MEDIUM · CISA KEV · IN THE WILD

CVE-2026-0257

CWE-565 · Published: May 13, 2026 · Updated: May 14, 2026

CVSS v3.1: 4.7
EPSS: 0.05% probability of exploitation in 30 days · Percentile: 17.1th

Official Description

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection.

Panorama and Cloud NGFW are not impacted by these issues.

NVD Source

Risk Analysis

This medium-severity authentication bypass vulnerability affects Palo Alto Networks PAN-OS GlobalProtect portal and gateway. An attacker can bypass security restrictions to establish an unauthorized VPN connection. While the CVSS score is 4.7, its presence in CISA's KEV signifies that it is actively being exploited, making it a critical concern.

This vulnerability is remotely exploitable with low attack complexity. Active exploitation has been observed in the wild, as indicated by its 'in_the_wild' exploit status and inclusion in CISA's KEV.

Recommended Action

To mitigate this, apply the latest security updates for Palo Alto Networks PAN-OS GlobalProtect portal and gateway. Ensure all security configurations are up-to-date and follow vendor best practices for VPN security.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2026-0257 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

CISA has added CVE-2026-0257 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Network
Attack Complexity: Low
Privileges Req.: None
User Interaction: None
Scope: X
Impact
Confidentiality
Integrity
Availability
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber

Affected Vendors & Products

Mentioned vendors (from description):
Palo Alto Networks
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

ACTIVE EXPLOITATION: Confirmed exploitation in the wild

News & Research Mentioning CVE-2026-0257

Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw
The Hacker News · Jun 15, 2026

Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals. The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad

Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Palo Alto Unit 42 · Jun 5, 2026

We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257.

Recent Palo Alto Networks Vulnerability Exploited for Weeks
SecurityWeek · Jun 1, 2026

Hackers began exploiting CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS, four days after public disclosure.

Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
BleepingComputer · May 30, 2026

Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. [...]

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
The Hacker News · May 30, 2026

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the

CISA Adds One Known Exploited Vulnerability to Catalog
CISA Alerts · May 29, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-0257 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks ag

Quick Facts

CVE ID: CVE-2026-0257
CVSS Score: 4.7 / 10
Severity: MEDIUM
Weakness: CWE-565
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
EPSS (30d): 0.05%
Published: May 13, 2026

Known Threat Actors

Global
financial
global
financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-0257 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.