// #cve-2026-0257

4 articles

🌐 Network

PAN-OS GlobalProtect CVE-2026-0257 (CVSS 9.3): Authentication Bypass Exploited Against Government and Critical Infrastructure

Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass in the GlobalProtect gateway that allows an unauthenticated attacker to establish VPN sessions as arbitrary users. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue, and Palo Alto's Unit 42 has observed exploitation targeting government and critical infrastructure networks since at least 12 June.

🛡️ SecOps

GlobalProtect CVE-2026-0257 Compromise Indicators: Threat Hunting and Forensic Guide for VPN Gateway Authentication Bypass

Organisations running PAN-OS GlobalProtect gateways on versions vulnerable to CVE-2026-0257 must investigate for compromise during the exposure window, not just apply the patch. This guide covers the specific log sources, indicators of compromise, and post-exploitation patterns to hunt for on PAN-OS GlobalProtect gateways after an authentication bypass zero-day.

🌐 Network

PAN-OS GlobalProtect CVE-2026-0257: Rapid7 Confirms Second Exploitation Wave — CISA Adds to KEV

Rapid7 MDR confirmed on 21 May that a second, larger exploitation wave of CVE-2026-0257, an authentication bypass in Palo Alto Networks GlobalProtect VPN, began on 21 May targeting enterprise sectors not covered in the initial wave. CISA added the CVE to the Known Exploited Vulnerabilities catalogue with a 1 June remediation deadline. The vulnerability affects PAN-OS 10.2, 11.1, 11.2, and 12.1 as well as Prisma Access.

🔑 IAM

VPN Authentication Bypass: Identity and Access Containment Response After GlobalProtect Compromise

When a VPN authentication bypass like CVE-2026-0257 is exploited, the attacker enters the network without leaving identity provider audit trails. Standard identity-based detection misses the initial access. This creates a specific response challenge: containing a network breach where the entry event did not generate authentication telemetry and the scope of subsequent access is unknown.
