Executive Summary
In May 2026, Palo Alto Networks disclosed CVE-2026-0257, a high-severity authentication bypass vulnerability in the GlobalProtect portal and gateway components of PAN-OS software. This flaw allows unauthenticated remote attackers to forge valid session cookies, enabling unauthorized VPN connections into corporate networks. Active exploitation of this vulnerability was observed starting May 17, 2026, with attackers attempting to access GlobalProtect portals. While no post-access behavior or lateral movement has been identified, the potential for unauthorized access to sensitive internal resources poses a significant risk.
The inclusion of CVE-2026-0257 in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog underscores the urgency for organizations to address this issue. The active exploitation highlights a broader trend of attackers targeting VPN infrastructures to gain unauthorized access, emphasizing the need for robust authentication mechanisms and timely patch management to mitigate such threats.
Why This Matters Now
The active exploitation of CVE-2026-0257 underscores the critical need for organizations to promptly patch vulnerable PAN-OS systems. Delayed remediation increases the risk of unauthorized access to sensitive internal resources, potentially leading to data breaches and operational disruptions. This incident highlights the broader trend of attackers targeting VPN infrastructures, emphasizing the importance of robust authentication mechanisms and vigilant network monitoring.
Attack Path Analysis
An attacker exploited CVE-2026-0257 to bypass authentication on the GlobalProtect portal, establishing unauthorized VPN access. With this access, the attacker could escalate privileges by exploiting misconfigurations or vulnerabilities within the internal network. The attacker then moved laterally across the network, accessing sensitive systems and data. They established command and control channels to maintain persistent access and exfiltrated sensitive data. Finally, the attacker could have disrupted operations by deploying malware or encrypting critical data.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited CVE-2026-0257 to bypass authentication on the GlobalProtect portal, establishing unauthorized VPN access.
Related CVEs
CVE-2026-0257
CVSS 9.1An authentication bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allows attackers to establish unauthorized VPN connections.
Affected Products:
Palo Alto Networks PAN-OS – < 12.1.4-h6, < 12.1.7, < 11.2.4-h17, < 11.2.7-h14, < 11.2.10-h7, < 11.2.12, < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15, < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
Palo Alto Networks Prisma Access – < 11.2.7-h13*, < 10.2.10-h36*
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Use Alternate Authentication Material: Application Access Token
External Remote Services
Application Layer Protocol: Web Protocols
Remote Services: Remote Desktop Protocol
Valid Accounts: Cloud Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Authentication bypass in PAN-OS GlobalProtect VPN creates critical exposure for financial institutions' encrypted traffic, potentially compromising customer data and regulatory compliance requirements.
Health Care / Life Sciences
CVE-2026-0257 exploitation threatens HIPAA compliance through unauthorized VPN portal access, risking patient data exfiltration and compromising zero trust network segmentation controls.
Government Administration
Active GlobalProtect vulnerability exploitation poses national security risks, enabling lateral movement through government networks and bypassing critical infrastructure protection measures.
Information Technology/IT
IT service providers face cascading client impact from PAN-OS authentication bypass, threatening managed security services and cloud infrastructure protection capabilities.
Sources
- Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flawhttps://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.htmlVerified
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitationhttps://thehackernews.com/2026/05/pan-os-globalprotect-authentication.htmlVerified
- CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilitieshttps://security.paloaltonetworks.com/CVE-2026-0257Verified
- NVD - CVE-2026-0257https://nvd.nist.gov/vuln/detail/CVE-2026-0257Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized VPN access would likely be constrained, reducing their ability to exploit internal misconfigurations or vulnerabilities.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be limited, reducing the scope of potential damage.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely be restricted, limiting access to sensitive systems and data.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing persistent access within the network.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely be limited, reducing the risk of sensitive data loss.
The attacker's ability to disrupt operations would likely be constrained, reducing the potential impact on critical systems.
Impact at a Glance
Affected Business Functions
- Remote Access Services
- Network Security Operations
- IT Infrastructure Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential unauthorized access to internal network resources and sensitive data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict unauthorized lateral movement within the network.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts of known vulnerabilities like CVE-2026-0257.
- • Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to mitigate known vulnerabilities and reduce the attack surface.



