惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
IT之家
IT之家
S
SegmentFault 最新的问题
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 司徒正美
J
Java Code Geeks
博客园 - 聂微东
雷峰网
雷峰网
阮一峰的网络日志
阮一峰的网络日志
The Cloudflare Blog
博客园_首页
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 【当耐特】
腾讯CDC
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
宝玉的分享
宝玉的分享
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Hugging Face - Blog
Hugging Face - Blog
月光博客
月光博客
NISL@THU
NISL@THU
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
L
LINUX DO - 热门话题
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
F
Fortinet All Blogs
博客园 - Franky
L
Lohrmann on Cybersecurity
S
Secure Thoughts
量子位
V
Vulnerabilities – Threatpost
Last Week in AI
Last Week in AI
博客园 - 叶小钗
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LINUX DO - 最新话题
I
InfoQ
C
CERT Recently Published Vulnerability Notes
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
G
GRAHAM CLULEY
Cisco Talos Blog
Cisco Talos Blog

Unit 42

TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development No Manners Here: The Ruthless Rise of The Gentlemen Ransomware Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation How We Added WebAuthn to a Browser-Based RDP Client Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration Threat Brief: Mitigating Large-Scale Credential Attacks Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE Inside the Modern SOC: The 72-Minute Race Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered Trust No Skill: Integrity Verification for AI Agent Supply Chains Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility When “Hi, This Is IT” Comes Through Microsoft Teams The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface Out of the Crypt: The Evolving Cyber Extortion Economy Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns Paved With Intent: ROADtools and Nation-State Tactics in the Cloud Tracking TamperedChef Clusters via Certificate and Code Reuse Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years Essential Data Sources for Detection Beyond the Endpoint That AI Extension Helping You Write Emails? It’s Reading Them First TGR-STA-1030: New Activity in Central and South America Frontier AI and the Future of Defense: Your Top Questions Answered Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Andy Piazza, Unit 42 · 2026-06-05 · via Unit 42

Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. This security flaw involves an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS® software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections. This CVE was added to the Known Exploited Vulnerability (KEV) catalog on May 29.

No post-access behavior or lateral movement has been identified as of this time. Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events.

We advise organizations to proactively hunt for the indicators of the activity specified in this report and activate incident response protocols for any successful gateway-connected events linked to these indicators. Additionally, we strongly recommend reviewing the security advisory for CVE-2026-0257, following the available workarounds and mitigations or upgrading to a version that includes a fix for this issue.

For pre-Proof of Concept release (May 29, 2026) activities, search for these IP addresses in GlobalProtect logs to look for successful login connection:

  • 23.128.228[.]6
  • 104.207.144[.]154
  • 146.19.216[.]119
  • 146.19.216[.]120
  • 146.19.216[.]125
  • 179.43.172[.]213
  • 185.195.232[.]139
  • 198.12.106[.]60
  • 202.144.192[.]47

Search GlobalProtect logs for successful gateway-connected events from any IP address using suspicious host IDs or device names, including but not limited to:

  • aa:bb:cc:dd:ee:ff
  • 00:11:22:33:44:55
  • WINDOWS-LAPTOP-001
  • DESKTOP-GP01
  • GP-CLIENT

As part of post-PoC release monitoring, search GlobalProtect logs for successful gateway-connected events matching the following hard-coded client configuration values from the PoC code.

  • endpoint_os_version : Microsoft Windows 10 Pro 64-bit
  • source_user_info.domain : empty

We encourage organizations to consult the official Palo Alto Networks Security Advisory for additional details about the vulnerability, impacted products and configuration guidance. We also recommend reading Rapid7’s technical analysis about the exploitation activity they observed in the wild.

Palo Alto Networks Cortex Xpanse is able to identify publicly exposed PAN-OS gateways and GlobalProtect portals.

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

We will update this threat brief as more relevant information becomes available.

The products listed below can help protect PANW customers against exploits targeting CVE-2026-0257.

Palo Alto Networks Product Protections for PAN-OS CVE-2026-0257

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107
  • South Korea: +82.080.467.8774

Cloud-Delivered Security Services for the Next-Generation Firewall

Advanced URL Filtering can identify known IP addresses associated with this activity as malicious.

Cortex AgentiX

Security analysts can use natural language to prompt the Cortex AgentiX Threat Intel agent to extract file indicators from this threat brief. They can then enrich them, check for sightings in their Cortex tenant and related alerts, and provide a quick summary of the impact to the organization.

Cortex XDR and XSIAM

Cortex XDR and XSIAM provide comprehensive protections for endpoint attacks. It helps block post-exploit activity with its Behavioral Threat Protection, AI-driven local analysis, cloud-based malware analysis and other security engines across Windows, Linux, and Mac systems.

Indicators of the Activity

IP Addresses

  • 23.128.228[.]6
  • 104.207.144[.]154
  • 146.19.216[.]119
  • 146.19.216[.]120
  • 146.19.216[.]125
  • 179.43.172[.]213
  • 185.195.232[.]139
  • 198.12.106[.]60
  • 202.144.192[.]47

Host Names and Mac Addresses

  • aa:bb:cc:dd:ee:ff
  • 00:11:22:33:44:55
  • WINDOWS-LAPTOP-001
  • DESKTOP-GP01
  • GP-CLIENT

Additional Resources

Updated June 9, 2026, at 11:45 a.m. PT to add XDR and XSIAM product coverage language.