VULNERABILITY 🔴 1×KEV
CVE-2026-0257, a CISA KEV-listed authentication bypass in Palo Alto Networks PAN-OS GlobalProtect VPN, is under active exploitation as of 2026-05-29, with BleepingComputer and The Hacker News both confirming observed in-the-wild attacks.
CVE-2026-0257 is an authentication bypass vulnerability in the Palo Alto Networks PAN-OS GlobalProtect VPN component. GlobalProtect is the standard remote-access VPN solution shipped across Palo Alto's next-generation firewall appliances, and the GlobalProtect portal/gateway interfaces are, by design, reachable from the public internet to serve remote workers. The vulnerability class — authentication bypass — indicates that the device fails to correctly enforce identity checks on at least one control-plane path, allowing a remote, unauthenticated actor to reach protected resources or session states that should require valid credentials.
The attack chain requires no prior credentials. The only meaningful precondition is network reachability of the GlobalProtect interface on TCP/443 (or any non-standard HTTPS port the administrator has re-mapped). Once reached, an attacker submits a crafted request that the vulnerable code path processes without performing the expected authentication step, granting the attacker a privileged session or direct access to internal network resources. Because the flaw is in the authentication layer rather than in a post-auth feature, the blast radius is effectively the full set of networks and services protected by the VPN tunnel.
Sources differ in their framing — The Hacker News frames this as a global, active exploitation campaign, while BleepingComputer emphasizes that attackers have weaponized the flaw — but both converge on the same operational conclusion: the vulnerability is in use against production GlobalProtect deployments as of late May 2026. No CVSS vector string has been published in the available intelligence; the KEV listing itself is the primary severity anchor.
CVE-2026-0257 is a high-priority patch item despite the absence of a published CVSS score, for three converging signals. First, CISA added it to the Known Exploited Vulnerabilities catalog on 2026-05-29 — a CONFIRMED-tier data point that this is being exploited in the wild, which overrides the LOW vendor risk score of 0.02 (the vendor risk score reflects baseline Palo Alto exposure, not this specific CVE's exploitation probability). Second, the EPSS of 0.41505 places this vulnerability in roughly the 41st percentile of likelihood-to-be-exploited, which is unusually high for a vulnerability without a published CVSS — that score is being driven almost entirely by observed exploitation evidence feeding the EPSS model. Third, the race label is ZERO-DAY RACE, driven by the 2-day window since KEV addition; defenders are racing weaponized exploit code that is already in attacker hands.
For prioritization, this is a patch-immediately CVE for any organization with a GlobalProtect portal reachable from the public internet. The KEV designation also triggers BOD 22-01 obligations for U.S. federal agencies and contractual remediation timelines for many regulated enterprises. The low vendor risk score should be disregarded for this specific CVE; it is a portfolio-level metric, not an indicator of this flaw's severity.
CONFIRMED. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on 2026-05-29, which is the highest-confidence evidence tier for in-the-wild exploitation. This is independently corroborated by The Hacker News and BleepingComputer, both reporting active attack campaigns against GlobalProtect deployments. The exploitation race label is ZERO-DAY RACE, meaning weaponized exploit code is already circulating.
Palo Alto Networks PAN-OS devices with the GlobalProtect VPN portal/gateway feature enabled are affected. Specific vulnerable and fixed version strings are not available in the current intelligence input — confirm against the official Palo Alto Networks security advisory before applying patches.
Hunt for GlobalProtect session establishment events that lack a corresponding pre-logon or authentication record, anomalous source IPs or geolocations completing GlobalProtect handshakes, spikes in portal HTTPS requests from single non-corporate sources, and post-VPN traffic from GlobalProtect-assigned IP pools that deviates from baseline. The vulnerability enables auth-bypass, so any successful session with no credential artifact is a primary indicator.
CVSS is not available in the current intelligence input — no published score has been provided. EPSS is 0.41505, placing exploitation probability in roughly the 41st percentile and serving as a strong prioritization signal even in the absence of CVSS. CISA KEV listing on 2026-05-29 is the primary severity anchor and should drive immediate remediation.
Specific patch version is not available in the current input. CISA KEV listings require a vendor-supplied remediation, so a patch is expected to exist — confirm the fixed version directly from Palo Alto Networks' official security advisory portal. Until the exact version is verified, network-layer restriction of GlobalProtect portal access is the recommended emergency mitigation.