What Happened
A critical security flaw has been discovered in GlobalProtect — the virtual private network (VPN) product used by Palo Alto Networks customers to provide remote access to corporate networks. The vulnerability (CVE-2026-0257) allows attackers to connect to an organisation’s internal network as though they were an authorised employee, without supplying any username or password. Palo Alto Networks and the US Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that attackers are actively exploiting this flaw, with victims identified in government, defence, and critical infrastructure sectors since at least 12 June 2026.
Unlike many security vulnerabilities that require an attacker to first steal credentials, this flaw bypasses the credential check entirely. An attacker with internet connectivity can exploit it in seconds, with no prior knowledge of any employee’s account details.
Business Impact
GlobalProtect VPN is the outermost gate to the corporate network for organisations that use Palo Alto Networks firewalls. Exploitation gives an attacker the same level of internal network access as a fully authenticated remote employee — access to internal servers, shared drives, databases, and application systems that are otherwise unreachable from the internet.
The most significant risk is silent, undetected access: because the attacker bypasses the login process entirely, there are no failed login attempts or unusual credential activity to alert security teams. Organisations may have already been compromised without any visible indicator in their identity management or authentication logs.
The initial exploitation pattern observed by Palo Alto’s threat intelligence team involves internal reconnaissance — mapping the corporate network layout — rather than immediate data theft or ransomware deployment. This is characteristic of sophisticated attackers building a foothold for later use, and means the window between initial exploitation and meaningful business harm may be days to weeks rather than hours.
Regulatory Implications
Organisations operating under NIS2 (EU Network and Information Security Directive) that identify exploitation of this vulnerability must report to their national competent authority within 24 hours of becoming aware of a significant incident, with a full report within 72 hours.
Financial services firms subject to DORA (Digital Operational Resilience Act) must assess whether the VPN compromise constitutes an ICT-related incident under their incident classification thresholds and notify their competent authority accordingly.
In the UK, organisations regulated by the FCA or PRA should assess whether potential network access constitutes a material cyber incident requiring notification under FCA supervisory expectations for operational resilience.
Board-Ready Summary
- An attacker can gain access to your internal corporate network through the company’s VPN without knowing any employee’s password — the security check is broken.
- If your organisation uses Palo Alto Networks GlobalProtect VPN and has not yet applied the patch, assume you may have been compromised since 12 June 2026.
- The board action required is to authorise emergency, out-of-cycle patching of the GlobalProtect infrastructure and a review of all network access activity since 12 June.
Recommended Actions
- Immediate (0–24 hours): Confirm whether your organisation uses Palo Alto Networks GlobalProtect VPN and instruct your security team to identify which PAN-OS version is running; cross-reference with the patched versions (11.2.7, 11.1.9, 10.2.14, or 10.1.17) to determine exposure.
- Immediate (0–24 hours): Authorise emergency patching outside the normal maintenance window — this vulnerability is being actively exploited and no standard change management timeline is appropriate; escalate to your Palo Alto Networks account team for priority support if needed.
- Short-term (24–72 hours): Instruct your security operations team to review all VPN access logs from 12 June onward for sessions that cannot be attributed to known employees or authorised devices; any unrecognised sessions during this period should be treated as potential exploitation.
- Short-term (this week): If any suspicious access is identified, engage your incident response capability — either internal or a retained external provider — to assess the extent of internal network reconnaissance and whether sensitive data was accessed.
- Ongoing: Review NIS2/DORA/FCA incident notification thresholds against confirmed or suspected exploitation; engage legal counsel to assess notification obligations if compromise is identified.