
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score 35
1 unique source, 1 article

Summary


Palo Alto Networks is urging GlobalProtect customers to search logs for successful gateway-connected events tied to CVE-2026-0257, a step that can reveal possible unauthorized VPN access. The search targets events whose client configuration values match the hard-coded values used in a proof-of-concept (PoC) exploit. The flaw is an authentication bypass in PAN-OS portal and gateway components, and the company says it has seen active exploitation in limited attacks. Reviewing logs now can help operators determine whether their environments were accessed through this flaw.

Related Happenings

PAN-OS GlobalProtect CVE-2026-0257 exploitation wave

Exploitation Wave
H score 18 · First: 01.06.2026 11:30 · Last: 01.06.2026 11:30 · Sources: 1

How related: Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals.

About this happening: A **CVE-2026-0257** exploitation wave is hitting **Palo Alto Networks PAN-OS GlobalProtect** appliances, creating **unauthorized VPN access** risk for **multiple customers**. **Ra...

PAN-OS / Prisma Access GlobalProtect authentication bypass (CVE-2026-0257, actively exploited)

Vulnerability
H score 20 · First: 30.05.2026 09:41 · Last: 30.05.2026 09:41 · Sources: 1

How related: Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals.

About this happening: **PAN-OS** and **Prisma Access** are affected by **CVE-2026-0257**, an **authentication bypass** in the **GlobalProtect portal and gateway** that can let attackers establish an **...

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
H score 60 · First: 14.05.2026 23:09 · Last: 14.05.2026 23:09 · Sources: 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

PAN-OS User-ID Authentication Portal buffer overflow actively exploited security flaw (CVE-2026-0300)

Vulnerability
H score 41 · First: 06.05.2026 07:46 · Last: 06.05.2026 07:46 · Sources: 1

About this happening: A **PAN-OS** **buffer overflow** in the **User-ID Authentication Portal** is being **actively exploited**, creating **unauthenticated root RCE** risk for **PA and VM series firewa...

TP-Link router authenticated command injection (CVE-2023-33538)

Vulnerability
H score 39 · First: 20.04.2026 10:50 · Last: 20.04.2026 10:50 · Sources: 1

About this happening: **CVE-2023-33538** in **discontinued TP-Link routers** is still being probed, leaving exposed devices at risk of **arbitrary command execution** and **denial of service** if attac...

Timeline

  1. 15.06.2026 09:17 1 article · 2h ago

    Unknown threat actor exploits CVE-2026-0257 to access GlobalProtect portals

    Exploitation Observed

    Unknown threat actor exploited CVE-2026-0257, an authentication bypass in PAN-OS portal and gateway components, to obtain unauthorized access to GlobalProtect portals and initiate VPN connections. Palo Alto Networks said only a small portion of probed devices established VPN sessions and that no post-access behavior or lateral movement had been identified.

  2. 15.06.2026 09:17 2 articles · 2h ago

    Palo Alto Networks releases GlobalProtect IoCs and log-search guidance for CVE-2026-0257

    Detection IoC Update

    Palo Alto Networks urged customers to search GlobalProtect logs for successful gateway-connected events matching hard-coded client configuration values from a PoC exploit, and it released related IoCs including IP addresses, host names, MAC addresses, and the client setting `endpoint_os_version : Microsoft Windows 10 Pro 64-bit`. The same report says CISA added CVE-2026-0257 to its KEV catalog and ordered FCEB agencies to mitigate the flaw by June 1, 2026.
