PAN-OS GlobalProtect CVE-2026-0257 (CVSS 9.3): Authentication Bypass Exploited Against Government and Critical Infrastructure

Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass in the GlobalProtect gateway that allows an unauthenticated attacker to establish VPN sessions as arbitrary users. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue, and Palo Alto's Unit 42 has observed exploitation targeting government and critical infrastructure networks since at least 12 June.


Palo Alto Networks has disclosed and confirmed active exploitation of CVE-2026-0257, a critical authentication bypass affecting the GlobalProtect gateway component of PAN-OS. The flaw allows an unauthenticated remote attacker to establish VPN sessions without valid credentials, effectively bypassing the primary access control protecting corporate network entry points. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalogue on 15 June 2026 with a federal remediation deadline of 29 June.

Palo Alto’s Unit 42 threat intelligence team has attributed active exploitation to multiple threat actors, with the earliest confirmed activity observed on 12 June 2026. Initial victims identified include government agencies, defence contractors, and critical infrastructure operators, a targeting profile consistent with sophisticated nation-state reconnaissance and initial access objectives.

Vulnerability Details

CVE-2026-0257 resides in the authentication flow of the GlobalProtect gateway, specifically in the handling of pre-login SSL/TLS session establishment requests. An unauthenticated attacker can send a crafted request sequence that triggers an improper session state transition, resulting in a fully authenticated VPN session being established for an attacker-controlled endpoint without valid username or password credentials.

The flaw requires no user interaction and is exploitable from the internet against any GlobalProtect gateway with its external-facing port accessible. Palo Alto has confirmed the vulnerability is exploitable against both gateway and portal configurations.

Affected PAN-OS versions:

Version                         Affected      Fixed version
PAN-OS 11.2                     < 11.2.7      11.2.7
PAN-OS 11.1                     < 11.1.9      11.1.9
PAN-OS 10.2                     < 10.2.14     10.2.14
PAN-OS 10.1                     < 10.1.17     10.1.17
Prisma Access (cloud-managed)   Managed update deployed by Palo Alto; no customer action required

PAN-OS versions prior to 10.1 are end-of-life and receive no patch; customers on EOL versions must upgrade to a supported branch.
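The version table above is easy to misread during a fast-moving response, particularly for devices running a hotfix on an older maintenance release. The following is an added example (not Palo Alto tooling) that checks a firewall inventory against the fixed versions in the table and the end-of-life cut-off the advisory gives. The inventory is constructed, and the handling of a "-hN" hotfix suffix is an assumption about PAN-OS version strings, not something the advisory states.

```python
"""Check a PAN-OS inventory against the fixed versions the advisory lists
for CVE-2026-0257.

Added example, not Palo Alto tooling. The fixed versions and the EOL
cut-off come from the advisory table; the inventory is constructed and the
'-hN' hotfix suffix handling is an assumption about version strings."""
import re

# Fixed version per supported branch, from the advisory table.
FIXED_VERSIONS = {
    (11, 2): (11, 2, 7),
    (11, 1): (11, 1, 9),
    (10, 2): (10, 2, 14),
    (10, 1): (10, 1, 17),
}
# Branches older than this are end-of-life and receive no patch.
OLDEST_SUPPORTED_BRANCH = (10, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maint, hotfix) for 'major.minor.maint[-hN]'.

    Hotfix releases are assumed to sort after the base release they patch;
    a version without a suffix gets hotfix 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version_text):
    """Classify one device as PATCHED, VULNERABLE, EOL or UNKNOWN branch."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch < OLDEST_SUPPORTED_BRANCH:
        return "EOL: no patch available, upgrade to a supported branch"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "UNKNOWN: branch not listed in the advisory, verify with vendor"
    # Compare the base release only: a hotfix on an older maintenance
    # release (e.g. 11.2.6-h3) does not carry the 11.2.7 fix.
    if v[:3] >= fixed:
        return "PATCHED"
    return "VULNERABLE: upgrade to " + ".".join(str(n) for n in fixed)


def assess_inventory(inventory):
    """Map each device name to its assessment string."""
    return {name: assess(version) for name, version in inventory.items()}


# Constructed inventory for demonstration.
SAMPLE_INVENTORY = {
    "fw-dc-edge-01": "11.2.6-h3",
    "fw-dc-edge-02": "11.2.7",
    "fw-branch-07": "10.1.16",
    "fw-lab-legacy": "10.0.12",
}

if __name__ == "__main__":
    for name, result in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16} {result}")
```

Feed it the version strings exported from Panorama or your CMDB; anything reported as UNKNOWN is a branch the advisory table does not cover and should be confirmed with the vendor rather than assumed safe.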

Why GlobalProtect Authentication Bypass Is Particularly Severe

GlobalProtect is frequently the outermost authentication layer of an enterprise network: the first control that determines who reaches internal systems. An attacker who bypasses GlobalProtect authentication gains the same network access as a fully authenticated remote employee: access to internal servers, applications, and segments that are otherwise isolated from the public internet.

Critically, this bypass produces no failed authentication events in identity provider logs. Organisations that depend on detecting brute-force attempts or credential stuffing as an indicator of compromise will see no signal during CVE-2026-0257 exploitation. The attacker appears as a successfully authenticated session.

Unit 42’s initial analysis suggests exploitation has been used for lateral reconnaissance (mapping internal network topology from the VPN IP range) rather than immediate destructive action. This pattern is characteristic of nation-state actors establishing persistent footholds for later use, which makes urgent patching particularly important: the window between exploitation and destructive impact may be measured in days to weeks, not hours.

Post-Exploitation Detection

If patching cannot be completed immediately, security teams should:

  • Review GlobalProtect session logs for sessions that do not correspond to known user accounts or devices: the bypass establishes a session that appears authenticated but may list an unexpected username or an empty user field
  • Check for unexpected internal reconnaissance from VPN IP ranges: port scans, SMB enumeration, or Active Directory LDAP queries from VPN addresses not associated with recognised endpoints
  • Correlate GlobalProtect session source IPs against threat intelligence feeds: Unit 42 has published IOC data including infrastructure used in observed exploitation campaigns
  • Patch immediately: apply PAN-OS 11.2.7, 11.1.9, 10.2.14, or 10.1.17 as appropriate; given CISA KEV status and confirmed active exploitation, no standard patching window applies
  • Restrict GlobalProtect external exposure while patching is coordinated: if operationally feasible, limit access to the GlobalProtect portal/gateway to known corporate IP ranges via upstream firewall rules as a temporary compensating control
  • Audit active GlobalProtect sessions dating from 12 June onward: terminate any sessions that cannot be attributed to known user accounts or authorised devices
  • Rotate VPN credentials and MFA tokens for all users as a precaution: even if exploitation is not confirmed, treating sessions from 12 June onward as potentially compromised is prudent given the bypass nature of the flaw
  • Enable Palo Alto Threat Prevention signatures for CVE-2026-0257: Palo Alto has released updated signatures that detect exploitation attempts at the network layer; these apply even before the firmware patch is installed
  • Customers on EOL PAN-OS versions must upgrade: no backport patch is available for end-of-life branches; Palo Alto product support can expedite upgrade planning
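Because the bypass leaves no failed-login signal, the first three checks above all operate on successful sessions and on what those sessions do afterwards. The following is an added example (not Palo Alto or Unit 42 tooling) that triages session and flow records for exactly those indicators: sessions on or after 12 June with an empty or unknown username, sessions whose public source IP matches an IOC list, and a VPN address touching many internal hosts on SMB, LDAP or RDP ports. The CSV-style record layout, the user directory, the VPN pool and the single IOC entry are constructed assumptions; the real inputs are your exported GlobalProtect session logs, your directory, and the IOC feed Unit 42 published.

```python
"""Triage GlobalProtect-style session records and internal flow records for
the indicators the advisory lists: sessions on or after 12 June with an empty
or unknown username, sessions whose source IP matches published IOCs, and
internal scanning from VPN addresses.

Added example, not Palo Alto or Unit 42 tooling. The record layouts, the
user directory, the VPN pool and the IOC entry are constructed assumptions;
substitute your exported logs and the Unit 42 feed."""
from collections import defaultdict
from datetime import datetime
import ipaddress

EXPLOITATION_START = datetime(2026, 6, 12)  # earliest confirmed activity
KNOWN_USERS = {"alice", "bob", "carol"}      # constructed directory export
IOC_SOURCE_IPS = {"203.0.113.77"}            # placeholder entry, not a real IOC
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed VPN address pool
RECON_PORTS = {445, 389, 636, 3389}          # SMB, LDAP, LDAPS, RDP
RECON_HOST_THRESHOLD = 20   # distinct internal hosts on those ports per VPN IP

# Constructed session records: time, username, public source IP, assigned VPN IP
SESSION_LOG = """\
2026-06-11T08:02:11,alice,198.51.100.10,10.200.1.5
2026-06-13T02:14:09,,203.0.113.77,10.200.1.9
2026-06-14T11:30:44,bob,198.51.100.22,10.200.1.6
2026-06-15T23:41:03,svc_unknown,192.0.2.55,10.200.1.12
"""


def parse_sessions(text):
    """Parse the constructed CSV layout into dicts."""
    sessions = []
    for line in text.strip().splitlines():
        ts, user, src_ip, vpn_ip = line.split(",")
        sessions.append({"time": datetime.fromisoformat(ts), "user": user,
                         "src_ip": src_ip, "vpn_ip": vpn_ip})
    return sessions


def build_flows():
    """Constructed flow records as (src_ip, dst_ip, dst_port)."""
    flows = [("10.200.1.5", "10.0.1.20", 443), ("10.200.1.6", "10.0.1.21", 443)]
    # One VPN address sweeping SMB across a /24: the reconnaissance pattern.
    flows += [("10.200.1.9", f"10.0.5.{host}", 445) for host in range(1, 60)]
    return flows


def triage(sessions, flows):
    """Return {vpn_ip: [reasons]} for sessions and addresses worth reviewing."""
    findings = defaultdict(list)
    for s in sessions:
        if s["time"] < EXPLOITATION_START:
            continue  # outside the audit window the advisory gives
        if s["user"] == "" or s["user"] not in KNOWN_USERS:
            findings[s["vpn_ip"]].append("empty or unknown username")
        if s["src_ip"] in IOC_SOURCE_IPS:
            findings[s["vpn_ip"]].append("source IP matches IOC list")
    # Distinct internal hosts touched on reconnaissance ports, per VPN address.
    touched = defaultdict(set)
    for src_ip, dst_ip, dst_port in flows:
        if dst_port in RECON_PORTS and ipaddress.ip_address(src_ip) in VPN_POOL:
            touched[src_ip].add(dst_ip)
    for vpn_ip, hosts in touched.items():
        if len(hosts) >= RECON_HOST_THRESHOLD:
            findings[vpn_ip].append(f"internal scan: {len(hosts)} hosts on recon ports")
    return dict(findings)


if __name__ == "__main__":
    results = triage(parse_sessions(SESSION_LOG), build_flows())
    for vpn_ip, reasons in sorted(results.items()):
        print(vpn_ip, "->", "; ".join(reasons))
```

The flow check is keyed on the assigned VPN address rather than the username on purpose: a session with an empty user field still gets an address from the pool, and that address is what shows up in internal traffic logs, so it is the stable join key between the session audit and the reconnaissance check. Tune RECON_HOST_THRESHOLD against a baseline of legitimate VPN users before acting on the results.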
