Security Cyber

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

Palo Alto Networks has confirmed that CVE-2026-0257, an authentication bypass in PAN-OS GlobalProtect, is under active exploitation in the wild. The flaw carries a CVSS score of 7.8 and allows an attacker to establish a VPN session without valid credentials. This is not a theoretical disclosure: real attacks are happening now.

To understand why this matters, you need to understand what GlobalProtect actually does. It is the VPN gateway that tens of thousands of organizations use to provide remote access to their internal networks. When you authenticate to GlobalProtect, you are essentially proving you are allowed through the front door. CVE-2026-0257 lets someone walk through that door without showing ID.

The vulnerability affects both PAN-OS and Prisma Access, so cloud-delivered and on-premises deployments are both in scope. The attack surface is enormous: Palo Alto Networks is one of the most widely deployed enterprise firewall and VPN vendors in the world, and an authentication bypass in its flagship remote access product is about as bad as it gets for enterprise security teams, whatever the CVSS number says.

Authentication bypass vulnerabilities in VPN gateways follow a depressingly familiar pattern. The playbook is always the same: a flaw exists that lets an attacker skip the authentication step, they establish a VPN session as if they were a legitimate user, and from inside the tunnel they have whatever access the gateway's security policy grants that session, which in many environments means broad reach into the internal network. The attacker does not need to crack passwords or steal tokens. They simply walk through the gap.

What makes this particularly dangerous is the timeline. The vulnerability was "recently disclosed" but is already under active exploitation. The gap between disclosure and exploitation has been shrinking for years, and for high-value targets such as VPN infrastructure it is now routinely measured in days rather than weeks. Sometimes exploitation precedes disclosure entirely, which means Palo Alto's "active exploitation" warning may be describing damage that has already occurred.

The uncomfortable truth is that most organizations using GlobalProtect cannot easily determine whether they have already been compromised through this vector. VPN authentication logs will show successful connections, and if the bypass works as described, those connections look legitimate on the gateway itself. The forensic signature is minimal. What does differ is the context around the event: a session that never actually passed authentication leaves no matching record at the identity provider or MFA service, and its source address, time of day and account can still be compared against that user's normal pattern. An attacker who gains access through this bypass and then moves laterally using legitimate credentials leaves almost no trace that distinguishes their session from a real user's.

Patching is urgent but not sufficient on its own. Every organization running PAN-OS or Prisma Access needs to answer three questions immediately: what version are they running, has the patch been applied, and can they review VPN session logs for anomalous connections that predate the patch? If the answer to the third question is "we do not have adequate logging," then the real problem is not just this CVE — it is a fundamental gap in visibility that this CVE has now made critical.
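To make the log review discussed above concrete, here is an added example (not code from the original post, and not Palo Alto Networks' own tooling) of triage logic run over a constructed sample of GlobalProtect gateway authentication events and a constructed identity-provider audit trail. The CSV column names, the two-minute correlation window and the patch time are assumptions made for the example, not an authoritative PAN-OS log schema. The point it demonstrates is what still separates a bypassed session from a real one when the gateway itself records a success: no matching IdP event, a source address the user has never used, or one address authenticating several accounts.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of GlobalProtect gateway authentication events in a CSV
# shape approximating a log export. Column names are an assumption for this
# example, not an authoritative PAN-OS schema.
GP_EVENTS_CSV = """time,event,status,user,public_ip,auth_method
2026-01-10 08:02:11,gateway-auth,success,alice,203.0.113.10,SAML
2026-01-10 08:05:40,gateway-auth,success,bob,198.51.100.7,SAML
2026-01-10 08:06:02,gateway-auth,failure,carol,198.51.100.9,SAML
2026-01-11 23:48:02,gateway-auth,success,alice,192.0.2.77,SAML
2026-01-12 03:15:09,gateway-auth,success,svc-backup,192.0.2.77,SAML
2026-01-12 09:00:00,gateway-auth,success,bob,198.51.100.7,SAML
"""

# Constructed identity-provider audit trail of successful SAML assertions.
# A login that really passed authentication leaves one of these shortly
# before the gateway records success; a session opened without valid
# credentials should not.
IDP_EVENTS_CSV = """time,user,result
2026-01-10 08:02:05,alice,success
2026-01-10 08:05:33,bob,success
2026-01-12 08:59:52,bob,success
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
IDP_WINDOW = timedelta(minutes=2)  # assumed tolerance for IdP/gateway clock skew


def parse_csv(text):
    """Parse a CSV export into dicts, converting the time column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], TS_FORMAT)
    return rows


def triage_gp_sessions(gp_csv, idp_csv, patch_time):
    """Return findings for successful gateway logins that look anomalous.

    Rules:
      no-idp-event      gateway success with no IdP success for that user
                        within IDP_WINDOW before it (what a bypass leaves when
                        the identity provider is never consulted)
      new-source-ip     the user logged in from a public IP never seen for them
      shared-source-ip  one public IP has now authenticated more than one account
    Each finding records whether it predates patch_time (a TS_FORMAT string),
    i.e. whether it falls in the exposure window that must be reviewed.
    """
    patch_dt = datetime.strptime(patch_time, TS_FORMAT)
    gp = sorted(parse_csv(gp_csv), key=lambda r: r["time"])
    idp_by_user = defaultdict(list)
    for r in parse_csv(idp_csv):
        if r["result"] == "success":
            idp_by_user[r["user"]].append(r["time"])

    seen_ips = defaultdict(set)      # user -> public IPs seen so far
    users_per_ip = defaultdict(set)  # public IP -> accounts that used it
    findings = []

    def add(rule, row):
        findings.append({
            "rule": rule,
            "user": row["user"],
            "public_ip": row["public_ip"],
            "time": row["time"].strftime(TS_FORMAT),
            "pre_patch": row["time"] < patch_dt,
        })

    for row in gp:
        if row["event"] != "gateway-auth" or row["status"] != "success":
            continue
        t = row["time"]
        # A real login has an IdP success shortly before the gateway success.
        if not any(t - IDP_WINDOW <= it <= t for it in idp_by_user[row["user"]]):
            add("no-idp-event", row)
        # Only flag a new address once the user has a history to compare with.
        if seen_ips[row["user"]] and row["public_ip"] not in seen_ips[row["user"]]:
            add("new-source-ip", row)
        seen_ips[row["user"]].add(row["public_ip"])
        users_per_ip[row["public_ip"]].add(row["user"])
        if len(users_per_ip[row["public_ip"]]) > 1:
            add("shared-source-ip", row)
    return findings


if __name__ == "__main__":
    # Assumed patch time for the constructed data.
    for finding in triage_gp_sessions(GP_EVENTS_CSV, IDP_EVENTS_CSV, "2026-01-12 12:00:00"):
        print(finding)
```

Against the constructed data this flags alice's late-night login from an unfamiliar address with no IdP record, and the svc-backup login from that same address, while bob's routine sessions pass. In practice you would export gateway and IdP logs for the whole window before the patch, map the column names to your export, and treat a success with no IdP record as a lead to investigate rather than proof of compromise, because clock skew, local-database authentication and gaps in IdP logging produce the same signal.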

Track active vulnerabilities, exploitation timelines, and remediation guidance at https://securitycyber.uk.

Mastodon: https://infosec.exchange/@securitycyber
LinkedIn: https://www.linkedin.com/in/charlie-collins-sec
Bluesky: https://bsky.app/profile/securitycyberuk.bsky.social
Substack: https://securitycyber.substack.com
Discord: https://discord.gg/securitycyber

Recommended resources to go deeper: https://www.hackthebox.com for hands-on practice, https://portswigger.net/web-security for free web security labs, and https://academy.tcm-sec.com for structured courses.

Originally published at https://securitycyber.uk