A critical authentication bypass vulnerability in Palo Alto Networks’ PAN-OS GlobalProtect has been actively exploited since mid-May, with successful attacks reported as early as May 17. The flaw allows attackers to gain unauthorized access to virtual private networks (VPNs) without valid credentials, targeting misconfigured portal and gateway components in the software. CISA added the vulnerability, CVE-2026-0257, which affects PAN-OS and Prisma Access, to its Known Exploited Vulnerabilities (KEV) catalog on May 29, underscoring its immediate threat to organizations using affected systems.
Palo Alto Networks disclosed the issue on May 13, initially assigning it a medium severity rating. However, after real-world exploitation was confirmed, the vulnerability’s CVSS score was upgraded from 7.8 (CVSS 4.0) to 9.1 (CVSS 3.1), reflecting its severe impact. The exploit timeline reveals two distinct attack waves beginning in mid-May, with widespread breaches reported across multiple customers by May 17. This escalation highlights the urgency for organizations to apply patches and reconfigure systems to mitigate risks.
The vulnerability stems from misconfigurations in PAN-OS GlobalProtect portal and gateway settings, enabling attackers to bypass authentication mechanisms entirely. Once exploited, malicious actors can access sensitive internal networks, potentially leading to data exfiltration or lateral movement within compromised environments. The technical details emphasize that the flaw is not limited to a specific version of PAN-OS but affects configurations where authentication checks are improperly enforced.
CISA’s inclusion of the vulnerability in its KEV catalog serves as a warning for federal agencies and private sector entities to prioritize remediation efforts. Palo Alto Networks has released updates to address the issue, though organizations are urged to verify their configurations and apply patches immediately. The confirmed exploitation timeline underscores the importance of proactive security measures, as delayed responses could leave systems exposed to ongoing attacks.
This incident reinforces the need for rapid vulnerability disclosure and patch deployment. Organizations using PAN-OS GlobalProtect must audit their network setups and ensure authentication policies are strictly enforced to prevent unauthorized access. The case also highlights CISA’s role in identifying and publicizing actively exploited flaws, enabling broader awareness and mitigation strategies across critical infrastructure sectors.