Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Essential information
- Published
- 05/06/2026 19:40
- Modified
- 08/06/2026 08:53
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- authentication bypass cve-2026-0257 gateway compromise globalprotect pan-os
- Tags
- 2026-06-05 CVE-2026-0257 authentication bypass gateway compromise globalprotect pan-os
- Related entities
- 1 vulnerabilities (cve), 9 indicators, 9 observables, 10 techniques (mitre)
Description
An unidentified threat actor is actively exploiting CVE-2026-0257, an authentication bypass vulnerability in PAN-OS GlobalProtect portal and gateway components. The flaw allows unauthorized attackers to circumvent security controls and initiate VPN connections. The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog on May 29, 2026. Exploitation activity has been detected targeting GlobalProtect, with a small portion of probed devices successfully establishing VPN sessions. No post-access behavior or lateral movement has been identified. Organizations are advised to hunt for indicators including specific IP addresses, suspicious host IDs, and MAC addresses. Palo Alto Networks recommends following security advisory guidance, implementing available workarounds, and upgrading to patched versions.