.216[.]125<\/li>\n
    • 179.43.172[.]213<\/li>\n
    • 185.195.232[.]139<\/li>\n
    • 198.12.106[.]60<\/li>\n
    • 202.144.192[.]47<\/li>\n<\/ul>\n<\/li>\n
    • \n Host Names and MAC Addresses –<\/p>\n
        \n
      • aa:bb:cc:dd:ee:ff<\/li>\n
      • 00:11:22:33:44:55<\/li>\n
      • WINDOWS-LAPTOP-001<\/li>\n
      • DESKTOP-GP01<\/li>\n
      • GP-CLIENT<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

        Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit –<\/p>\n

          \n
        • endpoint_os_version : Microsoft Windows 10 Pro 64-bit<\/li>\n
        • source_user_info.domain : empty<\/li>\n<\/ul>\n

          Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CSIA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to mitigate the flaw by June 1, 2026.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

          \ue804Ravie Lakshmanan\ue802Jun 15, 2026Vulnerability \/ VPN Security Palo Alto Networks has revealed that it has observed \u00abactive exploitation\u00bb of a recently disclosed PAN-OS vulnerability by an unknown threat actor to…<\/p>\n","protected":false},"author":1,"featured_media":1306,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[64,1536,65,70,1845,1535,1537,668,148],"class_list":["post-1305","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-active","tag-alto","tag-exploitation","tag-flaw","tag-globalprotect","tag-palo","tag-panos","tag-vpn","tag-warns"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1305"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1305\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1306"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}