Palo Alto Warns of Active Exploitation
Overview Palo Alto Networks has confirmed active exploitation of a recently disclosed PAN‑OS vulnerability — CVE‑2026‑0257 — that allows unauthorized access to GlobalProtect VPN portals. The flaw, rated CVSS 7.8, is an authentication bypass affecting the portal and gateway components of PAN‑OS. Attackers can leverage it to initiate VPN connections without valid credentials, bypassing security controls entirely. Vulnerability Details Attribute Description CVE ID CVE‑2026‑0257 Severity CVSS 7.8 – High Type Authentication Bypass Affected Components GlobalProtect Portal and Gateway First Observed Exploitation May 17, 2026 Threat Actor Unknown (under investigation) The vulnerability permits attackers to set up unauthorized VPN sessions and gain gateway‑level access. While the scope of exploitation remains limited, the activity marks a serious risk for organizations running unpatched PAN‑OS instances. Exploitation Activity Palo Alto Networks observed probing and connection attempts against GlobalProtect portals beginning mid‑May. Only a small portion of devices established VPN sessions, and no lateral movement or post‑access behavior has been detected so far. “Only a small portion of the probed devices actually established VPN sessions, resulting in gateway‑connected events,” the company noted. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE‑2026‑0257 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to mitigate the flaw by June 1, 2026. Indicators of Compromise (IoCs) Organizations should review GlobalProtect logs for gateway‑connected events matching the following hard‑coded client configuration values from a PoC exploit: Parameter […]