Skip to content
Auto-CTI
Back to all deep dives
UNIT 42

Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

Strategic summary

Unit 42 observed active exploitation of the PAN-OS vulnerability CVE-2026-0257, which allows an authentication bypass in GlobalProtect. The vulnerability has been added to the Known Exploited Vulnerabilities catalog, but no lateral movement or post-access activity has been detected so far. Organizations should hunt for provided indicators, activate incident response for successful connections, and apply available patches or workarounds.

Key findings

  • Active exploitation of CVE-2026-0257 enables unauthorized VPN connections via GlobalProtect
  • No lateral movement observed yet, only a small number of successful connections noted
  • Suspicious host IDs and device names (e.g., aa:bb:cc:dd:ee:ff, WINDOWS-LAPTOP-001) and specific IP addresses identified as IoCs
  • Post-PoC monitoring required for hardcoded client values like 'Microsoft Windows 10 Pro 64-bit' and empty domain
  • Recommendation: Review logs, patch or mitigate vulnerability, use Cortex Xpanse to identify exposed systems
ESC