A newly disclosed security vulnerability affecting enterprise firewall systems has been actively exploited in the wild, prompting urgent warnings from cybersecurity agencies and vendors.
The flaw, tracked as PAN-OS CVE-2026-0257, impacts GlobalProtect VPN services used by organizations worldwide, allowing attackers to bypass authentication and establish unauthorized network access.
Authentication Bypass Enables VPN Takeover
According to security researchers, the vulnerability exists in the GlobalProtect portal and gateway components of Palo Alto Networks’ PAN-OS software.
Attackers can exploit the issue when specific configurations are enabled, particularly authentication override cookies combined with certain certificate settings. Once exploited, the flaw allows unauthorized users to initiate VPN sessions without valid credentials.
The vulnerability carries a CVSS severity score of 7.8, categorizing it as a high-risk security issue.
Active Exploitation Detected in the Wild
In a recent update, Palo Alto Networks confirmed that it has observed limited real-world exploitation attempts targeting unpatched systems.
Cybersecurity firm Rapid7 reported that attacks were detected in multiple customer environments, with activity dating back to mid-May 2026. Researchers identified at least two waves of exploitation, suggesting coordinated attempts by the same threat actor.
In some cases, attackers were able to successfully obtain VPN access and internal network connectivity, potentially exposing sensitive enterprise systems.
Government Agencies Issue Emergency Alerts
The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply mitigation measures immediately.
Affected organizations are being urged to patch systems without delay or apply temporary safeguards to reduce exposure.
Mitigation and Security Recommendations
Security experts recommend immediate action for organizations using affected systems, including:
- Disabling authentication override features where possible
- Regenerating certificates tied to authentication processes
- Applying vendor-provided security patches
- Monitoring VPN logs for unusual login patterns
- Restricting external access to GlobalProtect portals
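As an added example (not code from Palo Alto Networks, Rapid7 or the original article), one way to approach the log-monitoring recommendation is to flag successful cookie-authenticated VPN sessions that have no recent credential login behind them. The CSV layout, field names and 24-hour cookie lifetime are assumptions, and the sample records are constructed; this is not the PAN-OS log schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in a simplified CSV layout (NOT the PAN-OS log schema).
SAMPLE_LOG = """\
time,user,src_ip,auth_method,status
2026-05-14T08:01:12,alice,198.51.100.10,password,success
2026-05-14T12:30:45,alice,198.51.100.10,cookie,success
2026-05-15T03:12:09,bob,203.0.113.77,cookie,success
2026-05-15T09:00:00,carol,198.51.100.22,password,success
2026-05-15T09:45:00,carol,203.0.113.80,cookie,success
2026-05-16T10:00:00,alice,198.51.100.10,cookie,success
2026-05-16T11:00:00,dave,192.0.2.5,cookie,failure
"""

COOKIE_LIFETIME = timedelta(hours=24)  # assumption: set to your configured lifetime


def find_suspicious_cookie_logins(log_text, lifetime=COOKIE_LIFETIME):
    """Return (time, user, src_ip, reason) for cookie logins lacking a backing credential login."""
    last_cred = {}  # user -> (time, src_ip) of latest successful credential login
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    for row in rows:
        if row["status"] != "success":
            continue
        when = datetime.fromisoformat(row["time"])
        user, src = row["user"], row["src_ip"]
        if row["auth_method"] != "cookie":
            last_cred[user] = (when, src)  # remember the credential-based login
            continue
        prior = last_cred.get(user)
        if prior is None:
            reason = "no prior credential login"
        elif when - prior[0] > lifetime:
            reason = "credential login older than cookie lifetime"
        elif src != prior[1]:
            reason = "source IP differs from credential login"  # triage hint only
        else:
            continue
        findings.append((row["time"], user, src, reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_cookie_logins(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Roaming users legitimately change source addresses, so the IP-mismatch finding is a prompt for review rather than proof of compromise.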
Cybersecurity analysts warn that edge VPN appliances remain high-value targets due to their direct access to internal corporate networks.
Broader Context of Rising VPN Exploits
The incident follows a series of recent attacks targeting enterprise security infrastructure, including endpoint management systems and network appliances.
Experts say attackers are increasingly focusing on perimeter technologies such as VPN gateways because successful exploitation often leads to full internal network access.
Outlook
With active exploitation already underway, security officials warn that organizations that delay patching may already be exposed to unauthorized access attempts.
Investigations are ongoing to identify the threat actors behind the campaign and assess the full scope of impacted systems.