CVE-2026-0257: Palo Alto Networks PAN-OS — VPN Authentication Bypass Exploited (June 2026)

breachwire Team · Jun 16, 2026 · 2 min read

CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect VPN

CVE-2026-0257 is a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect VPN portals and gateways. The flaw is under active exploitation as of mid-May 2026, enabling attackers to establish unauthorized VPN sessions without valid credentials. No post-access lateral movement has been observed, but the risk of unauthorized network entry is critical.

Attack Vector

Attackers exploit CVE-2026-0257 by targeting exposed GlobalProtect VPN portals and gateways, bypassing authentication controls to create unauthorized VPN sessions. Observed indicators of compromise (IOCs) include IP addresses such as 23.128.228.6, 104.207.144.154, and 146.19.216.119, as well as device identifiers like WINDOWS-LAPTOP-001 and DESKTOP-GP01. The threat actor requires network access to the VPN portal or gateway but does not need valid credentials. No evidence of lateral movement or privilege escalation has been detected so far.

Who Is at Risk

All organizations running vulnerable versions of Palo Alto Networks PAN-OS with GlobalProtect VPN portals or gateways exposed to the internet are at risk. Confirmed affected entities include Palo Alto Networks customers and U.S. Federal Civilian Executive Branch agencies. Devices that have been probed or accessed using the identified IOCs should be considered at high risk.

Patch & Mitigate

  • Patch: Apply the official PAN-OS security update addressing CVE-2026-0257 immediately. CISA requires federal agencies to complete mitigation without delay.
  • Workaround: Restrict external access to GlobalProtect VPN portals and gateways where possible until patching is complete.
  • Detect: Review VPN logs for unauthorized session creation, especially from the listed IOCs and unusual device names (e.g., WINDOWS-LAPTOP-001, GP-CLIENT). Monitor for unexpected authentication events and access patterns.
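
One way to run the log review from the Detect step, as an added example (not code from this article or from Palo Alto Networks). The CSV column names, event labels and sample rows are constructed assumptions; only the IOC IP addresses and device names come from the article.

```python
import csv
import io
import ipaddress

# Indicators copied from the article above.
IOC_IPS = {ipaddress.ip_address(a) for a in
           ("23.128.228.6", "104.207.144.154", "146.19.216.119")}
IOC_DEVICES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}

# Constructed sample export. Column names and event labels are assumptions;
# map them to the fields your GlobalProtect log export or SIEM provides.
SAMPLE_LOG = """\
time,event,status,src_ip,user,machine
2026-06-10T02:14:07Z,session-start,success,23.128.228.6,jdoe,WINDOWS-LAPTOP-001
2026-06-10T02:15:40Z,login,failure,203.0.113.50,asmith,FIN-LT-0421
2026-06-10T08:01:12Z,session-start,success,198.51.100.23,asmith,FIN-LT-0421
2026-06-10T09:30:55Z,session-start,success,198.51.100.77,blee,desktop-gp01
2026-06-10T11:02:03Z,login,failure,146.19.216.119,admin,OPS-SRV-02
"""

def find_ioc_events(log_text):
    """Return one dict per log row that matches an IOC from the article.

    kind is "session" for an established session and "probe" for anything
    else, since the article treats probed devices as high risk too.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        try:
            if ipaddress.ip_address(row["src_ip"].strip()) in IOC_IPS:
                reasons.append("ioc_ip")
        except ValueError:
            pass  # malformed address: fall through to the device check
        # Device names are compared case-insensitively.
        if row["machine"].strip().upper() in IOC_DEVICES:
            reasons.append("ioc_device")
        if reasons:
            kind = "session" if row["status"].strip().lower() == "success" else "probe"
            hits.append({"time": row["time"], "src_ip": row["src_ip"],
                         "machine": row["machine"], "kind": kind,
                         "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_ioc_events(SAMPLE_LOG):
        print(hit["kind"], hit["time"], hit["src_ip"], hit["machine"], hit["reasons"])
```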

MITRE ATT&CK

  • TA0001 — Initial Access: Attackers gain entry by exploiting exposed VPN infrastructure.
  • TA0003 — Persistence: Unauthorized VPN sessions may provide ongoing access until credentials or sessions are revoked.

Source: https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html
