Arctic Wolf Observes an Increase in Palo Alto Networks GlobalProtect Authentication Bypass Exploitation via CVE-2026-0257
Arctic Wolf Labs · 2026-06-11 · via Arctic Wolf

Key Takeaways

  • Arctic Wolf observed a wave of CVE-2026-0257 exploitation activity in late May and early June 2026, following the publication of working exploit code and technical details about the vulnerability. The campaign is still ongoing as of this publication.
  • Successful exploitation requires specific configuration conditions, including GlobalProtect portal or gateway exposure, authentication override cookies, and reuse or exposure of the certificate used for those cookies.
  • Initial malicious activity consisted of suspicious cookie-based GlobalProtect administrative login activity from virtual private server hosting infrastructure.
  • In intrusions that progressed beyond initial authentication bypass, threat actors established IPsec tunnels and quickly generated internal SMB and NTLM activity consistent with Impacket-based reconnaissance from the assigned VPN client address.

Summary

In late May and early June 2026, Arctic Wolf began observing increased exploitation of CVE-2026-0257, a high-severity authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect and Prisma Access.

The increase in CVE-2026-0257 exploitation began on May 30, 2026, following a smaller initial wave that had taken place between May 17 and May 21. Initial exploitation activity was consistent in some respects with the behavior initially reported by Rapid7, where a variable number of authentication failures were followed by successful authentication. In contrast with the original cluster of activity Rapid7 described, Arctic Wolf observed a set of intrusions with follow-on Impacket activity soon after VPN tunnel establishment.

Arctic Wolf is sharing technical details from this campaign to help defenders identify similar activity and hunt for related indicators of compromise in PAN-OS deployments.

Background

CVE-2026-0257 is an authentication bypass vulnerability that allows remote, unauthenticated threat actors to forge GlobalProtect authentication override cookies and establish unauthorized VPN sessions when three configuration conditions are met:

  1. GlobalProtect portal or gateway is enabled.
  2. Authentication override cookies are enabled. Authentication override cookies are an optional GlobalProtect feature that allow previously authenticated users to reconnect without re-entering credentials for a configured time period.
  3. The certificate used for authentication override cookies is reused or exposed in another context. For example, if the same certificate is used for the GlobalProtect portal or gateway HTTPS service, a remote attacker may be able to retrieve the public certificate and use it to forge authentication override cookies that the appliance accepts.

CVE-2026-0257 was first publicly disclosed by Palo Alto Networks on May 13, 2026, via a security advisory. The vulnerability was initially assigned a CVSS score of 4.7 (medium). However, on May 29, 2026, after Rapid7 published its technical analysis and a working proof-of-concept script, Palo Alto Networks revised the CVSS score upward to 7.8 (high). That same day, CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities (KEV) catalog.

Technical details

Campaign Characteristics

In May 2026, the initial wave of suspicious cookie-based admin login activity from virtual private server (VPS) hosting providers appears to have begun on the 17th, with low volume continuing until the 21st. During this phase of the campaign, suspicious login activity was tied to two IP addresses: 104.207.144[.]154 and 179.43.172[.]213. These two IP addresses were not observed again following the 21st.

The next wave of exploitation began on May 30, 2026, with a notable uptick in activity. The source infrastructure used throughout this phase was broad, spanning numerous ASNs, including DigitalOcean, The Constant Company, Hivelocity, Clouvider, BL Networks, M247, Frantech Solutions, and others.

Figure 1: Suspicious admin logins on GlobalProtect devices from VPS hosting IP space between May 17, 2026 and June 9, 2026.

Exploitation was observed across a variety of sectors, including insurance, finance, manufacturing, education, engineering, and healthcare. Impacted organizations were located in Europe and North America, with the heaviest concentration in the United States. The pattern of exploitation showed signs of being opportunistic, with successful logins spanning hundreds of devices in an assortment of sectors rather than being limited to narrow targeting criteria.

Observed activity primarily targeted the admin account. Additionally, we identified kali as a device name artifact, which strongly suggested the direct use of Kali Linux offensive tooling by at least a subset of the operators involved in this campaign. Additional device names included generic DESKTOP- prefixed names, GP-CLIENT, and several others. In contrast with the earlier activity observed by Rapid7, MAC spoofing was not consistently observed across all intrusions.

Suspicious Cookie-Based GlobalProtect Authentication

The exploitation activity observed across multiple intrusions followed a consistent sequence of events that was similar to Rapid7’s published proof-of-concept behavior.

The broadest pattern observed by Arctic Wolf was successful suspicious cookie-based authentication against GlobalProtect portals and gateways, predominantly from VPS hosting providers. The activity often included combinations of the following GlobalProtect events:

  • portal-prelogin success
  • gateway-prelogin success
  • portal-auth failure
  • saml-client-redirect
  • gateway-auth success
  • portal-auth success

In some instances, authentication failures were caused by cookie handling errors such as Cannot decrypt cookie, followed quickly by successful cookie-based authentication. However, this error message was not universally observed across all intrusions.

In several cases, the activity included repeated authentication failures interspersed with SAML redirection events prior to eventual authentication success. This behavior suggested iterative authentication attempts or manipulation of the authentication workflow before successful session establishment.

However, successful GlobalProtect authentication events alone did not necessarily mean threat actors proceeded to move laterally within victim environments. Where follow-on activity occurred, it typically involved tunnel establishment and assignment of a client IP address.

VPN Session Establishment

While threat actors generated successful authentication activity, only a subset of observed intrusions progressed beyond authentication activity into full VPN session establishment.

In cases of successful authentication, additional gateway and tunnel establishment events typically followed, including:

  • portal-getconfig success
  • gateway-getconfig success
  • gateway-register success
  • gateway-setup-ipsec success
  • gateway-hip-check success
  • gateway-connected success

These events indicated that the client successfully authenticated to the GlobalProtect gateway and established a functional VPN tunnel, resulting in network-level access to the internal environment.

Figure 2: Event sequence from a representative intrusion with successful VPN tunnel establishment. (NOTE: The remote IP address shown here belongs to the attacker.)

In a representative intrusion, within a few seconds, the same remote IP generated a cookie-based portal-auth failure with Cannot decrypt cookie, successfully authenticated as admin, retrieved portal and gateway configuration, registered with the gateway, and completed gateway-setup-ipsec before reaching gateway-connected.

In some instances we observed gateway-setup-ssl failure events from suspicious IP addresses. Palo Alto Networks documentation states that GlobalProtect clients preferentially attempt IPsec tunnel establishment and may automatically fall back to SSL VPN transport if IPsec negotiation fails or is unavailable. However, we did not identify any successful SSL-VPN connection across the activity we reviewed; the successfully established tunnels we observed were limited to IPsec.

Post-Compromise

In a subset of investigated intrusions, successful VPN session establishment was quickly followed by an SMB session setup request and automated internal SMB reconnaissance consistent with Impacket tooling. The threat actor conducted limited internal network scanning, including network share enumeration and domain user discovery. In some instances, the SMB activity followed GlobalProtect gateway-connected events within a minute.

In situations where follow-on activities occurred, affected hosts initiated rapid SMB authentication and session negotiation activity. The authentication traffic leveraged NTLM negotiation and repeatedly attempted access using the admin account, likely intended to identify reachable systems and test potential authentication pathways within the environment.

Figure 3: A selection of NTLM authentication events in rapid succession from a representative intrusion.

In some environments, within minutes of a gateway-connected event, internal network discovery was conducted, including NTLM anonymous logon attempts consistent with host and service discovery.

Despite evidence of successful post-authentication access in a handful of intrusions, observed follow-on activity remained limited. Across investigated cases, the activity did not progress substantially beyond the initial SMB session setup and lightweight reconnaissance behavior commonly associated with Impacket tooling.

Arctic Wolf identified and disrupted the activity before the threat actors could establish persistence or conduct broader post-compromise operations within affected environments.

Notably, this post-exploitation activity differed from the majority of observed intrusion attempts, which primarily consisted of repeated GlobalProtect authentication failures and limited portal or gateway authentication activity without clear evidence of successful VPN tunnel establishment or subsequent internal network interaction.

Conclusion

The observed activity associated with CVE-2026-0257 demonstrated that, under vulnerable configurations, threat actors were able to successfully interact with and, in some cases, abuse the GlobalProtect authentication workflow to establish unauthorized VPN access.

Across investigated intrusions, most activity was limited to repeated authentication attempts and intermittent successful portal or gateway authentication activity without clear evidence of successful post-authentication operations. However, a smaller subset of intrusions progressed further into authenticated VPN session establishment and limited internal network interaction.

In cases where VPN connectivity was successfully established, Arctic Wolf observed immediate follow-on activity consistent with Impacket tooling, including SMB session setup requests, NTLM anonymous logon activity, network share enumeration, and limited domain user discovery. The rapid transition from VPN session establishment to internal reconnaissance strongly suggested the threat actors intended to leverage unauthorized VPN access as an initial foothold for subsequent post-compromise operations.

For defenders, the priority should be to identify which suspicious GlobalProtect sessions from IP space associated with VPS hosting became working tunnels and then determine what those tunnel IPs did next. Arctic Wolf has detections in place for the activities observed in this campaign through our Managed Detection and Response service.

How Arctic Wolf Protects Its Customers

Arctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly to protect our customers. We have leveraged threat intelligence around this campaign to enhance detections in the Arctic Wolf® Managed Detection and Response (MDR) service, subject to the customer environment and available telemetry. Customers in scope of this campaign have been notified; detections and response recommendations have been deployed to affected accounts.

As we track this campaign and discover new information, we may further refine our detections to account for additional indicators of compromise (IOCs) and techniques leveraged by the threat actors behind this malicious activity.

Detection Guidance

GlobalProtect Authentication Plane

Defenders should focus on authentication anomalies combined with unexpected VPN session establishment from non-corporate infrastructure. These are the earliest high-signal indicators.

  • CVE-2026-0257 exploitation signals:
    • Cookie decryption error followed immediately by successful authentication in the same session.
    • Failed authentication attempt (cookie error) immediately preceding a clean authentication success.
  • Suspicious authentication activity:
    • Successful GlobalProtect logins as admin or other privileged accounts from VPS hosting provider ASNs.
    • Logins from Tor exit nodes, VPS IP addresses, or unfamiliar geographies.
    • Authentication events from machine names including GP-CLIENT, DESKTOP-GP01, or kali.
    • Connections using spoofed MAC address aa:bb:cc:dd:ee:ff.

Post-Exploitation Behavior

Focus on rapid automated activity immediately following VPN session establishment.

  • Anomalous authentication and enumeration activity:
    • Signs of Impacket or suspicious NTLM activity following VPN session establishment.
    • Rapid SMB authentication attempts against multiple hosts.
    • NTLM anonymous logon attempts from VPN-assigned IPs.

Network Monitoring

Focus on source IP infrastructure and session characteristics that deviate from expected corporate VPN usage.

  • High-signal source indicators:
    • Successful authentication from known VPS hosting provider ASNs.
    • Connections from Tor exit nodes (e.g., AS60729, AS215125).
  • Session characteristics:
    • Kali Linux or browser-based client fingerprints in VPN connection logs.
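The authentication-plane and post-exploitation signals above, together with the defender priority stated in the Conclusion (which suspicious sessions became tunnels, and what the tunnel IPs did next), can be expressed as a small correlation over GlobalProtect and internal NTLM telemetry. This is an added example, not Arctic Wolf detection content; the simplified record layout, the field names, the 60-second and 5-minute windows, and the sample events are all assumptions constructed for illustration and must be mapped to your own log exporter.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, event, status, public_ip, user, machine, error="", private_ip=""):
    """One simplified GlobalProtect event; the field names are assumptions, map them to your exporter."""
    return dict(locals(), ts=datetime.fromisoformat(ts))
# Constructed sample mirroring the Figure 2 sequence (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real indicators): one source in VPS space plus one ordinary user.
GP_EVENTS = [
    ev("2026-06-02T14:01:03", "portal-prelogin", "success", "203.0.113.7", "", "kali"),
    ev("2026-06-02T14:01:04", "portal-auth", "failure", "203.0.113.7", "admin", "kali", "Cannot decrypt cookie"),
    ev("2026-06-02T14:01:06", "portal-auth", "success", "203.0.113.7", "admin", "kali"),
    ev("2026-06-02T14:01:09", "gateway-setup-ipsec", "success", "203.0.113.7", "admin", "kali"),
    ev("2026-06-02T14:01:10", "gateway-connected", "success", "203.0.113.7", "admin", "kali", private_ip="10.20.0.55"),
    ev("2026-06-02T14:05:00", "portal-auth", "success", "198.51.100.20", "jdoe", "LAPTOP-JDOE"),
    ev("2026-06-02T14:05:04", "gateway-connected", "success", "198.51.100.20", "jdoe", "LAPTOP-JDOE", private_ip="10.20.0.56"),
]
# Constructed internal NTLM telemetry as (time, client_ip, account, target host).
NTLM_EVENTS = [
    ("2026-06-02T14:01:40", "10.20.0.55", "ANONYMOUS LOGON", "FS01"),
    ("2026-06-02T14:01:41", "10.20.0.55", "admin", "DC01"),
    ("2026-06-02T14:01:42", "10.20.0.55", "admin", "FS02"),
    ("2026-06-02T14:40:00", "10.20.0.56", "jdoe", "FS01"),
]
SUSPICIOUS_MACHINES = {"kali", "gp-client", "desktop-gp01"}  # device names listed in the report
AUTH_EVENTS = {"portal-auth", "gateway-auth"}
FAIL_TO_SUCCESS = timedelta(seconds=60)  # cookie error -> clean success (assumed window)
TUNNEL_TO_NTLM = timedelta(minutes=5)    # gateway-connected -> internal NTLM (assumed window)
def find_suspicious_sessions(events):
    """Group events per source IP and flag the authentication-plane signals from the guidance."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["public_ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        reasons, tunnel = set(), None
        for i, e in enumerate(evs):
            # Cookie decryption failure followed within the window by a clean authentication success
            if e["event"] in AUTH_EVENTS and e["status"] == "failure" and "decrypt cookie" in e["error"].lower():
                if any(n["event"] in AUTH_EVENTS and n["status"] == "success"
                       and n["ts"] - e["ts"] <= FAIL_TO_SUCCESS for n in evs[i + 1:]):
                    reasons.add("cookie-error-then-success")
            if e["machine"].lower() in SUSPICIOUS_MACHINES:
                reasons.add("suspicious-machine-name")
            if e["event"] == "gateway-connected" and e["status"] == "success":
                tunnel = e  # the session became a working tunnel; keep the assigned client IP
        if reasons:
            findings[ip] = {"reasons": sorted(reasons), "tunnel": tunnel,
                            "users": sorted({e["user"] for e in evs if e["user"]})}
    return findings

def post_tunnel_activity(findings, ntlm_events):
    """For flagged sessions that got a tunnel, summarise NTLM activity from the assigned client IP."""
    out = {}
    for ip, f in findings.items():
        t = f["tunnel"]
        if t is None:
            continue
        hits = [(acct, host) for ts, src, acct, host in ntlm_events if src == t["private_ip"]
                and timedelta(0) <= datetime.fromisoformat(ts) - t["ts"] <= TUNNEL_TO_NTLM]
        out[ip] = {"private_ip": t["private_ip"], "ntlm_count": len(hits), "targets": sorted({h for _, h in hits}),
                   "anonymous_logon": any(a.upper() == "ANONYMOUS LOGON" for a, _ in hits)}
    return out
```

Only sessions that both show an authentication-plane signal and reach gateway-connected are carried into the second stage, so the ordinary user's tunnel and later file-share activity are never surfaced.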

Appendix

For additional Appendix sections referenced in this report, please see our public GitHub repository.

Legal disclaimer: Attribution reflects Arctic Wolf Labs’ assessment as of the report period and may evolve with new evidence. References to threat actor identity, nexus, and intent are analytical judgments, not statements of legal fact. This alert is provided for informational purposes only and does not constitute a guarantee of detection or prevention. Defensive effectiveness varies by environment, configuration, and available telemetry. 

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.