# [CRIT] Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 **Source:** Unit 42 (Palo Alto) **Published:** 2026-06-09 **Article:** https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/ ## Threat Profile Threat Research Center High Profile Threats Vulnerabilities Vulnerabilities Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 2 min read Related Products Advanced URL Filtering Cortex Cortex Xpanse GlobalProtect Next-Generation Firewall By: Andy Piazza Unit 42 Published: June 5, 2026 Categories: High Profile Threats Vulnerabilities Tags: CVE-2026-0257 Vulnerability Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an uniden… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-0257` - **IPv4 (defanged):** `23.128.228.6` - **IPv4 (defanged):** `104.207.144.154` - **IPv4 (defanged):** `146.19.216.119` - **IPv4 (defanged):** `146.19.216.120` - **IPv4 (defanged):** `146.19.216.125` - **IPv4 (defanged):** `179.43.172.213` - **IPv4 (defanged):** `185.195.232.139` - **IPv4 (defanged):** `198.12.106.60` - **IPv4 (defanged):** `202.144.192.47` ## MITRE ATT&CK Techniques - **T1071.001** — Web Protocols - **T1071.004** — DNS - **T1071** — Application Layer Protocol - **T1190** — Exploit Public-Facing Application - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1059.001** — PowerShell - **T1027** — Obfuscated Files or Information - **T1219** — Remote Access Software - **T1133** — External Remote Services - **T1078** — Valid Accounts - **T1556** — Modify Authentication Process ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### GlobalProtect successful login from CVE-2026-0257 pre-PoC exploitation IPs `UC_126_6` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where Network_Traffic.All_Traffic.app="panos-global-protect" Network_Traffic.All_Traffic.action="allowed" Network_Traffic.All_Traffic.src IN ("23.128.228.6","104.207.144.154","146.19.216.119","146.19.216.120","146.19.216.125","179.43.172.213","185.195.232.139","198.12.106.60","202.144.192.47") by Network_Traffic.All_Traffic.src Network_Traffic.All_Traffic.dest Network_Traffic.All_Traffic.user Network_Traffic.All_Traffic.dest_port | `drop_dm_object_name("Network_Traffic.All_Traffic")` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteIP in ("23.128.228.6","104.207.144.154","146.19.216.119","146.19.216.120","146.19.216.125","179.43.172.213","185.195.232.139","198.12.106.60","202.144.192.47") or LocalIP in ("23.128.228.6","104.207.144.154","146.19.216.119","146.19.216.120","146.19.216.125","179.43.172.213","185.195.232.139","198.12.106.60","202.144.192.47") | project Timestamp, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### GlobalProtect connection with PoC-spoofed host-ID, MAC, or device name `UC_126_7` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl `pan_globalprotect` (event_id="gateway-connected" OR event_id="GlobalProtect connected" OR log_subtype="gateway-connect") (host_id="aa:bb:cc:dd:ee:ff" OR host_id="00:11:22:33:44:55" OR machine_name="WINDOWS-LAPTOP-001" OR machine_name="DESKTOP-GP01" OR machine_name="GP-CLIENT" OR src_host="WINDOWS-LAPTOP-001" OR src_host="DESKTOP-GP01" OR src_host="GP-CLIENT") | stats earliest(_time) as firstTime latest(_time) as lastTime values(src_ip) as src_ips values(src_user) as users values(host_id) as host_ids values(machine_name) as machines count by src_user | convert ctime(firstTime) ctime(lastTime) | where count >= 1 ``` **Defender KQL:** ```kql DeviceInfo | where Timestamp > ago(30d) | summarize LastSeen = max(Timestamp), DeviceCount = dcount(DeviceId) by DeviceName | where DeviceName in~ ("WINDOWS-LAPTOP-001","DESKTOP-GP01","GP-CLIENT") | project DeviceName, LastSeen, DeviceCount ``` ### GlobalProtect connection with PoC client fingerprint: Win10 Pro 64-bit + empty d `UC_126_8` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl `pan_globalprotect` (event_id="gateway-connected" OR event_id="GlobalProtect connected" OR log_subtype="gateway-connect") endpoint_os_version="Microsoft Windows 10 Pro 64-bit" (source_user_info.domain="" OR NOT source_user_info.domain=*) | stats earliest(_time) as firstTime latest(_time) as lastTime values(src_ip) as src_ips values(host_id) as host_ids values(machine_name) as machines count by src_user endpoint_os_version | convert ctime(firstTime) ctime(lastTime) | where count >= 1 ``` **Defender KQL:** ```kql DeviceInfo | where Timestamp > ago(7d) | where OSPlatform =~ "Windows10" and OSVersion has "Pro" | where isempty(LoggedOnUsers) or LoggedOnUsers !has "domain" | summarize LastSeen = max(Timestamp) by DeviceId, DeviceName, OSPlatform, OSVersion, JoinType | where JoinType !in~ ("AzureAD","Hybrid","Domain") | project LastSeen, DeviceName, OSPlatform, OSVersion, JoinType ``` ### Beaconing — periodic outbound to small set of destinations `UC_BEACONING` · phase: **c2** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal" by _time span=10s, All_Traffic.src, All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | streamstats current=f last(_time) AS prev_time by src, dest | eval delta = _time - prev_time | stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest | where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600 | sort - count ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(1d) | where RemoteIPType == "Public" and ActionType == "ConnectionSuccess" | project DeviceName, RemoteIP, RemotePort, Timestamp | sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc | extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1), prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1) | where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port | extend delta_sec = datetime_diff('second', Timestamp, prev_ts) | summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec) by DeviceName, RemoteIP, RemotePort | where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0 | order by conn_count desc ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ### PowerShell encoded / obfuscated command `UC_PS_OBFUSCATED` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("powershell.exe","pwsh.exe") AND (Processes.process="*-enc *" OR Processes.process="*EncodedCommand*" OR Processes.process="*FromBase64String*" OR Processes.process="*-nop*" OR Processes.process="*-w hidden*" OR Processes.process="*Invoke-Expression*" OR Processes.process="*IEX(*" OR Processes.process="*DownloadString*" OR Processes.process="*Net.WebClient*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("powershell.exe","pwsh.exe") | where ProcessCommandLine matches regex @"(?i)(-enc|encodedcommand|frombase64string|-nop|-w\s+hidden|invoke-expression|iex\s*\(|downloadstring|net\.webclient)" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ``` ### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard `UC_RMM_TOOLS` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe") or FileName matches regex @"(?i)kaseya.*\.exe" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `23.128.228.6`, `104.207.144.154`, `146.19.216.119`, `146.19.216.120`, `146.19.216.125`, `179.43.172.213`, `185.195.232.139`, `198.12.106.60` _(+1 more)_ - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-0257` ## Why this matters Severity classified as **CRIT** based on: CVE present, IOCs present, 9 use case(s) fired, 12 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.