Executive Summary
In May 2026, a critical authentication bypass vulnerability (CVE-2026-0257) was discovered in Palo Alto Networks' PAN-OS software, specifically affecting the GlobalProtect portal and gateway components. This flaw allowed remote, unauthenticated attackers to establish unauthorized VPN connections, potentially exposing internal networks to malicious access. Rapid7's Managed Detection and Response team observed active exploitation of this vulnerability starting on May 17, 2026, leading to its inclusion in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog. Palo Alto Networks released security patches beginning May 15, 2026, urging immediate updates to mitigate the risk. (security.paloaltonetworks.com)
The exploitation of CVE-2026-0257 underscores the critical importance of timely vulnerability management and patch application. Organizations relying on PAN-OS for secure remote access must ensure their systems are updated to prevent unauthorized access and potential data breaches. This incident highlights the ongoing challenges in securing network infrastructure against rapidly evolving threats.
Why This Matters Now
The active exploitation of CVE-2026-0257 demonstrates the urgency for organizations to promptly apply security patches to prevent unauthorized access and potential data breaches. Delayed responses to such vulnerabilities can lead to significant security incidents, emphasizing the need for proactive vulnerability management.
Attack Path Analysis
The attacker exploited CVE-2026-0257 to bypass authentication on the GlobalProtect portal, establishing an unauthorized VPN connection. Upon access, they escalated privileges by exploiting misconfigurations in IAM roles. They then moved laterally across the network, accessing sensitive systems. The attacker established command and control channels to maintain persistent access. They exfiltrated sensitive data to external servers. Finally, they deployed ransomware, encrypting critical files and disrupting operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited CVE-2026-0257 to bypass authentication on the GlobalProtect portal, establishing an unauthorized VPN connection.
Related CVEs
CVE-2026-0257
CVSS 9.1
An authentication bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allows attackers to establish unauthorized VPN connections.
Affected Products:
Palo Alto Networks PAN-OS – < 12.1.4-h6, < 12.1.7, < 11.2.4-h17, < 11.2.7-h14, < 11.2.10-h7, < 11.2.12, < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15, < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
Palo Alto Networks Prisma Access – < 11.2.7-h13, < 10.2.10-h36
Exploit Status:
Exploited in the wild
References:
https://security.paloaltonetworks.com/CVE-2026-0257
https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
https://threatprotect.qualys.com/2026/06/01/cisa-warns-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
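The affected-version list above is only useful if it can be applied to an inventory, and PAN-OS hotfix numbering makes that error-prone by hand. The following Python is an added example, not part of this report or of any Palo Alto Networks tooling. It assumes the usual reading of the "< X" entries: each X is the first fixed release on its maintenance line, a hotfix threshold such as 12.1.4-h6 applies only to 12.1.4 builds, and a version is affected when it sits below the nearest threshold at or above its own maintenance release. The host inventory at the bottom is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fix thresholds exactly as listed on the page ("< X" entries), per product.
FIXED_VERSIONS = {
    "PAN-OS": [
        "12.1.4-h6", "12.1.7",
        "11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12",
        "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
        "10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6",
    ],
    "Prisma Access": ["11.2.7-h13", "10.2.10-h36"],
}

# major.minor.maintenance with an optional -hN hotfix suffix (assumed format).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass(frozen=True)
class PanOsVersion:
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string carries no -hN suffix

    @classmethod
    def parse(cls, text: str) -> "PanOsVersion":
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
        major, minor, maint, hotfix = m.groups()
        return cls(int(major), int(minor), int(maint), int(hotfix or 0))

    @property
    def train(self) -> tuple:
        return (self.major, self.minor)


def is_affected(version: str, product: str = "PAN-OS") -> Optional[bool]:
    """True if `version` is below its nearest fix threshold, False if at or above it.

    Returns None when the page lists no threshold for that release train, so the
    caller can treat it as "unknown" rather than silently "safe".
    """
    v = PanOsVersion.parse(version)
    thresholds = sorted(
        (t for t in map(PanOsVersion.parse, FIXED_VERSIONS[product]) if t.train == v.train),
        key=lambda t: (t.maint, t.hotfix),
    )
    if not thresholds:
        return None
    for t in thresholds:
        if t.maint == v.maint:
            # Same maintenance release: only the hotfix level decides.
            return v.hotfix < t.hotfix
        if t.maint > v.maint:
            # Below the next fixed maintenance release, with no hotfix of its own listed.
            return True
    # Beyond every listed threshold on this train.
    return False


def triage(inventory: dict, product: str = "PAN-OS") -> dict:
    """Map each host to 'affected', 'fixed' or 'unknown' for reporting."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(ver, product)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    inventory = {
        "fw-edge-01": "11.2.7-h13",
        "fw-edge-02": "11.2.12",
        "fw-branch-07": "10.2.18",
        "fw-lab-legacy": "9.1.0",
    }
    for host, status in triage(inventory).items():
        print(f"{host}: {status}")
```

Note that the same string can be affected on one product and fixed on another: 11.2.7-h13 is fixed for Prisma Access but still below the 11.2.7-h14 threshold for PAN-OS, which is why the checker takes the product as a parameter rather than merging the two lists.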
MITRE ATT&CK® Techniques
Valid Accounts
External Remote Services
Use Alternate Authentication Material: Pass the Hash
Application Layer Protocol: Web Protocols
Remote Services: Remote Desktop Protocol
Valid Accounts: Cloud Accounts
Exploit Public-Facing Application
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Multi-vector attacks targeting cryptocurrency exchanges and investment fraud networks create severe financial losses, regulatory sanctions, and compromise customer data requiring enhanced encryption controls.
Government Administration
Authentication bypass vulnerabilities in VPN infrastructure and targeted data breaches of cybersecurity institutes expose sensitive employee information and compromise critical government operations.
Information Technology/IT
Palo Alto VPN authentication bypass exploitation and expanded phishing campaigns targeting corporate networks require immediate zero trust segmentation and multicloud visibility implementations.
Telecommunications
East-west traffic security vulnerabilities and encrypted traffic inspection gaps enable lateral movement and data exfiltration across telecommunications infrastructure and customer communications.
Sources
- The Good, the Bad and the Ugly in Cybersecurity – Week 23 (https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-23-7/)
- PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities (https://security.paloaltonetworks.com/CVE-2026-0257)
- Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257) (https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/)
- CISA Warns of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257) (https://threatprotect.qualys.com/2026/06/01/cisa-warns-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized VPN connection would likely have been constrained, reducing their ability to access internal resources.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely have been constrained, limiting their access to sensitive resources.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained, reducing their ability to access sensitive systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels would likely have been constrained, reducing their ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely have been constrained, reducing the volume of data exfiltrated.
The attacker's deployment of ransomware would likely have been constrained, reducing the extent of operational disruption.
Impact at a Glance
Affected Business Functions
- Network Security
- Remote Access
- VPN Services
Estimated downtime: 7 days
Estimated loss: $500,000
Potential unauthorized access to internal network resources and sensitive data.
Recommended Actions
Key Takeaways & Next Steps
- Apply patches for CVE-2026-0257 to prevent unauthorized VPN access.
- Implement Zero Trust Segmentation to limit lateral movement.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Utilize Threat Detection & Anomaly Response to identify and respond to suspicious activities.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts.