PAN-OS GlobalProtect auth bypass (CVE-2026-0257) [PoC]

Actively exploited in the wild - CVE-2026-0257 is a critical authentication bypass in Palo Alto Networks PAN-OS GlobalProtect portal and gateway that lets unauthenticated attackers establish unauthorized VPN connections. CISA has confirmed active exploitation; apply vendor patches immediately.

Overview

CVE-2026-0257 is a critical vulnerability in Palo Alto Networks PAN-OS software affecting the GlobalProtect portal and gateway components. The flaw allows an unauthenticated attacker to bypass security restrictions and establish a VPN connection without proper credentials. This means an attacker on the network can gain unauthorized access to the protected internal network as if they were a legitimate VPN user.

The vulnerability carries a CVSS score of 9.1 (Critical) with a network attack vector, low attack complexity, and no privileges or user interaction required. Panorama and Cloud NGFW are not impacted.

Impact

Successful exploitation of CVE-2026-0257 enables an attacker to:

• Bypass GlobalProtect authentication mechanisms
• Establish unauthorized VPN tunnels into the protected network
• Gain access to internal resources that would normally be restricted to authenticated VPN users
• Launch further attacks against internal systems from an authenticated VPN session

The low EPSS score (0.1%) suggests exploitation remains targeted rather than widespread automated scanning. However, CISA’s inclusion on the Known Exploited Vulnerabilities catalog indicates active, confirmed in-the-wild attacks.

Affected Products and Remediation

Palo Alto Networks has released security updates for this vulnerability. Specific patched versions vary by PAN-OS release train. Organizations should:

1. Update PAN-OS to the latest patched version immediately for affected GlobalProtect deployments
2. Review vendor advisory for exact version numbers
3. Monitor GlobalProtect logs for unauthorized VPN connections
4. Implement network segmentation to limit lateral movement for any potentially compromised sessions

Apply patches to all PAN-OS instances running GlobalProtect portal or gateway services. If immediate patching is not possible, consider restricting GlobalProtect access to authorized IP ranges as a temporary mitigation.

Security Insight

This authentication bypass is the second PAN-OS vulnerability confirmed exploited in the wild in rapid succession, following CVE-2026-0300 (an RCE in the same GlobalProtect component). The pattern suggests threat actors have invested in reverse-engineering Palo Alto’s VPN stack and are chaining similar-class bugs. Organizations should treat all PAN-OS GlobalProtect interfaces as high-value targets and prioritize patching cycles accordingly, even when individual CVSS scores appear moderate.

For ongoing coverage of this and related threats, see the Weekly Threat Roundup: Critical PAN-OS Flaw Exploited (May 4-10) and PAN-OS RCE CVE-2026-0300 exploited in the wild.

Further Reading

• Weekly Threat Roundup: Critical PAN-OS Flaw Exploited (May 4-10)
• PAN-OS RCE CVE-2026-0300 exploited in the wild
• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs