CVE-2026-0257: GlobalProtect Auth Bypass Now Under Active Exploitation
Palo Alto Networks has confirmed that CVE-2026-0257, an authentication bypass vulnerability in PAN-OS GlobalProtect, is now being actively exploited by threat actors attempting to gain unauthorized access to corporate networks. The vendor issued an urgent warning urging all customers to apply available patches without delay.
The vulnerability carries a CVSS v3.1 score of 7.8 (High) and affects both PAN-OS and Prisma Access. Despite being classified as medium-severity at initial disclosure, the confirmed in-the-wild exploitation raises the effective urgency to critical.
What Is CVE-2026-0257?
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect gateway and portal components of Palo Alto Networks PAN-OS. The flaw allows a network-adjacent or remote attacker to bypass authentication controls under certain conditions, potentially gaining access to resources that should require valid credentials.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-0257 |
| CVSS Score | 7.8 (High) |
| Affected Products | PAN-OS (GlobalProtect), Prisma Access |
| Attack Vector | Network |
| Authentication Required | None (bypass) |
| Active Exploitation | Confirmed |
| Patch Available | Yes — apply immediately |
GlobalProtect is Palo Alto Networks' VPN solution, widely deployed by enterprises to provide remote access to corporate resources. An authentication bypass in this component directly threatens the perimeter security of organizations relying on it as a primary remote access control point.
Exploitation Activity
According to Palo Alto Networks' threat intelligence team and corroborating reports from BleepingComputer and The Hacker News, attackers are actively probing and exploiting vulnerable GlobalProtect instances in the wild. The exploitation attempts appear focused on breaching corporate network perimeters — using the auth bypass to gain initial access that would otherwise require valid VPN credentials.
The attack pattern is consistent with:
- Initial access brokers — threat actors who specialize in selling authenticated footholds to ransomware groups and nation-state APTs
- Ransomware operators — groups seeking to establish a beachhead inside enterprise networks before deploying encryption payloads
- State-sponsored espionage — actors targeting specific organizations for data exfiltration using a less-detectable entry method than credential theft
Why GlobalProtect Is a High-Value Target
VPN and remote access infrastructure has been among the most targeted attack surfaces in cybersecurity for the past several years. The reasons are structural:
- Perimeter position — VPN gateways sit at the edge of the network, making them reachable from the public internet without any prior foothold
- Privileged access — successful authentication grants access to internal network segments that are otherwise invisible to external attackers
- Delayed patching cycles — network appliances and VPN concentrators often run on longer patch cycles than workstation software, leaving known vulnerabilities exposed longer
- High deployment density — Palo Alto Networks GlobalProtect is one of the most widely deployed enterprise VPN solutions globally, meaning a single exploitable flaw creates a massive target pool
Previous Palo Alto Networks vulnerabilities — including CVE-2024-3400 (PAN-OS command injection) — saw rapid exploitation and widespread compromise campaigns within days of disclosure. CVE-2026-0257 appears to be following the same trajectory.
Affected Versions and Patch Guidance
Palo Alto Networks has released patches addressing CVE-2026-0257. Organizations should:
- Immediately identify all PAN-OS and Prisma Access deployments in the environment
- Consult the Palo Alto Networks Security Advisory for the specific affected PAN-OS versions and corresponding fixed releases
- Apply patches as an emergency change — do not wait for scheduled maintenance windows given confirmed active exploitation
- Review GlobalProtect logs for anomalous authentication attempts, especially:
  - Authentication events with no corresponding legitimate user activity
  - Logins from unusual geographic locations or IP ranges
  - Bursts of authentication attempts followed by sudden successful connections
Temporary Mitigations (if patching is delayed)
If an emergency patch cannot be applied immediately:
- Restrict GlobalProtect portal and gateway access to known IP ranges at the network perimeter (firewall ACLs, upstream filtering)
- Enable multi-factor authentication on all GlobalProtect user accounts — a bypass of password authentication may still be blocked by MFA depending on implementation
- Increase logging verbosity on GlobalProtect and forward logs to SIEM for real-time alerting on anomalous patterns
- Enable Threat Prevention profiles on the zones adjacent to the GlobalProtect gateway
Detection Guidance
Organizations should search for indicators of exploitation in PAN-OS system and traffic logs:
```
# Check GlobalProtect authentication logs for anomalies (via PAN-OS CLI)
show log system direction equal forward | match globalprotect

# Look for authentication bypass indicators
show log system | match "CVE-2026-0257\|auth bypass\|authentication failed.*globalprotect"

# Review active GlobalProtect sessions for unexpected sources
show global-protect-gateway current-user
```

In SIEM environments, alert on:
- GlobalProtect sessions established without a corresponding RADIUS/LDAP authentication event
- Sessions from IP addresses not in the corporate VPN user population
- Rapid sequential session establishment from the same IP (scanning activity)
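The three SIEM alerts above, implemented as a small correlation pass over constructed events. This is an added example, not code from the advisory or from Palo Alto Networks; the event tuple layout, sample values and the source allowlist are assumptions, not real PAN-OS log syntax.

```python
# Added example, not from the advisory or from Palo Alto Networks: a minimal
# SIEM-style correlation implementing the three alerts above over constructed
# events. Event tuple layout, field values and the allowlist are assumptions;
# they are not real PAN-OS log syntax.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, kind, user, source IP).
# "auth" = RADIUS/LDAP authentication success, "session" = gateway session established.
SAMPLE_EVENTS = [
    ("2026-01-10T09:00:01", "auth",    "alice", "203.0.113.10"),
    ("2026-01-10T09:00:03", "session", "alice", "203.0.113.10"),
    ("2026-01-10T09:05:00", "session", "bob",   "198.51.100.7"),  # no auth event at all
    ("2026-01-10T09:06:00", "session", "svc01", "198.51.100.7"),
    ("2026-01-10T09:06:02", "session", "svc02", "198.51.100.7"),
    ("2026-01-10T09:06:04", "session", "svc03", "198.51.100.7"),
]
# Constructed prefix allowlist for the expected VPN user population.
KNOWN_VPN_SOURCES = ("203.0.113.",)


def detect(events, auth_window=timedelta(seconds=60), burst_n=3,
           burst_window=timedelta(seconds=10)):
    """Return (rule, user, source) findings for the three SIEM alerts."""
    findings = []
    auths = defaultdict(list)            # user -> auth success timestamps
    sessions_by_src = defaultdict(list)  # source IP -> session timestamps
    for ts, kind, user, src in events:
        if kind == "auth":
            auths[user].append(datetime.fromisoformat(ts))
    for ts, kind, user, src in events:
        if kind != "session":
            continue
        t = datetime.fromisoformat(ts)
        # Rule 1: session with no auth success for that user in the preceding window.
        if not any(timedelta(0) <= t - a <= auth_window for a in auths[user]):
            findings.append(("session_without_auth", user, src))
        # Rule 2: session source outside the known VPN user population.
        if not src.startswith(KNOWN_VPN_SOURCES):
            findings.append(("unknown_source", user, src))
        sessions_by_src[src].append(t)
    # Rule 3: burst_n or more sessions from one IP inside burst_window.
    for src, times in sessions_by_src.items():
        times.sort()
        if any(times[i + burst_n - 1] - times[i] <= burst_window
               for i in range(len(times) - burst_n + 1)):
            findings.append(("rapid_sessions", None, src))
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags every session from 198.51.100.7 on rules 1 and 2 and the source once on rule 3, while alice's authenticated session from the allowlisted range produces no finding.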
Broader Context: VPN Exploitation in 2026
The exploitation of CVE-2026-0257 continues a pattern of sustained attacker focus on VPN and remote access appliances. In 2026 alone, confirmed active exploitation of VPN-class vulnerabilities has included Cisco SD-WAN, Fortinet FortiClient EMS, and Ivanti EPMM — reflecting an industry-wide challenge in securing network perimeter appliances at the pace that threats require.
The Cybersecurity and Infrastructure Security Agency (CISA) has consistently flagged VPN vulnerabilities for priority remediation under its Known Exploited Vulnerabilities (KEV) catalog. Organizations with affected Palo Alto Networks infrastructure should anticipate KEV addition and treat this as a federal-grade remediation priority regardless of sector.
Summary
CVE-2026-0257 is an actively exploited authentication bypass in Palo Alto Networks GlobalProtect that gives threat actors a direct path into enterprise networks without valid credentials. Patches are available and must be applied immediately. Organizations that cannot patch immediately should implement compensating controls and increase monitoring on GlobalProtect infrastructure. Given the track record of rapid exploitation following Palo Alto Networks VPN disclosures, every hour without a patch represents elevated and growing risk.