Critical Vulnerability

PAN-OS GlobalProtect authentication bypass CVE-2026-0257 exploited in the wild

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as C

What Happened

Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, an authentication bypass vulnerability in PAN-OS GlobalProtect and Prisma Access. Originally rated as medium severity, the flaw allows an unauthenticated attacker with network access to the GlobalProtect interface to bypass authentication entirely. CISA is expected to add this CVE to the Known Exploited Vulnerabilities (KEV) catalog imminently.

Proof-of-concept (PoC) code has been publicly released, accelerating the threat. Palo Alto has issued hotfixes for affected PAN-OS versions, but many organizations remain unpatched, leaving firewalls and cloud-delivered security services exposed.

Why It Matters

This is not a typical medium-severity issue. An authentication bypass on a perimeter appliance like a firewall is a direct gateway to lateral movement. The GlobalProtect portal is often internet-facing, making it a prime target for initial access. If exploited in combination with other vulnerabilities - such as the previously disclosed PAN-OS unauthenticated RCE CVE-2026-0300 - an attacker could chain initial bypass to full remote code execution without any credentials. This bypass effectively removes the first layer of defense for many enterprise networks.

Technical Details

CVE-2026-0257 (CVSS 5.9) is an authentication bypass in the GlobalProtect portal and gateway interfaces of PAN-OS. The vulnerability stems from improper handling of SAML responses during single sign-on (SSO) flows. An unauthenticated attacker can craft a malicious SAML assertion that tricks the GlobalProtect service into accepting a forged authentication token, granting unauthorized access to the management interface or internal resources without valid credentials.

Affected versions include PAN-OS 10.x, 11.0, and 11.1 prior to specific hotfix releases. Prisma Access customers are also impacted if using GlobalProtect portals. Indicators of compromise include unusual SAML authentication logs, especially with unexpected NameID values or timestamps outside normal business hours. The PoC exploits the SAML response validation gap using a forged NotOnOrAfter condition to bypass signature checks.

Immediate Risk

The risk is critical for any organization running an internet-facing GlobalProtect gateway. Attackers are actively scanning for vulnerable instances. Successful exploitation grants a foothold on the firewall itself - a high-value target that can see all network traffic. Once inside, attackers can install persistent backdoors, modify firewall rules, or pivot to internal systems. Given the public availability of PoC code and active exploitation reports, patching should be treated as an emergency. Organizations that cannot patch immediately should restrict GlobalProtect access to trusted IP ranges or disable SAML-based authentication temporarily.
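The indicators listed above (unexpected NameID values, SAML logins at unusual hours) and the interim mitigation (allowing GlobalProtect access only from trusted ranges) can be turned into a first-pass triage over exported authentication events. The script below is an added example, not Palo Alto Networks code; the key=value log layout, the trusted ranges, the known-user list and the business-hours window are all constructed assumptions that need to be mapped onto your own log export and environment.

```python
"""Triage helper for GlobalProtect SAML authentication events.

Added example, not Palo Alto Networks code. The log layout below is a
constructed key=value format for illustration, not PAN-OS's native syslog
schema; map the field names to your own export before use.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample events (not taken from a real device).
SAMPLE_LOG = """\
time=2026-03-02T09:14:07 src=203.0.113.25 auth=saml nameid=alice@example.com result=success
time=2026-03-02T02:41:52 src=198.51.100.77 auth=saml nameid=svc-nobody@example.com result=success
time=2026-03-02T11:05:30 src=203.0.113.40 auth=saml nameid=bob@example.com result=success
time=2026-03-02T23:58:01 src=192.0.2.9 auth=saml nameid=alice@example.com result=success
time=2026-03-02T10:22:15 src=203.0.113.25 auth=ldap nameid=carol@example.com result=success
"""

# Assumed environment data: trusted egress ranges, the identities the IdP is
# expected to assert, and the hours during which SAML logins are normal.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_NAMEIDS = {"alice@example.com", "bob@example.com", "carol@example.com"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value event line into a dict."""
    return dict(LINE_RE.findall(line))


def suspicion_flags(event):
    """Return the list of reasons a successful SAML login looks anomalous.

    Only successful SAML authentications are scored; other methods and
    failed attempts return an empty list.
    """
    flags = []
    if event.get("auth") != "saml" or event.get("result") != "success":
        return flags
    ts = datetime.fromisoformat(event["time"])
    if not BUSINESS_START <= ts.time() <= BUSINESS_END:
        flags.append("off_hours")
    if event.get("nameid") not in KNOWN_NAMEIDS:
        flags.append("unknown_nameid")
    src = ipaddress.ip_address(event["src"])
    if not any(src in net for net in TRUSTED_RANGES):
        flags.append("untrusted_source")
    return flags


def triage(log_text):
    """Return (time, nameid, src, flags) for every flagged event in the log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        flags = suspicion_flags(ev)
        if flags:
            findings.append((ev["time"], ev["nameid"], ev["src"], flags))
    return findings


if __name__ == "__main__":
    for when, who, where, why in triage(SAMPLE_LOG):
        print(f"{when} {who:<28} {where:<16} {', '.join(why)}")
```

A flagged event is a lead, not a verdict: a known user logging in from an untrusted range late at night may be travelling, but a NameID the identity provider has never issued succeeding against the portal is exactly the pattern the advisory describes and should be pulled for review alongside the firewall's configuration and audit logs.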

Security Insight

The most dangerous vulnerabilities are not always high severity on the CVSS scale. CVE-2026-0257 was rated 5.9, but its placement on a perimeter device with active PoC code makes it effectively critical in practice. This echoes the 2021 Microsoft Exchange ProxyShell chain, where medium-severity bugs in sequence became devastating. Security teams should reassess medium-rated CVEs when they affect internet-facing appliances and consider enforcing a lower severity threshold for emergency patching on such assets. A medium CVE on a firewall demands faster action than a critical CVE on an internal web server.
