Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

June 8, 2026, 8:53 a.m.

Description

An unidentified threat actor is actively exploiting CVE-2026-0257, an authentication bypass vulnerability in PAN-OS GlobalProtect portal and gateway components. The flaw allows unauthorized attackers to circumvent security controls and initiate VPN connections. The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog on May 29, 2026. Exploitation activity has been detected targeting GlobalProtect, with a small portion of probed devices successfully establishing VPN sessions. No post-access behavior or lateral movement has been identified. Organizations are advised to hunt for indicators including specific IP addresses, suspicious host IDs, and MAC addresses. Palo Alto Networks recommends following security advisory guidance, implementing available workarounds, and upgrading to patched versions.

Date

  • Created: June 5, 2026, 5:40 p.m.
  • Published: June 5, 2026, 5:40 p.m.
  • Modified: June 8, 2026, 8:53 a.m.

Indicators

