Palo Alto Networks has issued a warning regarding active exploitation of a recently disclosed vulnerability affecting PAN-OS software, confirming that an unidentified threat actor has been attempting to gain unauthorized access to GlobalProtect portals through the security flaw. The vulnerability, identified as CVE-2026-0257 and assigned a CVSS score of 7.8, impacts the portal and gateway components of PAN-OS and has raised concerns among organizations relying on GlobalProtect Virtual Private Network infrastructure for secure remote connectivity. According to the network security company, the flaw enables authentication bypass, allowing malicious actors to potentially establish unauthorized VPN connections and gain access to protected environments.
Palo Alto Networks stated that the vulnerability can be exploited to bypass existing security controls and initiate VPN sessions through affected systems. The company disclosed that exploitation activity has already been detected in limited real-world attacks, with the earliest known activity traced back to 17 May 2026. While the organization confirmed active exploitation attempts, it noted that the identity of the actor or group responsible remains unknown at this stage. Despite the observed activity, Palo Alto Networks reported that investigations have not identified evidence of post-access malicious behavior or lateral movement within affected networks. According to the company, only a limited number of devices targeted during the attacks successfully established VPN sessions, resulting in gateway-connected events rather than broader compromise scenarios.
As part of its advisory, Palo Alto Networks released multiple indicators of compromise linked to the activity in an effort to help organizations strengthen monitoring and detection capabilities. These indicators include suspicious IP addresses associated with exploitation attempts, alongside specific host names and Media Access Control addresses observed during the activity. The company also encouraged customers to closely review GlobalProtect logs for successful gateway-connected events matching hard-coded client configuration values identified in a publicly available proof-of-concept exploit. Security teams have specifically been advised to monitor entries containing endpoint operating system details listed as Microsoft Windows 10 Pro 64-bit and gateway activity where source user information domain fields appear empty, as these patterns may signal suspicious activity connected to exploitation attempts.
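The log review described above can be scripted over an exported copy of the GlobalProtect log. The following is an added example, not code from Palo Alto Networks or its advisory: the CSV column names (`eventid`, `status`, `client_os_ver`, `srcuser_domain`) are assumptions about the export format, the sample rows are constructed, and flagging only rows where both patterns coincide is a triage choice made here.

```python
import csv
import io
import re

# Column names are assumptions about a CSV export; map them to your own schema.
COLS = {"event": "eventid", "status": "status", "os": "client_os_ver",
        "domain": "srcuser_domain"}

# OS string named in the article, normalised (punctuation and hyphens vary by export).
POC_OS = "microsoft windows 10 pro 64 bit"


def _norm(value):
    """Lowercase and collapse punctuation/whitespace so '64-bit' equals '64 bit'."""
    return re.sub(r"[^a-z0-9]+", " ", (value or "").lower()).strip()


def is_suspicious(row):
    """True for a successful gateway-connected event that reports the PoC's
    client OS string and carries no source-user domain."""
    return (_norm(row.get(COLS["event"])) == "gateway connected"
            and _norm(row.get(COLS["status"])) == "success"
            and _norm(row.get(COLS["os"])) == POC_OS
            and not (row.get(COLS["domain"]) or "").strip())


def find_suspicious(csv_text):
    """Return matching rows from CSV text for analyst review."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if is_suspicious(r)]


# Constructed sample rows (documentation IP ranges, made-up hosts), not real log data.
SAMPLE = """time,eventid,status,client_os_ver,srcuser_domain,srcuser,public_ip,machinename
2026-05-18T02:11:09Z,gateway-connected,success,"Microsoft Windows 10 Pro , 64-bit",,jdoe,203.0.113.10,HOST-A
2026-05-18T08:30:41Z,gateway-connected,success,"Microsoft Windows 11 Enterprise , 64-bit",CORP,asmith,198.51.100.7,LT-0042
2026-05-18T09:02:13Z,gateway-connected,success,"Microsoft Windows 10 Pro , 64-bit",CORP,bkhan,198.51.100.9,LT-0077
2026-05-18T09:15:55Z,gateway-auth,failure,"Microsoft Windows 10 Pro , 64-bit",,guest,203.0.113.11,HOST-B
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit["time"], hit["public_ip"], hit["machinename"], hit["srcuser"])
```

Rows returned by this filter are leads for review against the IP addresses, host names and MAC addresses published in the advisory, not confirmed compromises.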
The disclosure comes as cybersecurity agencies continue to prioritize vulnerabilities actively exploited in operational environments. Late last month, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, highlighting the urgency of mitigation efforts for affected organizations. Federal Civilian Executive Branch agencies were instructed to address the vulnerability by 1 June 2026 in response to the potential security risks associated with exploitation. The warning from Palo Alto Networks underscores increasing concerns around VPN security and authentication bypass vulnerabilities, particularly as organizations continue to depend on remote access technologies to support distributed workforces and enterprise operations.