
Palo Alto Confirms Active Exploitation of CVE-2026-0257 in GlobalProtect Portals Since May 17
Active exploitation of PAN-OS CVE-2026-0257 began 17 May with nine tracked IPs and PoC artifacts. CISA ordered federal mitigation by June 1 while Palo Alto reports minimal post-access activity. Pattern matches prior VPN gateway targeting for access persistence.
Palo Alto observed nine IPs probing GlobalProtect portals and gateways; only a subset completed sessions, and those sessions used hardcoded client values, including empty domain fields and specific MAC addresses such as aa:bb:cc:dd:ee:ff. No lateral movement or post-access activity has been detected in the initial wave. The flaw permits unauthorized VPN initiation without valid credentials, affecting widely deployed enterprise portals.
CISA added the CVE to its Known Exploited Vulnerabilities catalog and mandated FCEB mitigation by 1 June 2026. Procurement records show GlobalProtect remains standard in federal and defense contractor networks despite prior PAN-OS gateway issues. The limited session success rate suggests attackers are testing reach rather than mass compromise, consistent with pre-positioning patterns seen in other VPN supply chains.
Independent verification of the listed IoCs against public scan datasets shows consistent targeting of exposed portals rather than random noise. Official statements stop at unknown actor status; contract and incident data indicate repeated focus on VPN perimeters by actors seeking persistent remote access. Agencies that delayed patching after the KEV listing face elevated risk of undetected gateway-connected events.
Customers must audit GlobalProtect logs for the listed endpoint_os_version strings and MACs immediately. Next indicators will likely surface in procurement-driven telemetry from managed service providers rather than public disclosures.
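The log audit described above, as an added example that is not part of the original report or of any Palo Alto tooling: it flags GlobalProtect session records that carry the hardcoded-client indicators (a listed MAC, a listed endpoint_os_version string, or an empty domain on a completed session). The CSV column layout, the sample rows, and the PLACEHOLDER_OS_VERSION value are all constructed assumptions; substitute the vendor's published IoC strings and your export's real field names before use.

```python
import csv
import io

# Constructed sample in a simplified CSV layout (an assumption; not the real
# PAN-OS GlobalProtect log format): src_ip,user,domain,client_mac,endpoint_os_version,status
SAMPLE_LOG = """\
src_ip,user,domain,client_mac,endpoint_os_version,status
203.0.113.10,jdoe,CORP,00:11:22:33:44:55,Windows 11,success
198.51.100.7,,,aa:bb:cc:dd:ee:ff,PLACEHOLDER_OS_VERSION,success
198.51.100.7,,,aa:bb:cc:dd:ee:ff,PLACEHOLDER_OS_VERSION,failure
203.0.113.22,asmith,CORP,66:77:88:99:aa:bb,macOS 14.4,success
"""

# aa:bb:cc:dd:ee:ff is the MAC quoted in the report; the endpoint_os_version
# entry is a placeholder standing in for the vendor's listed strings.
IOC_MACS = {"aa:bb:cc:dd:ee:ff"}
IOC_OS_VERSIONS = {"PLACEHOLDER_OS_VERSION"}


def match_session(row):
    """Return the list of IoC conditions a single log row satisfies."""
    reasons = []
    if row["client_mac"].lower() in IOC_MACS:
        reasons.append("ioc_mac")
    if row["endpoint_os_version"] in IOC_OS_VERSIONS:
        reasons.append("ioc_os_version")
    # A completed session with an empty domain is the hardcoded-client
    # pattern the report describes, so it is flagged even without a MAC hit.
    if row["domain"] == "" and row["status"] == "success":
        reasons.append("empty_domain_success")
    return reasons


def scan_log(text):
    """Return (src_ip, status, reasons) for every row matching at least one IoC."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = match_session(row)
        if reasons:
            hits.append((row["src_ip"], row["status"], reasons))
    return hits


def successful_ioc_sources(text):
    """Distinct source IPs that completed a session while matching an IoC."""
    return sorted({ip for ip, status, _ in scan_log(text) if status == "success"})


if __name__ == "__main__":
    for ip, status, reasons in scan_log(SAMPLE_LOG):
        print(ip, status, ", ".join(reasons))
```

Successful matches are the ones to escalate first, since the report notes that only a subset of probing sources completed sessions.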
CISA: At least five FCEB agencies will report successful unauthorized GlobalProtect sessions tied to these IoCs by 31 August 2026.
Sources (3)
- [1] [Primary Source](https://security.paloaltonetworks.com/CVE-2026-0257)
- [2] [Supporting Source](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [3] [Supporting Source](https://www.cisa.gov/sites/default/files/feeds/2026-05-20-kev.json)