Active Exploitation of PAN‑OS Authentication Bypass (CVE‑2026‑0257) Threatens GlobalProtect VPNs
What It Is – Palo Alto Networks’ PAN‑OS contains an authentication‑bypass flaw in the portal and gateway components (CVE‑2026‑0257). The vulnerability lets an unauthenticated actor establish a GlobalProtect VPN session and bypass security controls.
Exploitability – Unit 42 observed active exploitation in the wild; proof‑of‑concept code is publicly referenced and the CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. No public CVSS score is yet published, but the active‑exploitation status and potential for full network access merit a High severity rating.
Affected Products – PAN‑OS versions prior to the vendor‑released fix (all GlobalProtect‑enabled firewalls and portals).
TPRM Impact – Organizations that rely on Palo Alto firewalls as a security control or VPN gateway face a supply‑chain risk: an attacker can gain direct, encrypted access to internal resources, potentially bypassing downstream security tooling and exposing data.
Recommended Actions –
- Upgrade all PAN‑OS devices to the version that includes the CVE‑2026‑0257 fix.
- Apply the vendor‑provided workarounds (e.g., restrict portal access, enforce MFA on GlobalProtect).
- Hunt for the listed IOCs (IP addresses, MACs, hostnames) in GlobalProtect logs and trigger incident response for any matches.
- Deploy Cortex Xpanse or similar external‑attack‑surface tools to identify exposed gateways.
- Review and tighten VPN segmentation and least‑privilege access policies.
Source: Palo Alto Unit 42 Threat Brief – Active Exploitation of PAN‑OS CVE‑2026‑0257