
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

Jeff Davies 05 Jun 2026 4 min read

Issuer: Adverse Trace Date issued: 2026-06-05 Version: 1.0

1. Executive summary

Active exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS GlobalProtect, has been confirmed by Unit 42 and third-party researchers. The vulnerability allows unauthenticated remote actors to establish VPN sessions by forging authentication override cookies, specifically in environments where HTTPS service certificates and authentication cookies share the same trust context. While post-exploitation lateral movement has not yet been broadly observed, successful initial access grants attackers a foothold inside the network perimeter. EMEA financial institutions must treat this as a critical priority under DORA Article 17 due to the direct risk to network integrity and the presence of this CVE in the CISA Known Exploited Vulnerabilities (KEV) catalog.

2. Regulatory framing

Regulation | Article | Practical impact for financial entities
DORA | Art. 17 | Mandates immediate implementation of patching/mitigation strategies for identified vulnerabilities with known active exploitation.
DORA | Art. 19 | Requires logging and monitoring of the specific GlobalProtect authentication events and IP addresses listed in Section 5.
DORA | Art. 28-30 | Triggers potential ICT incident reporting obligations if successful exploitation leads to data compromise or service disruption.
NIS2 | Art. 21(2)(d) | Requires supply chain security measures; entities must verify whether their PAN-OS versions are patched given the vendor's urgent advisory.
NIS2 | Art. 23 | Mandates notification to competent authorities if the exploitation results in a significant incident affecting service continuity.

3. Attack chain

  1. Reconnaissance: Attacker identifies internet-facing PAN-OS devices running vulnerable versions with GlobalProtect enabled.
  2. Exploitation: Attacker generates a forged authentication override cookie. This is successful where the device configuration uses the same certificate for HTTPS services and authentication override cookies.
  3. Initial Access: Attacker submits the forged cookie to the GlobalProtect portal/gateway, bypassing authentication controls.
  4. Session Establishment: The firewall accepts the cookie as legitimate, establishing an unauthorized VPN session and assigning an internal VPN IP address to the attacker.

Unconfirmed steps: While Rapid7 and Unit 42 have confirmed successful VPN session establishment across multiple customer environments, there is currently no confirmed evidence of widespread post-exploitation lateral movement or data exfiltration in the investigated incidents. However, the capability for lateral movement exists once the VPN tunnel is established. Attribution remains unknown; no specific threat actor group has been definitively linked to these campaigns.

4. Recommended actions

P1: Within 24 Hours (Immediate Containment & Hunting)

  • Patch/Mitigate: Upgrade PAN-OS to a fixed version immediately. If patching is not instantly feasible, apply the workaround specified in the Palo Alto Networks security advisory (disabling GlobalProtect or restricting management access) if operationally viable.
  • Log Hunting: Query GlobalProtect logs (GLOBALPROTECT subsystem) for successful gateway-auth or portal-auth events matching the IOCs in Section 5.
  • Search Query Logic: Filter for event_subtype equal to login AND status equal to success AND (src_ip IN [IOC List] OR host_id IN [Suspicious Host IDs]).
  • Session Termination: Immediately terminate any active VPN sessions associated with the identified IOCs or with unknown source_user_info.
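The P1 search query logic above, implemented as a hunting script. This is an added example, not code from the brief, Unit 42 or Palo Alto Networks. The record layout is constructed to mirror the field names the brief uses in its filter (event_subtype, status, src_ip, host_id, source_user_info); it is not the real PAN-OS log export format, and the timestamps, private IPs and benign hosts are invented. The IOC values are the Section 5 entries, refanged for exact matching.

```python
"""Hunt GlobalProtect login records for the Section 5 IOCs (P1 hunting step).

Added example, not code from the brief or from Palo Alto Networks. The record
layout is constructed to mirror the brief's query fields (event_subtype,
status, src_ip, host_id, source_user_info); it is not the real PAN-OS export
format, so map your own column names before reuse.
"""

# IOC values copied from Section 5, refanged ("[.]" -> ".") for exact matching.
IOC_SRC_IPS = {
    "23.128.228.6", "104.207.144.154", "146.19.216.119", "146.19.216.120",
    "146.19.216.125", "179.43.172.213", "185.195.232.139", "198.12.106.60",
    "202.144.192.47",
}
SUSPICIOUS_HOST_IDS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPICIOUS_DEVICE_NAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}

# Constructed sample records (timestamps, private IPs and benign hosts are invented).
SAMPLE_RECORDS = [
    # Hit on the brief's P1 filter: successful login from a listed IP and host ID.
    {"time": "2026-06-04T02:13:07Z", "event_subtype": "login", "status": "success",
     "src_ip": "146.19.216.119", "host_id": "AA:BB:CC:DD:EE:FF",
     "device_name": "DESKTOP-GP01", "private_ip": "10.200.0.17",
     "source_user_info": {"user": "svc-test", "domain": ""}},
    # Failed attempt from a listed IP: outside the P1 filter (status != success).
    {"time": "2026-06-04T02:14:51Z", "event_subtype": "login", "status": "failure",
     "src_ip": "23.128.228.6", "host_id": "de:ad:be:ef:00:01",
     "device_name": "GP-CLIENT", "private_ip": "",
     "source_user_info": {"user": "", "domain": ""}},
    # Ordinary staff login: no indicators.
    {"time": "2026-06-04T07:02:10Z", "event_subtype": "login", "status": "success",
     "src_ip": "203.0.113.45", "host_id": "0c:9d:92:11:22:33",
     "device_name": "FIN-LT-0419", "private_ip": "10.200.0.18",
     "source_user_info": {"user": "a.smith", "domain": "CORP"}},
    # Logout from a listed IP: not a login, so not a P1 hit on its own.
    {"time": "2026-06-04T07:30:00Z", "event_subtype": "logout", "status": "success",
     "src_ip": "104.207.144.154", "host_id": "de:ad:be:ef:00:02",
     "device_name": "FIN-LT-0420", "private_ip": "10.200.0.20",
     "source_user_info": {"user": "b.jones", "domain": "CORP"}},
    # Unlisted IP but medium-confidence traits: listed device name, empty user/domain.
    {"time": "2026-06-04T09:45:33Z", "event_subtype": "login", "status": "success",
     "src_ip": "198.51.100.7", "host_id": "de:ad:be:ef:00:03",
     "device_name": "GP-CLIENT", "private_ip": "10.200.0.19",
     "source_user_info": {"user": "", "domain": ""}},
]


def is_successful_login(rec):
    """event_subtype == login AND status == success (the first half of the P1 filter)."""
    return rec.get("event_subtype") == "login" and rec.get("status") == "success"


def p1_match(rec):
    """The brief's P1 query: successful login AND (src_ip IN [IOC List] OR
    host_id IN [Suspicious Host IDs]). Returns the reasons that matched."""
    if not is_successful_login(rec):
        return []
    reasons = []
    if rec.get("src_ip") in IOC_SRC_IPS:
        reasons.append(f"src_ip {rec['src_ip']} in Section 5 IOC list")
    if (rec.get("host_id") or "").lower() in SUSPICIOUS_HOST_IDS:
        reasons.append(f"host_id {rec['host_id']} in suspicious host IDs")
    return reasons


def medium_indicators(rec):
    """Section 5's medium-confidence values, checked only on successful logins."""
    reasons = []
    if rec.get("device_name") in SUSPICIOUS_DEVICE_NAMES:
        reasons.append(f"device_name {rec['device_name']} listed in Section 5")
    info = rec.get("source_user_info") or {}
    if not info.get("user"):
        reasons.append("source_user_info.user empty (unknown user)")
    if not info.get("domain"):
        reasons.append("source_user_info.domain empty")
    return reasons


def hunt(records):
    """Return one finding per successful login that carries any indicator."""
    findings = []
    for rec in records:
        if not is_successful_login(rec):
            continue
        high = p1_match(rec)
        medium = medium_indicators(rec)
        if not high and not medium:
            continue
        findings.append({
            "time": rec.get("time"),
            "src_ip": rec.get("src_ip"),
            "private_ip": rec.get("private_ip"),
            "user": (rec.get("source_user_info") or {}).get("user", ""),
            "confidence": "high" if high else "medium",
            "reasons": high + medium,
        })
    return findings


def sessions_to_terminate(findings):
    """P1 session termination: high-confidence hits plus sessions with an unknown user."""
    return sorted({f["private_ip"] for f in findings
                   if f["confidence"] == "high" or not f["user"]})


if __name__ == "__main__":
    results = hunt(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['time']} {f['confidence']:6} src={f['src_ip']} vpn_ip={f['private_ip']} "
              + "; ".join(f["reasons"]))
    print("terminate:", sessions_to_terminate(results))
```

Two caveats follow from the sample data. The brief's filter deliberately keys on successful logins, so a failed attempt or a later logout from a listed IP produces no hit on its own; if the login itself falls outside the retained log window, widen the query to every event from the Section 5 addresses. Host IDs are compared case-insensitively because MAC-style identifiers are logged in mixed case by different clients.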

P2: Within 72 Hours (Validation & Hardening)

  • Configuration Review: Verify whether Cloud Authentication Service (CAS) is disabled and whether the same certificate is used for HTTPS services and authentication override cookies. Decouple these certificates if possible to reduce blast radius.
  • Network Segmentation: Review firewall rules for hosts that successfully established VPN connections via GlobalProtect. Ensure strict segmentation limits lateral movement from the VPN zone to critical database or transaction zones.
  • Credential Reset: Force a password reset for any local admin accounts that show signs of cookie-based authentication in the logs.

P3: Within 7 Days (Resilience & Reporting)

  • Incident Reporting: If hunting confirms successful unauthorized access, initiate internal incident response procedures and prepare notifications for competent authorities under DORA Article 28 and NIS2 Article 23.
  • Supply Chain Audit: Confirm patch levels of all third-party managed PAN-OS instances within the organization's ecosystem.

5. Indicators of compromise

Type | Value | Confidence | Source
IP Address | 23.128.228[.]6 | High | Unit 42 / Palo Alto Networks
IP Address | 104.207.144[.]154 | High | Unit 42 / Rapid7
IP Address | 146.19.216[.]119 | High | Unit 42
IP Address | 146.19.216[.]120 | High | Unit 42
IP Address | 146.19.216[.]125 | High | Unit 42
IP Address | 179.43.172[.]213 | High | Unit 42
IP Address | 185.195.232[.]139 | High | Unit 42
IP Address | 198.12.106[.]60 | High | Unit 42
IP Address | 202.144.192[.]47 | High | Unit 42
Host ID / MAC | aa:bb:cc:dd:ee:ff | High | Unit 42 / Rapid7
Host ID / MAC | 00:11:22:33:44:55 | Medium | Unit 42
Device Name | WINDOWS-LAPTOP-001 | Medium | Unit 42
Device Name | DESKTOP-GP01 | Medium | Unit 42
Device Name | GP-CLIENT | Medium | Unit 42
Config Value | endpoint_os_version: "Microsoft Windows 10 Pro 64-bit" (in PoC context) | Medium | Unit 42
Config Value | source_user_info.domain: empty | Medium | Unit 42

6. Sources

  • Palo Alto Networks Unit 42, "Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257", https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/, 2026-06-05.
  • SecurityWeek, "Recent Palo Alto Networks Vulnerability Exploited for Weeks", https://www.securityweek.com/recent-palo-alto-networks-vulnerability-exploited-for-weeks/, 2026-06-05.
  • BleepingComputer, "Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks", https://www.bleepingcomputer.com/news/security/palo-alto-globalprotect-vpn-auth-bypass-flaw-now-exploited-in-attacks/, 2026-06-05.
  • The Hacker News, "PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation", https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html, 2026-05-XX.
  • The Register, "Palo Alto VPN bug graduates from advisory to active exploitation", https://www.theregister.com/cyber-crime/2026/06/01/palo-alto-vpn-bug-graduates-from-advisory-to-active-exploitation/5249114, 2026-06-01.
  • Rapid7, "Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)", https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257, 2026-06-XX.

7. Adverse Trace position

Adverse Trace assesses the severity of CVE-2026-0257 as Critical for EMEA financial services, overriding the initial "Medium" CVSS score assigned by the vendor, due to confirmed active exploitation and its inclusion in the CISA KEV catalog. The risk is compounded by the vulnerability's location in the network perimeter (GlobalProtect), allowing unauthenticated access to internal resources. While lateral movement is not yet universally confirmed, the establishment of unauthorized VPN sessions constitutes a material breach of network integrity. We expect exploitation attempts to increase rapidly against unpatched estates. Clients must prioritize immediate patching or mitigation over routine maintenance windows.


Published via PulseTrace — Adverse Trace threat intelligence.