CVE-2026-0257
CWE-565 · Published: May 13, 2026 · Updated: May 14, 2026
Official Description
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection.
Panorama and Cloud NGFW are not impacted by these issues.
Risk Analysis
This medium-severity authentication bypass vulnerability affects Palo Alto Networks PAN-OS GlobalProtect portal and gateway. An attacker can bypass security restrictions to establish an unauthorized VPN connection. While the CVSS score is 4.7, its presence in CISA's KEV signifies that it is actively being exploited, making it a critical concern.
This vulnerability is remotely exploitable with low attack complexity. Active exploitation has been observed in the wild, as indicated by its 'in_the_wild' exploit status and inclusion in CISA's KEV.
To mitigate this, apply the latest security updates for Palo Alto Networks PAN-OS GlobalProtect portal and gateway. Ensure all security configurations are up-to-date and follow vendor best practices for VPN security.
Technical Analysis
CVE-2026-0257 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CISA has added CVE-2026-0257 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
News & Research Mentioning CVE-2026-0257
Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals. The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad (Source: The Hacker News)
We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257. The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42. (Source: Palo Alto Unit 42)
Hackers began exploiting CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS, four days after public disclosure. The post Recent Palo Alto Networks Vulnerability Exploited for Weeks appeared first on SecurityWeek. (Source: SecurityWeek)
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. [...] (Source: BleepingComputer)
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the (Source: The Hacker News)
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-0257 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks ag (Source: CISA Alerts)
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-0257 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts
- CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- Active exploitation confirmed — treat as P1