HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Active Exploitation of PAN‑OS Authentication Bypass (CVE‑2026‑0257) Threatens GlobalProtect VPNs

Palo Alto Networks’ PAN‑OS authentication‑bypass flaw (CVE‑2026‑0257) is being actively exploited to create unauthorized GlobalProtect VPN connections. The issue impacts any organization using vulnerable PAN‑OS firewalls, creating a supply‑chain risk for third‑party risk managers.

LiveThreat™ Intelligence · 📅 June 06, 2026· 📰 unit42.paloaltonetworks.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
unit42.paloaltonetworks.com

Active Exploitation of PAN‑OS Authentication Bypass (CVE‑2026‑0257) Threatens GlobalProtect VPNs

What It Is – Palo Alto Networks’ PAN‑OS contains an authentication‑bypass flaw in the portal and gateway components (CVE‑2026‑0257). The vulnerability lets an unauthenticated actor establish a GlobalProtect VPN session and bypass security controls.

Exploitability – Unit 42 observed active exploitation in the wild; proof‑of‑concept code is publicly referenced and the CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. No public CVSS score is yet published, but the active‑exploitation status and potential for full network access merit a High severity rating.

Affected Products – PAN‑OS versions prior to the vendor‑released fix (all GlobalProtect‑enabled firewalls and portals).

TPRM Impact – Organizations that rely on Palo Alto firewalls as a security control or VPN gateway face a supply‑chain risk: an attacker can gain direct, encrypted access to internal resources, potentially bypassing downstream security tooling and exposing data.

Recommended Actions

  • Upgrade all PAN‑OS devices to the version that includes the CVE‑2026‑0257 fix.
  • Apply the vendor‑provided workarounds (e.g., restrict portal access, enforce MFA on GlobalProtect).
  • Hunt for the listed IOCs (IP addresses, MACs, hostnames) in GlobalProtect logs and trigger incident response for any matches.
  • Deploy Cortex Xpanse or similar external‑attack‑surface tools to identify exposed gateways.
  • Review and tighten VPN segmentation and least‑privilege access policies.

Source: Palo Alto Unit 42 Threat Brief – Active Exploitation of PAN‑OS CVE‑2026‑0257

📰 Original Source
https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →