PAN-OS GlobalProtect CVE-2026-0257 exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
A CVE-2026-0257 exploitation wave is hitting Palo Alto Networks PAN-OS GlobalProtect appliances, creating unauthorized VPN access risk for multiple customers. Rapid7 said the activity came in two waves starting May 18 and May 21, likely from the same actor, and it observed successful exploitation via forged cookies. CISA added the flaw to the KEV Catalog, and federal civilian agencies must patch by June 1.
Related Happenings
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
How related:
Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit -
About this happening:
Palo Alto Networks is urging GlobalProtect customers to search logs for successful gateway-connected events tied to CVE-2026-0257, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationHow related: Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit -
About this happening: Palo Alto Networks is urging GlobalProtect customers to search logs for successful gateway-connected events tied to CVE-2026-0257, a step that can expose possible unau...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation Wave
H score47
First: 08.06.2026 17:17
Last: 08.06.2026 17:17
Sources 1
About this happening:
CVE-2026-50751 is an active exploitation wave against Check Point Remote Access VPN and Mobile Access deployments that use deprecated IKEv1. The flaw is an a...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation WaveAbout this happening: CVE-2026-50751 is an active exploitation wave against Check Point Remote Access VPN and Mobile Access deployments that use deprecated IKEv1. The flaw is an a...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
Vulnerability
H score47
First: 08.06.2026 16:05
Last: 08.06.2026 16:05
Sources 1
About this happening:
Check Point warned that CVE-2026-50751 is a critical authentication bypass in Remote Access VPN and Mobile Access deployments using deprecated IKEv1, letti...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
VulnerabilityAbout this happening: Check Point warned that CVE-2026-50751 is a critical authentication bypass in Remote Access VPN and Mobile Access deployments using deprecated IKEv1, letti...
CISA KEV order for SolarWinds Serv-U CVE-2026-28318
Public Sector Action
H score50
First: 06.06.2026 11:14
Last: 06.06.2026 11:14
Sources 1
About this happening:
CISA added CVE-2026-28318 affecting SolarWinds Serv-U to the KEV catalog and ordered FCEB agencies to remediate it by June 19, 2026. The directive expands...
CISA KEV order for SolarWinds Serv-U CVE-2026-28318
Public Sector ActionAbout this happening: CISA added CVE-2026-28318 affecting SolarWinds Serv-U to the KEV catalog and ordered FCEB agencies to remediate it by June 19, 2026. The directive expands...
Magento exploitation wave for CVE-2026-45247
Exploitation Wave
H score9
First: 04.06.2026 10:19
Last: 04.06.2026 10:19
Sources 1
About this happening:
Active exploitation of CVE-2026-45247 is hitting Mirasvit Cache Warmer on Magento stores, with malicious requests carrying serialized PHP payloads that can lead to r...
Magento exploitation wave for CVE-2026-45247
Exploitation WaveAbout this happening: Active exploitation of CVE-2026-45247 is hitting Mirasvit Cache Warmer on Magento stores, with malicious requests carrying serialized PHP payloads that can lead to r...
Timeline
-
01.06.2026 11:30 1 articles · 1mo ago
Forged-cookie exploitation begins against Palo Alto Networks PAN-OS GlobalProtect
Exploitation ObservedRapid7 said the first exploitation wave against Palo Alto Networks PAN-OS GlobalProtect appliances began on May 18, using authentication probes with forged cookies to bypass the GlobalProtect portal and gateway and gain unauthorized VPN access on affected devices.
Show sources
- Palo Alto Warns High-Severity Bug Is Being Actively Exploited — www.infosecurity-magazine.com — 01.06.2026 11:30
-
01.06.2026 11:30 1 articles · 1mo ago
Second forged-cookie exploitation wave hits Palo Alto Networks PAN-OS GlobalProtect
Exploitation ObservedRapid7 said a second exploitation wave against Palo Alto Networks PAN-OS GlobalProtect appliances began on May 21 and again used forged cookies against the affected GlobalProtect portal and gateway.
Show sources
- Palo Alto Warns High-Severity Bug Is Being Actively Exploited — www.infosecurity-magazine.com — 01.06.2026 11:30
-
01.06.2026 11:30 3 articles · 1mo ago
Palo Alto Networks warns of active CVE-2026-0257 exploitation and CISA adds it to KEV
Initial DisclosurePalo Alto Networks said it had become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied after publishing the update on May 13, while Rapid7 said CVE-2026-0257 had been exploited in two waves across multiple customers, with VPN IP assignment following cookie authentication and 8 out of 10 impacted MDR customers accepting the cookie without a full VPN session. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities Catalog and required federal civilian agencies to patch it by June 1.
Show sources
- Palo Alto Warns High-Severity Bug Is Being Actively Exploited — www.infosecurity-magazine.com — 01.06.2026 11:30
- Palo Alto Warns High-Severity Bug Is Being Actively Exploited — www.infosecurity-magazine.com — 01.06.2026 11:30
- Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw — thehackernews.com — 15.06.2026 09:17