// #globalprotect
8 articles
PAN-OS GlobalProtect CVE-2026-0257 (CVSS 9.3): Authentication Bypass Exploited Against Government and Critical Infrastructure
Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass in the GlobalProtect gateway that allows an unauthenticated attacker to establish VPN sessions as arbitrary users. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue, and Palo Alto's Unit 42 has observed exploitation targeting government and critical infrastructure networks since at least 12 June.
Palo Alto Networks Patches PAN-OS Command Injection CVE-2026-0273 Across All Active Branches
Palo Alto Networks has patched CVE-2026-0273, a command injection vulnerability in the PAN-OS web management interface that allows authenticated administrators to execute arbitrary OS commands on the firewall. The vulnerability affects PAN-OS versions 10.1 through 11.2 and all active GlobalProtect gateway configurations. Updates are available across all supported branches.
GlobalProtect CVE-2026-0257 Compromise Indicators: Threat Hunting and Forensic Guide for VPN Gateway Authentication Bypass
Organisations running PAN-OS GlobalProtect gateways on versions vulnerable to CVE-2026-0257 must investigate for compromise during the exposure window, not just apply the patch. This guide covers the specific log sources, indicators of compromise, and post-exploitation patterns to hunt for on PAN-OS GlobalProtect gateways after an authentication bypass zero-day.
PAN-OS GlobalProtect CVE-2026-0257: Rapid7 Confirms Second Exploitation Wave — CISA Adds to KEV
Rapid7 MDR confirmed on 21 May that a second, larger exploitation wave of CVE-2026-0257, an authentication bypass in Palo Alto Networks GlobalProtect VPN, began on 21 May targeting enterprise sectors not covered in the initial wave. CISA added the CVE to the Known Exploited Vulnerabilities catalogue with a 1 June remediation deadline. The vulnerability affects PAN-OS 10.2, 11.1, 11.2, and 12.1 as well as Prisma Access.
VPN Authentication Bypass: Identity and Access Containment Response After GlobalProtect Compromise
When a VPN authentication bypass like CVE-2026-0257 is exploited, the attacker enters the network without leaving identity provider audit trails. Standard identity-based detection misses the initial access. This creates a specific response challenge: containing a network breach where the entry event did not generate authentication telemetry and the scope of subsequent access is unknown.
PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.
Palo Alto PAN-OS CVE-2026-3197: SAML Auth Bypass Under Mass Exploitation by Nation-State Actors
A critical SAML authentication bypass in Palo Alto Networks PAN-OS GlobalProtect allows unauthenticated remote attackers to gain administrative firewall access. CVE-2026-3197 chains with a command injection flaw to achieve root-level OS execution and is being exploited by at least three distinct threat actor clusters including a China-nexus nation-state group. CISA has added it to the KEV catalogue.
PAN-OS GlobalProtect Denial-of-Service CVE-2026-0227 — PoC Published, Firewalls Risk Forced Maintenance Mode
A proof-of-concept exploit has been published for CVE-2026-0227, a denial-of-service vulnerability in Palo Alto Networks PAN-OS affecting GlobalProtect gateways and portals. An unauthenticated remote attacker can crash the firewall into a mandatory maintenance mode by sending malformed requests to the GlobalProtect interface. Prisma Access deployments are also affected. Palo Alto has released patches; the PoC significantly elevates exploitation risk.