โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY ๐Ÿ”ด 1ร—KEV

CVE-2026-0257 in Palo Alto Networks PAN-OS: Actively Exploited Authentication Bypass Added to CISA KEV

📅 May 31, 2026 🔴 Exploit Risk: 0.366 📊 Intelligence Score: 56/100 📰 2 sources synthesized
Intelligence Metadata

First Reported By: thehackernews.com
Outbreak Velocity: 635 minutes spread to 2 unique domains
Consensus: 2 sources across 2 unique domains
CVSS Score: Not available
EPSS Score: 0.41505 (90.6th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.3660
Race Label: ZERO-DAY RACE

Technical Analysis

CVE-2026-0257 is an authentication bypass vulnerability within the GlobalProtect VPN functionality of Palo Alto Networks' PAN-OS. The specific technical mechanism of the flaw has not been detailed in the available intelligence. However, the vulnerability class implies that an unauthenticated, remote attacker can circumvent authentication controls on an exposed GlobalProtect interface.

A successful exploit would likely grant the attacker access to the internal network resources that the VPN is configured to protect. This represents a critical failure of a primary network security boundary, allowing an external threat actor to establish an initial foothold within the target environment without credentials.

Affected Systems

Vendor: Palo Alto Networks
Affected Versions:
  • PAN-OS (GlobalProtect feature)
Exposure: Publicly facing GlobalProtect VPN gateways.
Blast Radius: High. Includes all organizations utilizing Palo Alto Networks firewalls with the GlobalProtect feature exposed to the internet. The exact range of affected PAN-OS versions has not been specified in the available intelligence.

Intelligence Context

The addition of CVE-2026-0257 to the CISA KEV catalog is the primary driver for prioritization. This serves as CONFIRMED evidence of in-the-wild exploitation. The high EPSS score of 0.41505 further substantiates the immediate risk, predicting a greater than 40% chance of exploitation activity within the next 30 days. The 'ZERO-DAY RACE' label indicates that attackers began exploiting the vulnerability before or concurrently with its public disclosure, leaving defenders with no time to prepare. Despite the lack of a CVSS score and a low vendor risk score, the combination of KEV status and active exploitation makes this a critical threat requiring immediate attention.

Remediation & Defense

Investigate exposed assets immediately for signs of compromise. Apply patches as soon as they are released by the vendor.
Patch Status: Not available
Patch Version: Not available. Monitor Palo Alto Networks security advisories for an official patch.
Workarounds:
  • No specific workarounds have been provided. Consider restricting access to the GlobalProtect interface to trusted IP addresses if operationally feasible, pending a patch.
Detection Hints:
  • Monitor firewall and VPN logs for anomalous authentication patterns, such as successful logins without corresponding authentication attempts or connections from unexpected geographic locations.
  • Investigate for any unauthorized user accounts or unexpected internal network activity originating from the VPN user subnet.
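
The first detection hint, written out as a log correlation. This is an added example, not vendor or source code. The event schema, field names and sample records are constructed for illustration and are not the PAN-OS log format; map them to the fields your log pipeline actually exports.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema:
# timestamp, event, user, source IP, status
SAMPLE_EVENTS = """\
2026-05-31T08:00:01,auth,alice,198.51.100.10,success
2026-05-31T08:00:03,connected,alice,198.51.100.10,success
2026-05-31T08:05:00,auth,bob,203.0.113.7,failure
2026-05-31T08:05:02,connected,bob,203.0.113.7,success
2026-05-31T08:10:00,connected,svc-backup,192.0.2.44,success
2026-05-31T09:30:00,auth,carol,198.51.100.20,success
2026-05-31T09:50:00,connected,carol,198.51.100.20,success
"""

def parse_events(text):
    """Parse the constructed CSV lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, src_ip, status = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src_ip": src_ip, "status": status})
    return sorted(events, key=lambda e: e["ts"])

def find_unauthenticated_sessions(events, window=timedelta(minutes=5)):
    """Return successful 'connected' events that have no successful 'auth'
    event for the same user and source IP within the preceding window."""
    last_auth = {}   # (user, src_ip) -> time of most recent successful auth
    findings = []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["event"] == "auth" and e["status"] == "success":
            last_auth[key] = e["ts"]
        elif e["event"] == "connected" and e["status"] == "success":
            seen = last_auth.get(key)
            if seen is None or e["ts"] - seen > window:
                findings.append(e)
    return findings

if __name__ == "__main__":
    for f in find_unauthenticated_sessions(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts'].isoformat()} {f['user']} {f['src_ip']}: "
              "session without a recent successful authentication")
```

Sessions resumed from a cached authentication would also be flagged, so tune the window and treat each hit as a lead for review rather than proof of compromise.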
