PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Enables Unauthorized VPN Access Under Active Exploitation
What It Is – Palo Alto Networks disclosed a medium‑severity authentication bypass flaw in PAN‑OS and Prisma Access (CVE‑2026‑0257). The bug allows an unauthenticated remote user to establish a GlobalProtect VPN tunnel and gain network access as a legitimate client.
Exploitability – Threat intel confirms the vulnerability is being actively exploited in the wild. Public PoCs have surfaced, and the CVSS v3.1 base score is 7.8 (High).
Affected Products – PAN‑OS 10.2.x‑10.3.x, GlobalProtect client, and Prisma Access cloud‑delivered firewall services.
TPRM Impact – Third‑party risk teams must treat any organization that relies on Palo Alto GlobalProtect as a potential attack surface. A compromised VPN can be leveraged to pivot into downstream SaaS, on‑premise systems, or data warehouses, amplifying supply‑chain exposure.
Recommended Actions –
- Verify you are running a patched PAN‑OS version (10.2.12, 10.3.9, or later) and apply the vendor‑released hotfix immediately.
- Enforce MFA for GlobalProtect authentication and disable any legacy authentication methods.
- Review VPN logs for anomalous tunnel creations, especially from unexpected source IPs or geographic regions.
- Conduct a rapid risk assessment of any third‑party services accessed via the VPN to identify lateral movement pathways.
- Update your TPRM inventory to flag Palo Alto Networks as a critical security control and monitor for future advisories.
Source: The Hacker News