Executive Summary
In May 2026, Palo Alto Networks disclosed an authentication bypass vulnerability (CVE-2026-0257) in its PAN-OS software, affecting GlobalProtect portals and gateways. This flaw allows unauthenticated attackers to establish unauthorized VPN connections, potentially exposing internal networks. The vulnerability impacts specific PAN-OS versions and configurations where authentication override cookies are enabled. Exploitation was observed as early as May 17, 2026, with attackers gaining VPN access to internal networks. While no lateral movement was detected, the unauthorized access poses significant security risks. Organizations are urged to apply patches or mitigations promptly to prevent potential breaches.
Why This Matters Now
The active exploitation of CVE-2026-0257 underscores the urgency for organizations to secure their VPN infrastructures. Unpatched systems are vulnerable to unauthorized access, potentially leading to data breaches and operational disruptions. Immediate action is required to mitigate this threat.
Attack Path Analysis
An attacker exploited an authentication bypass vulnerability in PAN-OS GlobalProtect to establish an unauthorized VPN connection, gaining initial access. They then escalated privileges by leveraging the VPN access to obtain higher-level credentials. Using these credentials, the attacker moved laterally within the network to access sensitive systems. They established command and control channels to maintain persistent access. The attacker exfiltrated sensitive data through the established channels. Finally, they disrupted operations by deploying malware to critical systems.
Kill Chain Progression
Initial Compromise
Description
An attacker exploited an authentication bypass vulnerability in PAN-OS GlobalProtect to establish an unauthorized VPN connection.
Related CVEs
CVE-2026-0257
CVSS: 9.1
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allow attackers to establish unauthorized VPN connections.
Affected Products:
Palo Alto Networks PAN-OS – < 12.1.4-h6, < 12.1.7, < 11.2.4-h17, < 11.2.7-h14, < 11.2.10-h7, < 11.2.12, < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15, < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
Palo Alto Networks Prisma Access – < 11.2.7-h13, < 10.2.10-h36
Exploit Status:
Exploited in the wild
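The affected-version list above mixes base releases and hotfix builds within each release train, which makes a plain "is my version lower than any listed value" comparison misleading (11.2.7-h15 is later than the fixed 11.2.7-h14, yet numerically below 11.2.10-h7). The checker below is an added example, not code from the page or from Palo Alto Networks; it parses PAN-OS version strings of the form major.minor.maint[-hN], copies the thresholds from the advisory summary above, and applies the usual reading of a Palo Alto advisory (assumed here): a build is affected if a fixed hotfix exists for its maintenance release and the build is below it, or if its maintenance release has no fix of its own and a later fixed release exists in the same train. Trains the advisory does not list (for example 10.1) are reported as not-listed rather than guessed. The inventory lines and hostnames are constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Fixed-version thresholds copied from the advisory summary on this page.
FIXED_PAN_OS = [
    "12.1.4-h6", "12.1.7",
    "11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12",
    "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
    "10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6",
]
FIXED_PRISMA_ACCESS = ["11.2.7-h13", "10.2.10-h36"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass(frozen=True)
class PanOsVersion:
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string carries no -hN suffix

    @property
    def train(self):
        return (self.major, self.minor)


def parse_version(text: str) -> PanOsVersion:
    """Parse 'major.minor.maint' or 'major.minor.maint-hN'; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version_text: str, fixed: List[str] = FIXED_PAN_OS) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for one version string.

    Assumed advisory semantics: within a release train, a threshold like
    11.2.7-h14 fixes 11.2.7 from hotfix 14 onward; maintenance releases that
    have no threshold of their own (11.2.5, 11.2.6) are affected until the
    next fixed release in the same train. Anything at or past the highest
    threshold of the train is fixed. This is a version check only; the
    advisory's configuration condition (authentication override cookies
    enabled) must be confirmed separately.
    """
    v = parse_version(version_text)
    thresholds = [t for t in map(parse_version, fixed) if t.train == v.train]
    if not thresholds:
        return "not-listed"
    same_maint = [t for t in thresholds if t.maint == v.maint]
    if same_maint:
        return "vulnerable" if v.hotfix < same_maint[0].hotfix else "fixed"
    if any(t.maint > v.maint for t in thresholds):
        return "vulnerable"
    return "fixed"


def assess_inventory(lines: List[str]) -> Dict[str, str]:
    """Assess 'hostname product version' lines (constructed format for this example)."""
    verdicts = {}
    for line in lines:
        host, product, version = line.split()
        fixed = FIXED_PRISMA_ACCESS if product == "prisma-access" else FIXED_PAN_OS
        verdicts[host] = assess(version, fixed)
    return verdicts


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    "fw-edge-01 pan-os 11.2.5",
    "fw-edge-02 pan-os 11.2.7-h15",
    "fw-dc-01 pan-os 10.2.18-h6",
    "pa-cloud-01 prisma-access 11.2.7-h12",
    "fw-lab-01 pan-os 10.1.9",
]

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Run it against an export of firewall hostnames and `sw-version` values in the same three-column shape; any host reported as not-listed needs a manual look at the vendor advisory rather than being treated as safe.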
MITRE ATT&CK® Techniques
Modify Authentication Process
External Remote Services
Valid Accounts
Application Layer Protocol
Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
PAN-OS GlobalProtect authentication bypass (CVE-2026-0257) enables unauthorized VPN access, compromising encrypted traffic and zero trust segmentation critical for financial compliance.
Health Care / Life Sciences
Authentication bypass vulnerability threatens HIPAA compliance through compromised VPN connections, enabling lateral movement and potential exfiltration of protected health information.
Government Administration
Active exploitation of GlobalProtect authentication bypass creates critical national security risks through unauthorized access to government networks and sensitive communications.
Information Technology/IT
IT sectors face direct exposure as PAN-OS vulnerability enables threat actors to bypass authentication controls and establish malicious VPN connections.
Sources
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation – https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html
- PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities – https://security.paloaltonetworks.com/CVE-2026-0257
- CVE-2026-0257 Detail – https://nvd.nist.gov/vuln/detail/CVE-2026-0257
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware routing, thereby reducing the blast radius of the compromise.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized VPN connection would likely be constrained by enforcing strict identity-based access controls, limiting their ability to establish such connections.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be limited by enforcing strict segmentation, reducing their access to sensitive credentials.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely be constrained by enforcing east-west traffic controls, limiting their ability to access sensitive systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels would likely be detected and disrupted by providing comprehensive visibility and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely be limited by enforcing strict egress policies, reducing their ability to transmit sensitive data out of the network.
The attacker's deployment of malware would likely be constrained by limiting their access to critical systems, reducing the potential impact on operations.
Impact at a Glance
Affected Business Functions
- Remote Access Services
- Network Security Operations
- User Authentication Systems
Estimated downtime: 3 days
Estimated loss: $50,000
Potential unauthorized access to internal network resources and sensitive data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Cloud Firewall (ACF) to control and monitor outbound traffic, preventing unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Regularly update and patch systems to mitigate known vulnerabilities and reduce the attack surface.