Unit 42 Reports Active Exploitation of PAN-OS CVE-2026-0257 Authentication Bypass Vulnerability

Active Exploitation of Critical PAN-OS Auth Bypass (CVE-2026-0257) Detected in the Wild

CRITICAL
June 6, 2026
6m read
Vulnerability, Cyberattack, Patch Management

Related Entities

Organizations: (none listed)

Products & Tech: GlobalProtect, PAN-OS, Cortex Xpanse

CVE Identifiers: CVE-2026-0257 (CRITICAL)

Full Report

Executive Summary

An unidentified threat actor is actively exploiting CVE-2026-0257, a critical authentication bypass vulnerability in Palo Alto Networks' PAN-OS software. The flaw resides in the GlobalProtect portal and gateway components and allows an unauthenticated, remote attacker to bypass authentication and establish a VPN session. Because of confirmed in-the-wild exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Unit 42 reports that while attackers are successfully probing devices and establishing VPN sessions, no subsequent lateral movement has been observed yet. However, the initial access gained is a significant foothold that could lead to broader network compromise. All organizations using affected PAN-OS versions are strongly advised to apply patches or recommended mitigations immediately and proactively hunt for signs of exploitation.


Vulnerability Details

CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect features of PAN-OS. The source does not describe the root cause in detail; what it does state is that an attacker can send a specially crafted request to a vulnerable GlobalProtect gateway or portal and be granted a valid VPN session without presenting any credentials. For the VPN service, this renders the configured authentication controls ineffective.

The attack is network-based and requires no user interaction. An attacker needs only network reachability to the vulnerable GlobalProtect interface, and because portals and gateways exist to serve remote users they are normally internet-facing, so the exposed population is large.

Affected Systems

This vulnerability affects multiple versions of PAN-OS software where the GlobalProtect gateway or portal is configured. Organizations must consult the official Palo Alto Networks security advisory for the definitive list of affected product versions and platforms. Key affected products include:

  • PAN-OS firewalls
  • Panorama M-Series or virtual appliances
  • GlobalProtect cloud service

Exploitation Status

Active, in-the-wild exploitation has been confirmed by Unit 42 and other security firms like Rapid7. The activity began prior to the public release of a Proof-of-Concept (PoC) exploit, with a notable increase in scanning and exploitation attempts after the PoC became available around May 29, 2026. The inclusion of CVE-2026-0257 in the CISA KEV catalog on May 29, 2026, underscores the urgency and widespread nature of the threat.

Impact Assessment

Successful exploitation of CVE-2026-0257 grants an attacker an authenticated session on the corporate VPN. This provides a trusted entry point into the internal network, bypassing a critical layer of perimeter defense. The business impact could be severe, including:

  • Initial Access: Attackers gain a foothold within the network, from which they can conduct reconnaissance and plan further attacks.
  • Data Exfiltration: Once inside, attackers can potentially access and steal sensitive corporate data, intellectual property, and customer information.
  • Lateral Movement: The VPN access can be used as a launchpad for lateral movement to other systems, deployment of malware, or ransomware attacks.
  • Reputational Damage: A breach originating from a compromised security appliance can lead to significant loss of customer trust and reputational harm.

While Unit 42 has not yet observed post-access behavior, security teams must assume that attackers will leverage this access for malicious purposes.

IOCs — Directly from Articles

The source article advises searching for specific indicators but does not provide a concrete list of IPs, domains, or hashes. Organizations are advised to monitor for suspicious patterns as described in the detection section.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns that could indicate related activity:

Type            | Value                            | Description
Log Event       | gateway-connected                | Search GlobalProtect logs for successful connections from unusual or non-corporate IP addresses.
Log Pattern     | Suspicious Host IDs/Device Names | Monitor for login events with unusual client device names, especially those matching patterns from public PoC tools.
Network Traffic | Anomalous Data Transfer          | Monitor VPN sessions for unusual data transfer volumes or connections to known malicious destinations.
Log Source      | GlobalProtect Logs               | Ensure logging is enabled and ingested into a SIEM for correlation and analysis.

Detection & Response

Security Operations Centers (SOCs) should immediately implement detection rules and hunting queries to identify exploitation of CVE-2026-0257.

  1. Log Analysis (D3-LPA):

    • Query GlobalProtect logs for successful gateway-connected events.
    • Scrutinize the source IP, username (if available), and device name for any anomalies.
    • Create alerts for successful connections from IPs with no prior history of connecting to the VPN.
    • Look for connections that use hard-coded client configuration values found in public PoC code.
  2. Network Traffic Analysis (D3-NTA):

    • Monitor traffic to and from the GlobalProtect portal and gateway interfaces (the exposed service, not only the device management interface). Baseline normal traffic patterns and alert on deviations.
    • Use attack surface management tooling such as Palo Alto Networks Cortex Xpanse to enumerate every publicly exposed PAN-OS GlobalProtect portal and gateway, including ones not in the asset inventory.
  3. Incident Response:

    • If a successful exploitation is identified, immediately activate incident response protocols.
    • Isolate the affected device if possible.
    • Terminate the suspicious VPN session.
    • Preserve logs and forensic artifacts from the firewall.
    • Begin an internal investigation to determine if any post-exploitation activity occurred.
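The log-analysis hunt described in the steps above, written out as an added example that is not code from the Unit 42 brief or from this article. It parses a constructed, simplified GlobalProtect log export (the column names, users, IPs and host IDs are assumptions; a real PAN-OS export carries many more fields and its layout depends on the PAN-OS version) and flags successful gateway-connected events from first-seen source IPs, sessions with an empty username, and client attributes that match placeholder PoC markers. The PoC marker values are placeholders: the article says to match hard-coded client values from public PoC code but lists none.

```python
"""Hunt over GlobalProtect 'gateway-connected' events for the patterns the
article describes: first-seen source IPs, successful sessions with a missing
username, and client attributes matching known PoC fingerprints.

Added example, not code from the Unit 42 brief or this article. The CSV
below is a constructed, simplified export; map your own export's headers
before reusing this.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export (not real telemetry). Columns are a subset of the
# GlobalProtect log fields: event id, status, source user, client public IP,
# machine name, host id and client version.
SAMPLE_LOG = """\
receive_time,eventid,status,srcuser,public_ip,machinename,hostid,client_ver
2026/06/05 08:02:11,gateway-connected,success,alice@corp.example,198.51.100.23,ALICE-LAPTOP,h-alice-01,6.2.3
2026/06/05 08:05:40,gateway-connected,success,,203.0.113.77,WIN-TESTBOX,00000000-0000-0000-0000-000000000000,6.0.0
2026/06/05 08:06:02,gateway-connected,success,bob@corp.example,198.51.100.24,BOB-LAPTOP,h-bob-01,6.2.3
2026/06/05 08:09:15,gateway-connected,failure,,203.0.113.78,,,6.0.0
2026/06/05 08:11:59,gateway-connected,success,,203.0.113.77,WIN-TESTBOX,00000000-0000-0000-0000-000000000000,6.0.0
2026/06/05 08:30:01,gateway-connected,success,carol@corp.example,192.0.2.250,CAROL-MAC,h-carol-01,6.2.3
"""

# Baselines. Assumed here; in practice build them from 30+ days of prior
# GlobalProtect history (office egress ranges, IPs each user has used before).
KNOWN_GOOD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
PREVIOUSLY_SEEN_IPS = {"198.51.100.23", "198.51.100.24"}

# PoC fingerprints. Placeholders only: replace with values taken from your own
# analysis of the public PoC; the article names none.
POC_MARKERS = {
    "hostids": {"00000000-0000-0000-0000-000000000000"},
    "machinename_substrings": ("testbox",),
}


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per log row."""
    return list(csv.DictReader(io.StringIO(text)))


def score_event(ev, seen_ips, known_nets, poc_markers):
    """Return the reasons a successful gateway connection looks suspicious.
    An empty list means nothing matched or the row is not a successful connect."""
    if ev["eventid"] != "gateway-connected" or ev["status"] != "success":
        return []
    reasons = []
    ip = ipaddress.ip_address(ev["public_ip"])
    if ev["public_ip"] not in seen_ips and not any(ip in net for net in known_nets):
        reasons.append("first-seen public IP")
    # An auth bypass may yield a session with no legitimate user attached.
    if not ev["srcuser"].strip():
        reasons.append("successful session with empty username")
    if (ev["hostid"] in poc_markers["hostids"]
            or any(m in ev["machinename"].lower() for m in poc_markers["machinename_substrings"])):
        reasons.append("client attributes match PoC marker")
    return reasons


def hunt(text, seen_ips=PREVIOUSLY_SEEN_IPS, known_nets=KNOWN_GOOD_NETWORKS, poc_markers=POC_MARKERS):
    """Score every row; return the flagged rows, most indicators first."""
    hits = []
    for ev in parse_events(text):
        reasons = score_event(ev, seen_ips, known_nets, poc_markers)
        if reasons:
            hits.append({
                "time": ev["receive_time"],
                "public_ip": ev["public_ip"],
                "srcuser": ev["srcuser"] or "<none>",
                "machinename": ev["machinename"],
                "reasons": reasons,
            })
    # Rows matching several indicators at once go to the top of the queue.
    hits.sort(key=lambda h: len(h["reasons"]), reverse=True)
    return hits


def repeat_sources(hits):
    """Count flagged connections per source IP; repeated sessions from one
    first-seen IP are a stronger signal than a single connection."""
    return Counter(h["public_ip"] for h in hits)


if __name__ == "__main__":
    flagged = hunt(SAMPLE_LOG)
    for h in flagged:
        print(h["time"], h["public_ip"], h["srcuser"], h["machinename"], "; ".join(h["reasons"]))
    print(repeat_sources(flagged))
```

On the constructed sample the two sessions from 203.0.113.77 score on all three indicators and sort to the top, while the legitimate user connecting from a new address is flagged once (first-seen IP) and lands at the bottom, which is the triage order an analyst wants. The failed connection attempt is ignored by design: probing is worth counting separately, but only successful sessions represent the foothold the article describes.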

Mitigation

Immediate action is required to mitigate this vulnerability. Organizations should prioritize the following steps:

  1. Patching (D3-SU): The most effective mitigation is to upgrade to a fixed PAN-OS release as listed in the Palo Alto Networks security advisory. This should be the top priority. (MITRE ATT&CK M1051, Update Software)

  2. Apply Workarounds: If patching is not immediately feasible, apply the workarounds and mitigations provided by Palo Alto Networks. These may involve configuration changes that restrict access to, or disable, specific GlobalProtect features; treat them as temporary and still schedule the upgrade. (M1054, Software Configuration)

  3. Restrict Access (D3-ITF): Limit access to the GlobalProtect portal and gateway interfaces to trusted source IP ranges where the user population allows it, and never expose the device management interface to the internet. Note that GlobalProtect portals and gateways are normally reachable from arbitrary remote networks by design, so a strict allow-list is only practical for deployments with known user egress ranges; where it is not, patching carries the full weight. (M1035, Limit Access to Resource Over Network)

  4. Enable Threat Prevention: Use Palo Alto Networks Threat Prevention signatures and threat-intelligence-driven blocklists to block known malicious source IPs associated with this activity. The source article publishes no IOC list, so these blocklists must come from vendor or sharing-community feeds. (M1031, Network Intrusion Prevention)

Timeline of Events

  1. May 29, 2026: CVE-2026-0257 is added to the CISA Known Exploited Vulnerabilities (KEV) catalog following the availability of a public PoC.
  2. June 5, 2026: Unit 42 publishes a threat brief confirming active exploitation of CVE-2026-0257 in the wild.
  3. June 6, 2026: This article is published.

MITRE ATT&CK Mitigations

  • M1051 - Update Software: Apply the security patches provided by Palo Alto Networks to fix the vulnerability in PAN-OS. Mapped D3FEND Technique: D3-SU (Software Update).
  • M1035 - Limit Access to Resource Over Network: Restrict network access to the GlobalProtect portal and gateway interfaces from the internet; allow access only from trusted IP address ranges. Mapped D3FEND Technique: D3-ITF (Inbound Traffic Filtering).
  • M1047 - Audit: Enable and monitor detailed logs for GlobalProtect connections to detect anomalous or unauthorized access attempts.
  • M1031 - Network Intrusion Prevention: Use IPS/IDS signatures and threat intelligence feeds to detect and block traffic associated with exploitation of this vulnerability.

D3FEND Defensive Countermeasures

Immediately prioritize the deployment of patched PAN-OS versions provided by Palo Alto Networks. This is the most effective defense against CVE-2026-0257. Create a risk-based deployment plan, starting with internet-facing GlobalProtect gateways, which are at the highest risk. Establish a testing protocol in a staging environment to ensure the patch does not disrupt business operations, but accelerate the emergency change control process due to the active exploitation. Use asset management systems and tools like Cortex Xpanse to ensure all vulnerable instances are identified and tracked through the patching lifecycle. Verify successful patching by checking the PAN-OS version on each device post-deployment. If patching is delayed, this technique's objective must be met with compensating controls.
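One way to carry out the verification step above (checking the PAN-OS version on each device after deployment), as an added example that is not from the article or from Palo Alto Networks. It reads the sw-version element from the XML the PAN-OS XML API returns for the show system info operational command and compares it with the minimum fixed release for that maintenance train, handling the -hN hotfix suffix. The API responses are constructed, and the fixed-version table is a placeholder to be replaced with the versions in the vendor advisory.

```python
"""Verify fleet patch status from PAN-OS 'show system info' output.

Added example, not from the article or Palo Alto Networks. It parses the XML
the PAN-OS XML API returns for <show><system><info/></system></show> (the
<sw-version> element under <result><system>) and compares each version with
the minimum fixed release for its train. The fixed-version table is a
PLACEHOLDER: take the real values from the Palo Alto Networks advisory. The
XML responses are constructed, not captured from devices.
"""
import re
import xml.etree.ElementTree as ET

# PLACEHOLDER: minimum fixed release per maintenance train. Not the advisory's
# values; replace with the list published for CVE-2026-0257.
EXAMPLE_FIXED_BY_TRAIN = {
    "11.2": "11.2.3",
    "11.1": "11.1.4-h7",
    "10.2": "10.2.10-h3",
}

# Constructed API responses, trimmed to the elements this check reads.
SAMPLE_RESPONSES = {
    "fw-edge-1": '<response status="success"><result><system><hostname>fw-edge-1</hostname><sw-version>11.1.4-h7</sw-version></system></result></response>',
    "fw-edge-2": '<response status="success"><result><system><hostname>fw-edge-2</hostname><sw-version>11.1.4-h2</sw-version></system></result></response>',
    "fw-branch-3": '<response status="success"><result><system><hostname>fw-branch-3</hostname><sw-version>10.2.11</sw-version></system></result></response>',
    "fw-lab-4": '<response status="success"><result><system><hostname>fw-lab-4</hostname><sw-version>10.1.9</sw-version></system></result></response>',
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version):
    """'11.1.4-h7' -> (11, 1, 4, 7). A release with no hotfix gets hotfix 0,
    so 11.1.4 sorts below 11.1.4-h1. Unexpected formats (for example
    candidate builds) raise ValueError and should be reviewed by hand."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_patched(version, fixed_by_train):
    """True if version >= the fixed release of its train, False if below,
    None if the train has no entry (end-of-life or not in the table)."""
    parsed = parse_panos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in fixed_by_train:
        return None
    return parsed >= parse_panos_version(fixed_by_train[train])


def sw_version_from_response(xml_text):
    """Extract <sw-version> from a 'show system info' API response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call did not succeed")
    node = root.find("./result/system/sw-version")
    if node is None or not node.text:
        raise RuntimeError("no sw-version in response")
    return node.text.strip()


def check_fleet(responses, fixed_by_train):
    """Return {device: (version, status)} with status 'patched', 'VULNERABLE'
    or 'unknown-train' so unpatched edge devices can be queued first."""
    report = {}
    for device, xml_text in responses.items():
        version = sw_version_from_response(xml_text)
        result = is_patched(version, fixed_by_train)
        status = "patched" if result else ("unknown-train" if result is None else "VULNERABLE")
        report[device] = (version, status)
    return report


if __name__ == "__main__":
    for device, (version, status) in check_fleet(SAMPLE_RESPONSES, EXAMPLE_FIXED_BY_TRAIN).items():
        print(f"{device:12s} {version:12s} {status}")
```

The hotfix-aware comparison matters because a device on 11.1.4-h2 reports the same base release as one on 11.1.4-h7 and a naive string or three-part numeric check would mark both as patched. The unknown-train result is deliberately not treated as patched: a device on a train absent from the advisory table is either end-of-life or outside the table's coverage, and both cases need a human decision rather than a green checkmark.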

As a compensating control, strictly filter inbound traffic to the GlobalProtect portal and gateway interfaces, and keep the device management interface off the internet entirely. Where the remote-user population connects from known ranges, implement an explicit allow-list that permits only specific, trusted source addresses, such as corporate offices or security team jump boxes, and deny everything else by default. This shrinks the attack surface by keeping attackers from reaching the vulnerable endpoint. Apply the filtering at the network edge, upstream of the PAN-OS device if possible, or through security policies on the device itself, and audit the rules regularly so they do not drift toward permissive. Bear in mind that most GlobalProtect deployments exist precisely to admit users from arbitrary networks; where an allow-list is not workable, this control cannot substitute for patching.

Configure robust monitoring and alerting on GlobalProtect connection logs. Ingest PAN-OS logs into a centralized SIEM. Develop detection rules that specifically look for successful 'gateway-connected' events that originate from unexpected IP addresses or geolocations. Establish a baseline of normal VPN activity and alert on deviations, such as connections outside of normal business hours or from countries where you have no employees. Correlate successful logins with threat intelligence feeds. Since the exploit bypasses authentication, the resulting session may lack a legitimate username; monitor for sessions with unusual or missing user attributes. This active monitoring is crucial for detecting a breach quickly if prevention fails.

Sources & References

Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Unit 42 (unit42.paloaltonetworks.com) June 5, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2026-0257, PAN-OS, GlobalProtect, Authentication Bypass, VPN, Active Exploitation, KEV
