UNIT 42
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Strategic summary
Unit 42 observed active exploitation of the PAN-OS vulnerability CVE-2026-0257, which allows an authentication bypass in GlobalProtect. The vulnerability has been added to the Known Exploited Vulnerabilities catalog, but no lateral movement or post-access activity has been detected so far. Organizations should hunt for provided indicators, activate incident response for successful connections, and apply available patches or workarounds.
Key findings
- Active exploitation of CVE-2026-0257 enables unauthorized VPN connections via GlobalProtect
- No lateral movement observed yet, only a small number of successful connections noted
- Suspicious host IDs and device names (e.g., aa:bb:cc:dd:ee:ff, WINDOWS-LAPTOP-001) and specific IP addresses identified as IoCs
- Post-PoC monitoring required for hardcoded client values like 'Microsoft Windows 10 Pro 64-bit' and empty domain
- Recommendation: Review logs, patch or mitigate vulnerability, use Cortex Xpanse to identify exposed systems