Palo Alto Networks GlobalProtect Vulnerability Under Active Exploitation
A critical authentication bypass vulnerability, **CVE-2026-0257**, affecting **Palo Alto Networks**' **PAN-OS GlobalProtect** portals and gateways, is currently under active exploitation. Threat actors are leveraging this flaw to gain unauthorized VPN access, prompting urgent calls for mitigation from cybersecurity authorities and the vendor.
Network security giant **Palo Alto Networks** has confirmed observing active exploitation of a recently disclosed vulnerability within its **PAN-OS GlobalProtect** portals. An unknown threat actor is leveraging this flaw to establish unauthorized VPN connections.
The vulnerability, identified as **CVE-2026-0257**, carries a CVSS score of 7.8. It is an authentication bypass defect affecting both the portal and gateway components of **PAN-OS** software. Successful exploitation allows malicious actors to circumvent security controls and initiate VPN sessions.
### Exploitation in the Wild
Limited attacks exploiting **CVE-2026-0257** were first detected on May 17, 2026. While the identity of the threat actor remains unknown, **Palo Alto Networks**' **Unit 42** research team is actively monitoring the situation.
"No post-access behavior or lateral movement has been identified as of this time," **Palo Alto Networks** stated. "Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events."
### Indicators of Compromise (IoCs)
To aid in detection and mitigation, **Palo Alto Networks** has released a list of IoCs associated with the observed activity:
* **Host Names and MAC Addresses** (from potential proof-of-concept exploits):
  * aa:bb:cc:dd:ee:ff
  * 00:11:22:33:44:55
  * WINDOWS-LAPTOP-001
  * DESKTOP-GP01
  * GP-CLIENT
Customers are also advised to search their **GlobalProtect** logs for successful gateway-connected events that match specific hard-coded client configuration values from a known proof-of-concept (PoC) exploit:
* `endpoint_os_version`: Microsoft Windows 10 Pro 64-bit
* `source_user_info.domain`: empty
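As an added example (not code from Palo Alto Networks or from this article), a small Python sweep over an exported GlobalProtect log that flags successful gateway-connected events carrying the PoC's hard-coded client values, plus any event that reuses one of the published host names or MAC addresses. It assumes the export is JSON lines and the field names shown (`eventid`, `status`, `endpoint_os_version`, `source_user_info.domain`, `hostname`, `mac`, `public_ip`), so adjust them to your export format.

```python
import json

# Values published for the PoC client profile and artifacts (taken from the advisory text above).
POC_OS_VERSION = "Microsoft Windows 10 Pro 64-bit"
POC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
POC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}


def matches_poc_profile(event):
    """Successful gateway-connected event whose client fields equal the PoC's hard-coded values."""
    if event.get("eventid") != "gateway-connected" or event.get("status") != "success":
        return False
    domain = (event.get("source_user_info") or {}).get("domain") or ""
    return event.get("endpoint_os_version") == POC_OS_VERSION and domain == ""


def matches_poc_artifacts(event):
    """Any event whose client host name or MAC address is one of the published artifacts."""
    return (str(event.get("hostname", "")).upper() in POC_HOSTNAMES
            or str(event.get("mac", "")).lower() in POC_MACS)


def find_suspicious(lines):
    """Return (line_no, public_ip, reasons) for every export line that trips a check."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines instead of aborting the sweep
        reasons = []
        if matches_poc_profile(ev):
            reasons.append("poc-profile")
        if matches_poc_artifacts(ev):
            reasons.append("poc-artifact")
        if reasons:
            hits.append((n, ev.get("public_ip"), reasons))
    return hits


# Constructed sample export (assumed field names): a normal domain-joined login, a PoC-profile
# match, a published host name on a domain-joined session, and a pre-login event reusing a PoC MAC.
SAMPLE_LOG = (
    '{"eventid":"gateway-connected","status":"success","endpoint_os_version":"Microsoft Windows 11 Enterprise 64-bit","source_user_info":{"domain":"corp"},"hostname":"LT-1234","mac":"10:20:30:40:50:60","public_ip":"203.0.113.10"}\n'
    '{"eventid":"gateway-connected","status":"success","endpoint_os_version":"Microsoft Windows 10 Pro 64-bit","source_user_info":{"domain":""},"hostname":"USER-PC","mac":"10:20:30:40:50:61","public_ip":"198.51.100.7"}\n'
    '{"eventid":"gateway-connected","status":"success","endpoint_os_version":"Microsoft Windows 10 Pro 64-bit","source_user_info":{"domain":"corp"},"hostname":"DESKTOP-GP01","mac":"10:20:30:40:50:62","public_ip":"198.51.100.8"}\n'
    '{"eventid":"portal-prelogin","status":"success","endpoint_os_version":"Microsoft Windows 10 Pro 64-bit","source_user_info":{"domain":""},"hostname":"GP-CLIENT","mac":"aa:bb:cc:dd:ee:ff","public_ip":"198.51.100.9"}\n'
)

if __name__ == "__main__":
    for n, ip, reasons in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {ip} -> {', '.join(reasons)}")
```

A hit on the profile check alone is worth reviewing against the session's source address and user, since a genuine client can also be an undomained Windows 10 Pro machine.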
### Urgent Mitigation Required
The severity of **CVE-2026-0257** led the **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** to add it to its **Known Exploited Vulnerabilities (KEV)** catalog. **CISA** has mandated that Federal Civilian Executive Branch (FCEB) agencies mitigate this flaw by June 1, 2026, underscoring the critical need for all organizations utilizing affected **GlobalProtect** instances to apply patches immediately.