CVE-2026-0257: Palo Alto PAN-OS GlobalProtect Authentication Bypass Vulnerability

16 Jun 2026

Palo Alto Networks has disclosed active exploitation of a high-severity authentication bypass vulnerability, tracked as CVE-2026-0257, affecting the GlobalProtect Portal and Gateway components of PAN-OS.

According to Palo Alto Networks, threat actors have been observed exploiting the vulnerability in the wild to establish unauthorized VPN connections through vulnerable GlobalProtect deployments.

The company confirmed that exploitation activity was first identified on May 17, 2026, although attribution to a specific threat actor remains unknown.

In this blog, we look at what the vulnerability is, the threat it poses, and the security actions organizations can take to prevent or mitigate that threat.

About the vulnerability

Vendor + component affected: Palo Alto Networks

  • PAN-OS GlobalProtect Portal
  • PAN-OS GlobalProtect Gateway
  • GlobalProtect VPN Infrastructure
  • Internet-facing Remote Access Services

Potentially affected environments:

  • Organizations using GlobalProtect VPN for remote workforce access
  • Enterprises exposing GlobalProtect Portal services to the internet
  • Organizations relying on VPN-based access to internal resources

CVE Identifier: CVE-2026-0257

About: The vulnerability exists within the authentication mechanisms used by the GlobalProtect Portal and Gateway services. Successful exploitation allows attackers to bypass authentication controls and establish VPN sessions without possessing valid credentials.

Severity: 7.8 (High)

What can attackers do with the vulnerability?

An attacker can target a vulnerable GlobalProtect Portal or Gateway exposed to the internet and abuse the authentication bypass vulnerability to establish unauthorized VPN sessions without valid credentials.

Once connected, the attacker may gain access to internal network resources and leverage the trusted VPN connection to perform reconnaissance, credential harvesting, privilege escalation, lateral movement, or deployment of additional malicious payloads.

Attackers can exploit the vulnerability to:

  • Gain unauthorized access to internal corporate networks
  • Bypass authentication of GlobalProtect VPN services
  • Conduct reconnaissance of internal network and discover assets
  • Steal credentials and cause compromise of accounts
  • Access sensitive business applications and data
  • Exfiltrate data
  • Deploy ransomware
  • Establish mechanisms for persistence after gaining access

SharkStriker recommendations

To reduce the risk associated with CVE-2026-0257, SharkStriker recommends implementing the following defensive measures:

Apply Security Updates Immediately

  • Upgrade all affected PAN-OS systems to the latest vendor-recommended fixed versions.

Review Historical VPN Activity

Conduct a detailed review of GlobalProtect authentication logs and investigate:

  • Unexpected VPN connections.
  • New or unusual VPN users.
  • Gateway-connected events.
  • Connections originating from suspicious IP addresses.

Enforce Multi-Factor Authentication (MFA)

  • Require MFA for all VPN users to reduce the risk of unauthorized access.

Restrict External Exposure

  • Limit GlobalProtect access to trusted IP ranges, approved geographies, and authorized user groups wherever possible.

Hunt for Indicators of Compromise

Review logs for the following indicators released by Palo Alto Networks:


Observed Hostnames

  • WINDOWS-LAPTOP-001
  • DESKTOP-GP01
  • GP-CLIENT

Monitor for Post-Compromise Activity

Investigate VPN-connected systems for:

  • Internal reconnaissance.
  • Credential access attempts.
  • Privilege escalation activity.
  • Lateral movement behavior.
  • Suspicious PowerShell or command execution.

Strengthen Detection Coverage

Ensure SIEM and EDR solutions generate alerts for:

  • Unusual VPN authentication events.
  • Authentication bypass indicators.
  • High-risk remote access activity.
  • Unauthorized network enumeration.
  • Abnormal user behavior following VPN access.

Maintain Continuous Monitoring

Given the active exploitation status of CVE-2026-0257, organizations should maintain heightened monitoring of GlobalProtect infrastructure until remediation efforts have been fully validated.
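As an added example (not part of the SharkStriker post and not a Palo Alto Networks tool), the following Python script applies the log-review and indicator-hunting recommendations above to a constructed, simplified GlobalProtect log export: it flags connections from listed hostnames or addresses, gateway-connected events for accounts outside a known-user baseline, and tunnels established with no prior successful authentication event for that user. The column layout, the user baseline and the placeholder IP address are assumptions; the hostnames are the ones listed above.

```python
import csv
import io

# Constructed, simplified GlobalProtect log export (not a real capture). The
# column names mirror GlobalProtect log fields (Event ID, Source User, Machine
# Name, Public IP, Status); the exact export layout is an assumption here.
SAMPLE_LOG = """receive_time,event_id,source_user,machine_name,public_ip,status
2026/05/17 02:14:09,portal-auth,alice,ALICE-LT,203.0.113.8,success
2026/05/17 02:14:11,gateway-connected,alice,ALICE-LT,203.0.113.8,success
2026/05/17 03:41:52,gateway-connected,svc_backup,GP-CLIENT,192.0.2.77,success
2026/05/17 03:42:10,gateway-connected,bob,DESKTOP-GP01,198.51.100.23,success
2026/05/18 09:05:00,portal-auth,bob,BOB-LT,198.51.100.23,failure
"""

# Indicator lists: the hostnames are those published for this campaign; the IP
# is a placeholder from the RFC 5737 test range, to be replaced with the
# vendor-published addresses.
IOC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
IOC_IPS = {"192.0.2.77"}
# Assumed baseline of accounts expected to use the VPN (e.g. exported from the IdP).
KNOWN_USERS = {"alice", "bob"}

AUTH_EVENTS = {"portal-auth", "gateway-auth"}


def hunt(log_text, known_users=KNOWN_USERS, ioc_hosts=IOC_HOSTNAMES, ioc_ips=IOC_IPS):
    """Return [(receive_time, user, [reasons])] for events worth investigating."""
    findings = []
    authenticated = set()  # users with a successful auth event seen so far
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["source_user"]
        if row["event_id"] in AUTH_EVENTS and row["status"] == "success":
            authenticated.add(user)
        reasons = []
        if row["machine_name"] in ioc_hosts:
            reasons.append("ioc-hostname")
        if row["public_ip"] in ioc_ips:
            reasons.append("ioc-ip")
        if row["event_id"] == "gateway-connected":
            if user not in known_users:
                reasons.append("unknown-user")
            # A tunnel established with no earlier successful auth for that user
            # is the trace an authentication bypass would leave in the log.
            if user not in authenticated:
                reasons.append("connected-without-auth")
        if reasons:
            findings.append((row["receive_time"], user, reasons))
    return findings
```

Run it against a real export after mapping the column names, and treat "connected-without-auth" hits as the highest-priority leads for the historical review.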
