# [CRIT] Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw **Source:** The Hacker News **Published:** 2026-06-15 **Article:** https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html ## Threat Profile Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw  Ravie Lakshmanan  Jun 15, 2026 Vulnerability / VPN Security Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals. The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software t… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-0257` - **IPv4 (defanged):** `23.128.228.6` - **IPv4 (defanged):** `104.207.144.154` - **IPv4 (defanged):** `146.19.216.119` - **IPv4 (defanged):** `146.19.216.120` - **IPv4 (defanged):** `146.19.216.125` - **IPv4 (defanged):** `179.43.172.213` - **IPv4 (defanged):** `185.195.232.139` - **IPv4 (defanged):** `198.12.106.60` - **IPv4 (defanged):** `202.144.192.47` ## MITRE ATT&CK Techniques - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1190** — Exploit Public-Facing Application - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1219** — Remote Access Software - **T1071** — Application Layer Protocol - **T1133** — External Remote Services - **T1036** — Masquerading ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### CVE-2026-0257 GlobalProtect PoC Client-Config Signature (Win10 Pro 64-bit + empty domain) `UC_66_5` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl `pan_globalprotect` event_type=gateway-connected endpoint_os_version="Microsoft Windows 10 Pro 64-bit" | eval domain_empty=if(isnull(source_user_info_domain) OR source_user_info_domain="" OR source_user_info_domain="-" OR source_user_info_domain=="empty", 1, 0) | where domain_empty=1 | stats min(_time) as firstTime max(_time) as lastTime count values(public_ip) as public_ip values(source_user) as source_user values(machinename) as machinename by src_ip endpoint_os_version source_user_info_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` ### GlobalProtect Gateway/Portal Traffic From CVE-2026-0257 Attack Infrastructure IPs `UC_66_6` · phase: **delivery** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port values(All_Traffic.app) as app from datamodel=Network_Traffic where (All_Traffic.src in ("23.128.228.6","104.207.144.154","146.19.216.119","146.19.216.120","146.19.216.125","179.43.172.213","185.195.232.139","198.12.106.60","202.144.192.47") OR All_Traffic.dest in ("23.128.228.6","104.207.144.154","146.19.216.119","146.19.216.120","146.19.216.125","179.43.172.213","185.195.232.139","198.12.106.60","202.144.192.47")) by All_Traffic.src All_Traffic.dest All_Traffic.action All_Traffic.user | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql let MaliciousIPs = dynamic(['23.128.228.6','104.207.144.154','146.19.216.119','146.19.216.120','146.19.216.125','179.43.172.213','185.195.232.139','198.12.106.60','202.144.192.47']); DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteIP in (MaliciousIPs) or LocalIP in (MaliciousIPs) | project Timestamp, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, Protocol, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName | order by Timestamp desc ``` ### GlobalProtect Session With CVE-2026-0257 PoC Default Hostnames (WINDOWS-LAPTOP-001 / DESKTOP-GP01 / GP-CLIENT) `UC_66_7` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl `pan_globalprotect` event_type=gateway-connected (machinename="WINDOWS-LAPTOP-001" OR machinename="DESKTOP-GP01" OR machinename="GP-CLIENT" OR host_id="WINDOWS-LAPTOP-001" OR host_id="DESKTOP-GP01" OR host_id="GP-CLIENT") | stats min(_time) as firstTime max(_time) as lastTime count values(public_ip) as public_ip values(source_user) as source_user values(endpoint_os_version) as endpoint_os_version by machinename src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceInfo | where Timestamp > ago(7d) | where DeviceName in~ ('WINDOWS-LAPTOP-001', 'DESKTOP-GP01', 'GP-CLIENT') | project Timestamp, DeviceId, DeviceName, OSPlatform, OSVersion, PublicIP, LoggedOnUsers, IsAzureADJoined | order by Timestamp desc ``` ### GlobalProtect Session Reporting Vendor-Default Placeholder MAC Address `UC_66_8` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl `pan_globalprotect` event_type=gateway-connected (machine_mac="aa:bb:cc:dd:ee:ff" OR machine_mac="00:11:22:33:44:55" OR mac_address="aa:bb:cc:dd:ee:ff" OR mac_address="00:11:22:33:44:55") | stats min(_time) as firstTime max(_time) as lastTime count values(public_ip) as public_ip values(machinename) as machinename values(source_user) as source_user by machine_mac | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard `UC_RMM_TOOLS` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe") or FileName matches regex @"(?i)kaseya.*\.exe" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-0257` - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `23.128.228.6`, `104.207.144.154`, `146.19.216.119`, `146.19.216.120`, `146.19.216.125`, `179.43.172.213`, `185.195.232.139`, `198.12.106.60` _(+1 more)_ ## Why this matters Severity classified as **CRIT** based on: CVE present, IOCs present, 9 use case(s) fired, 9 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.