CISA warns of active exploitation of PAN-OS GlobalProtect flaw CVE-2026-0257, enabling VPN auth bypass on vulnerable firewalls.

Continue reading
A high-severity authentication bypass vulnerability in PAN-OS GlobalProtect has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation.
The flaw, tracked as CVE-2026-0257, impacts Palo Alto Networks firewalls running vulnerable PAN-OS versions and can allow unauthenticated attackers to establish unauthorized VPN connections under specific configurations. Palo Alto Networks confirmed the issue in a security advisory published on May 13, 2026.
The vulnerability affects organizations using GlobalProtect Portal or Gateway with authentication override cookies enabled alongside a particular certificate configuration. Panorama and Cloud NGFW deployments are not impacted, according to the vendor.
Palo Alto Networks disclosed CVE-2026-0257 as an authentication bypass vulnerability affecting GlobalProtect, the company's remote-access VPN platform widely deployed across enterprise environments.
According to the vendor, successful exploitation can allow an attacker to bypass security restrictions and establish an unauthorized VPN connection without valid authentication credentials. The flaw carries a CVSS score of 7.8.
The issue was publicly disclosed on May 13, 2026, and was later added to CISA's KEV catalogue following reports of exploitation activity.
The vulnerability affects multiple PAN-OS branches, including 10.2, 11.1, 11.2, and 12.1 releases.
According to Palo Alto Networks, vulnerable systems include:
Prisma Access deployments running affected software builds are also exposed.
Palo Alto Networks stated that exploitation requires a specific deployment configuration.
The flaw affects environments where:
The vendor published guidance for administrators to verify whether authentication override cookies are configured within affected deployments.
No evidence has been released indicating mass exploitation or automated worm-like activity. However, CISA's inclusion of the flaw in KEV indicates confirmed exploitation against real-world targets.
The vendor has not publicly released detailed exploit code or a complete root-cause analysis.
The advisory describes the issue as an authentication bypass vulnerability that enables attackers to circumvent security controls and establish unauthorized VPN sessions. Publicly available technical documentation currently focuses on affected configurations and remediation guidance rather than exploit mechanics.
Security researchers have increasingly focused on GlobalProtect attack surfaces throughout 2026 following multiple PAN-OS vulnerabilities affecting authentication services, portals, and edge-facing infrastructure.
A successful bypass of GlobalProtect authentication can provide direct access into protected enterprise networks through legitimate VPN infrastructure.
Because GlobalProtect commonly serves as a trusted remote-access entry point, unauthorized VPN sessions can significantly reduce defensive visibility and provide adversaries with a foothold inside corporate environments.
The exact downstream impact depends on network segmentation, identity controls, privilege assignments, and post-authentication access policies.
Palo Alto Networks released fixed software versions addressing CVE-2026-0257 and urged customers to upgrade immediately.
The company stated that patched releases are available across all affected PAN-OS branches. Administrators are advised to identify exposed GlobalProtect deployments, review authentication override configurations, and apply vendor updates without delay.
Organizations operating internet-facing VPN infrastructure should also review access logs, authentication events, and unusual VPN session activity for indicators of compromise.
The disclosure follows a series of PAN-OS security issues disclosed throughout 2026, including CVE-2026-0227, a GlobalProtect denial-of-service flaw, and CVE-2026-0300, an actively exploited authentication portal remote code execution vulnerability.
Threat intelligence teams have repeatedly observed nation-state and financially motivated actors targeting firewalls, VPN gateways, edge appliances, and identity infrastructure because these systems often provide privileged access into enterprise environments while maintaining lower endpoint visibility.
The addition of CVE-2026-0257 to CISA's KEV catalog reinforces an ongoing trend in which attackers prioritize externally exposed authentication services and VPN infrastructure as initial access vectors. Organizations running GlobalProtect should treat the vulnerability as an urgent remediation priority and verify patch status across all exposed PAN-OS deployments.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.