DEV Community

Security Cyber

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

A new authentication bypass vulnerability (CVE-2026-0257) in PAN-OS is being actively exploited in the wild. The flaw lets attackers establish VPN connections without valid credentials. This is not a theoretical risk or a proof of concept — real attacks are happening right now, and the window to respond is already closing.

Authentication bypass flaws in PAN-OS follow a well-established timeline. The vulnerability sits in the code for months or years before discovery. It gets a CVE number and a CVSS score. A patch is released on schedule. Meanwhile, threat actors have found it independently and have been exploiting it quietly. By the time the vendor issues an advisory about active exploitation, the attackers have already come and gone through the open door. This pattern played out with CVE-2023-27997 in Fortinet, with CVE-2021-22893 in Pulse Secure, and with CVE-2023-46805 in Ivanti. The names change. The anatomy of failure does not.

The specific details from this reporting matter. According to The Hacker News (Sat, 30 May 2026 12:11:26): Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by

What makes VPN authentication bypasses particularly dangerous is the access model. A VPN gateway is designed to be the controlled entry point to an internal network. When authentication is bypassed, the attacker does not just get a user session — they get a network-positioned foothold that bypasses perimeter controls. Every firewall rule, every segmentation policy, every zero-trust assumption that depends on authenticated VPN access becomes conditional on a check that can be skipped.

The uncomfortable truth is that most organizations cannot answer the most basic questions about their exposure right now. Which versions of PAN-OS are deployed? Were those systems patched within 24 hours of the advisory? Are VPN authentication logs being monitored for anomalous sessions that predate the patch? If the answer to any of these is 'we do not know,' then the real problem is not just this specific vulnerability. It is a fundamental gap in operational visibility that this incident has now made critical.

Immediate steps: verify your PAN-OS version against the vendor's advisory. Apply the patch or workaround immediately. Review authentication logs for any sessions that bypass normal credential validation. If you find indicators of compromise, assume lateral movement has occurred and scope accordingly. Longer term: question any security architecture that places absolute trust in a single authentication boundary.
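One concrete form of the log review above, added here as an example that is not from the original post or from Palo Alto Networks: it correlates gateway login events with credential-validation events and flags sessions that have no matching validation, which is the footprint an authentication bypass leaves behind. The log layout, event names, session ids and the 120-second window are constructed assumptions for this example, not the real PAN-OS GlobalProtect schema; adapt the parser to your gateway's actual fields.

```python
"""Flag VPN sessions whose login has no preceding credential validation."""
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp|event|user|src_ip|session_id
SAMPLE_LOG = """\
2026-05-29T08:00:01Z|auth-success|alice|203.0.113.10|s1001
2026-05-29T08:00:02Z|gateway-login|alice|203.0.113.10|s1001
2026-05-29T08:05:17Z|gateway-login|bob|198.51.100.7|s1002
2026-05-29T09:12:44Z|auth-success|carol|203.0.113.20|s1003
2026-05-29T09:40:00Z|gateway-login|carol|203.0.113.20|s1003
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumption: a legitimate login follows its credential check within this window.
AUTH_WINDOW = timedelta(seconds=120)


def parse_events(log_text):
    """Parse the constructed pipe-delimited lines into dicts."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src, sid = line.split("|")
        yield {"ts": datetime.strptime(ts, TS_FMT), "event": event,
               "user": user, "src": src, "sid": sid}


def find_suspect_sessions(log_text, patch_time=None):
    """Return {session_id: details} for gateway logins lacking an auth-success
    from the same user and source IP within AUTH_WINDOW beforehand.
    patch_time (ISO string, optional) marks whether the session predates the fix."""
    events = list(parse_events(log_text))
    auths = [e for e in events if e["event"] == "auth-success"]
    patched_at = datetime.strptime(patch_time, TS_FMT) if patch_time else None
    suspects = {}
    for e in events:
        if e["event"] != "gateway-login":
            continue
        validated = any(
            a["user"] == e["user"] and a["src"] == e["src"]
            and timedelta(0) <= e["ts"] - a["ts"] <= AUTH_WINDOW
            for a in auths)
        if not validated:
            suspects[e["sid"]] = {"user": e["user"], "src": e["src"],
                                  "pre_patch": bool(patched_at and e["ts"] < patched_at)}
    return suspects
```

Sessions flagged as both unvalidated and pre-patch are the ones to treat as potential bypass activity and scope for lateral movement.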

Track active vulnerabilities, exploitation timelines, and detailed remediation guidance at https://securitycyber.uk. We monitor these threats continuously so you do not have to.


Originally published at https://securitycyber.uk
