CVE-2026-0257: PAN-OS GlobalProtect Auth Bypass Now Actively Exploited
Palo Alto Networks has issued an urgent security advisory confirming that CVE-2026-0257, an authentication bypass vulnerability in PAN-OS GlobalProtect and Prisma Access, is under active exploitation in the wild. The vulnerability carries a CVSS v3.1 score of 7.8 (High) and allows a remote, unauthenticated attacker to bypass the GlobalProtect authentication controls, gaining access to corporate networks through the VPN without valid credentials.
All organizations running affected versions of PAN-OS or Prisma Access should treat this as an emergency and apply patches immediately.
Vulnerability Details
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-0257 |
| CVSS Score | 7.8 (High) |
| Affected Products | PAN-OS (GlobalProtect), Prisma Access |
| Component | GlobalProtect Gateway and Portal |
| Attack Vector | Network / Remote |
| Authentication Required | None (authentication is bypassed) |
| Active Exploitation | Confirmed |
| Patch Status | Available — apply immediately |
GlobalProtect is Palo Alto Networks' VPN solution, widely deployed in enterprises to provide remote access to internal resources. An authentication bypass in the gateway and portal components means attackers can establish a VPN session — and gain access to internal network segments — without knowing or stealing valid user credentials.
Exploitation Activity
Palo Alto Networks' threat intelligence team has confirmed active exploitation attempts in the wild. Corroborating reports from security researchers indicate attackers are actively scanning for and exploiting vulnerable GlobalProtect instances.
The exploitation patterns observed are consistent with:
- Initial access brokers — threat actors who compromise enterprise footholds and sell access to ransomware groups or nation-state actors
- Ransomware operators — groups seeking to establish a beachhead before deploying encryption payloads
- State-sponsored espionage — actors targeting organizations for data exfiltration using a stealthy entry method
This follows a well-documented pattern with Palo Alto Networks VPN vulnerabilities. CVE-2024-3400, a command injection flaw in the PAN-OS GlobalProtect feature disclosed in April 2024, was already being exploited as a zero-day before the advisory was published and was subsequently used in broad campaigns attributed to a suspected state-backed actor. CVE-2026-0257 appears to be following a similar trajectory.
Why VPNs Remain Prime Targets
Network perimeter appliances and VPN gateways continue to be among the highest-value targets in modern threat campaigns:
- Internet-facing position — VPN gateways are reachable from the public internet by design, making them accessible to any attacker without pre-existing network access
- Privileged network entry — a successful VPN session grants access to internal segments that are otherwise not reachable from the internet at all
- Slow patch cycles — organizations often run network appliances on longer maintenance windows than workstation software, leaving known vulnerabilities exposed for longer
- Scale of deployment — GlobalProtect is one of the most widely deployed enterprise VPN platforms globally, meaning a single flaw creates an enormous target pool
In 2026 alone, confirmed active exploitation of VPN-class vulnerabilities has included Cisco SD-WAN (CVE-2026-20127), Fortinet FortiClient EMS, and Ivanti EPMM — demonstrating sustained attacker focus on this attack surface.
Affected Versions and Patch Guidance
Palo Alto Networks has released patches for CVE-2026-0257. Organizations should:
- Identify all PAN-OS and Prisma Access deployments in the environment immediately
- Consult the official Palo Alto Networks Security Advisory for the specific affected PAN-OS version ranges and corresponding fixed releases
- Apply patches as an emergency change — do not defer to scheduled maintenance windows given confirmed active exploitation
- Review GlobalProtect logs for anomalous authentication events that may indicate prior or ongoing exploitation
Log Review Guidance
```
# Review GlobalProtect authentication events via PAN-OS CLI
show log system direction equal forward | match globalprotect
# Look for unexpected successful sessions
show global-protect-gateway current-user
# Search for auth events with no corresponding user activity
show log traffic | match "globalprotect.*allow"
```
In SIEM environments, build alerts for:
- GlobalProtect sessions established without a preceding RADIUS/LDAP authentication event
- Sessions originating from IP addresses outside the expected corporate user population
- Sequential rapid session establishment from the same source IP (scanning behavior)
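The three rules above as one detection pass, written here as an added example rather than Palo Alto Networks or SIEM vendor code. The records are JSON lines whose field names (eventid, srcuser, public_ip, status, auth_method) only approximate the PAN-OS GlobalProtect log; the sample events, the "corporate" IP range and the time thresholds are constructed assumptions. The first rule carries the practitioner's caveat: a bypass that forges the authentication stage can still leave a device-side "success" record, so in production the correlation belongs against the RADIUS/LDAP server's own logs, not only the firewall's.

```python
"""Detection pass over GlobalProtect-style events for the three SIEM rules.

Added example, not Palo Alto Networks code. The JSON-lines layout and field
names only approximate the PAN-OS GlobalProtect log; the events, the corporate
IP range and the thresholds are constructed for illustration.
"""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. One line is deliberately malformed to show that
# the parser skips bad records instead of aborting the whole pass.
SAMPLE_LOG = """\
{"time": "2026-03-02T09:00:01Z", "eventid": "gateway-auth", "srcuser": "alice", "public_ip": "198.51.100.10", "status": "success", "auth_method": "RADIUS"}
{"time": "2026-03-02T09:00:03Z", "eventid": "gateway-login", "srcuser": "alice", "public_ip": "198.51.100.10", "status": "success", "auth_method": ""}
this line is not valid JSON and must be skipped
{"time": "2026-03-02T09:05:00Z", "eventid": "gateway-login", "srcuser": "svc-backup", "public_ip": "203.0.113.77", "status": "success", "auth_method": ""}
{"time": "2026-03-02T09:05:02Z", "eventid": "gateway-login", "srcuser": "admin", "public_ip": "203.0.113.77", "status": "success", "auth_method": ""}
{"time": "2026-03-02T09:05:04Z", "eventid": "gateway-login", "srcuser": "root", "public_ip": "203.0.113.77", "status": "success", "auth_method": ""}
{"time": "2026-03-02T09:05:06Z", "eventid": "gateway-login", "srcuser": "test", "public_ip": "203.0.113.77", "status": "success", "auth_method": ""}
"""

# Assumed "expected corporate user population" (constructed, documentation range).
CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

AUTH_EVENTS = {"portal-auth", "gateway-auth"}   # successful authentication stages
LOGIN_EVENT = "gateway-login"                   # a VPN session was established
AUTH_WINDOW = timedelta(minutes=5)              # a login must follow an auth within this
BURST_WINDOW = timedelta(seconds=60)            # scanning heuristic window
BURST_THRESHOLD = 3                             # logins from one IP inside BURST_WINDOW


def parse_events(text):
    """Parse JSON-lines records, drop malformed ones, return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
            rec["ip"] = ipaddress.ip_address(rec["public_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip it, keep processing the rest
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def detect(events, corporate_nets=CORPORATE_NETS):
    """Return one alert dict per rule hit, in event order."""
    alerts = []
    last_auth = {}                      # (user, public_ip) -> time of last successful auth
    recent_logins = defaultdict(deque)  # public_ip -> login times inside BURST_WINDOW

    def alert(rule, ev):
        alerts.append({"rule": rule, "user": ev["srcuser"],
                       "public_ip": ev["public_ip"], "time": ev["time"].isoformat()})

    for ev in events:
        key = (ev["srcuser"], ev["public_ip"])
        if ev["eventid"] in AUTH_EVENTS and ev["status"] == "success":
            last_auth[key] = ev["time"]
            continue
        if ev["eventid"] != LOGIN_EVENT or ev["status"] != "success":
            continue

        # Rule 1: session established with no preceding successful auth for the
        # same user and source. Caveat: a bypass that forges the auth stage still
        # leaves a device-side "success" record, so correlate against the
        # RADIUS/LDAP server's own logs in production.
        auth_t = last_auth.get(key)
        if auth_t is None or ev["time"] - auth_t > AUTH_WINDOW:
            alert("login-without-auth", ev)

        # Rule 2: source outside the expected corporate population.
        if not any(ev["ip"] in net for net in corporate_nets):
            alert("unexpected-source", ev)

        # Rule 3: rapid sequential sessions from one IP. Fires once, when the
        # sliding-window count reaches the threshold, so one burst yields one alert.
        q = recent_logins[ev["public_ip"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) == BURST_THRESHOLD:
            alert("login-burst", ev)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

On the constructed sample the pass raises nothing for alice (authenticated two seconds before her session) and nine alerts for 203.0.113.77: four logins with no prior auth, four from outside the corporate range, and one burst alert at the third login within the 60-second window. Keying rule 1 on (user, source IP) rather than user alone matters, because a legitimate user's earlier authentication from one address should not vouch for a session appearing from another.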
Temporary Mitigations
For organizations that cannot patch immediately, reduce exposure with these compensating controls:
| Control | Description |
|---|---|
| IP Allowlisting | Restrict GlobalProtect portal/gateway to known corporate IP ranges at the perimeter firewall |
| MFA Enforcement | Enable multi-factor authentication. Whether it helps depends on where the bypass sits: a second factor checked inside the same GlobalProtect authentication flow offers no protection if the flaw skips that flow entirely, so treat MFA as defence in depth rather than as a substitute for the patch |
| Increased Logging | Raise verbosity on GlobalProtect components and forward to SIEM for real-time alerting |
| Threat Prevention Profiles | Enable Palo Alto Threat Prevention profiles on zones adjacent to the GlobalProtect gateway |
| Session Monitoring | Actively review active GlobalProtect sessions for unexpected sources |
Note that compensating controls do not fix the underlying vulnerability and should be treated as temporary measures only. Emergency patching remains the required action.
CISA KEV Addition Likely
CISA consistently adds actively exploited VPN and edge-appliance vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog; under Binding Operational Directive 22-01, federal civilian agencies must then remediate each entry by its listed due date. Given confirmed exploitation, organizations should expect a KEV addition and should apply the same remediation urgency regardless of sector.
Previous Palo Alto Networks vulnerabilities added to CISA KEV include CVE-2024-3400 (PAN-OS GlobalProtect command injection) and CVE-2025-0108 (PAN-OS management web interface authentication bypass). Both were under exploitation within days of disclosure, and CVE-2024-3400 had already been exploited as a zero-day before its advisory was published.
Summary
CVE-2026-0257 is an actively exploited, high-severity authentication bypass in Palo Alto Networks GlobalProtect that grants unauthenticated attackers direct access to enterprise networks. Patches are available. Organizations must apply them immediately — every hour without patching represents growing, compounding risk as exploitation campaigns ramp up. If immediate patching is blocked by change management processes, implement compensating controls now and escalate the change as an emergency.