← Back to Cyber Intelligence News
Live Threat Intelligence API — Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY 🔴 1×KEV

CVE-2026-0257 in Palo Alto Networks PAN-OS GlobalProtect: CISA KEV-Listed Auth Bypass Under Active Exploitation

📅 May 31, 2026 🔴 Exploit Risk: 0.366 📊 Intelligence Score: 56/100 📰 2 sources synthesized
TL;DR — Read this first
CVE-2026-0257, a CISA KEV-listed authentication bypass in Palo Alto Networks PAN-OS GlobalProtect VPN, is under active exploitation as of 2026-05-29, with BleepingComputer and The Hacker News both confirming observed in-the-wild attacks.
Intelligence Metadata
First Reported Bythehackernews.com
Outbreak Velocity635 minutes to 2 unique domains
Consensus2 sources across 2 unique domains (thehackernews.com, bleepingcomputer.com)
CVSS ScoreNot available (no CVSS published in input)
EPSS Score0.41505 (~41.5th percentile probability of exploitation within 30 days)
CISA KEV StatusConfirmed (added 2026-05-29)
Exploit Risk Score0.366
Race LabelZERO-DAY RACE

Technical Analysis

CVE-2026-0257 is an authentication bypass vulnerability in the Palo Alto Networks PAN-OS GlobalProtect VPN component. GlobalProtect is the standard remote-access VPN solution shipped across Palo Alto's next-generation firewall appliances, and the GlobalProtect portal/gateway interfaces are, by design, reachable from the public internet to serve remote workers. The vulnerability class — authentication bypass — indicates that the device fails to correctly enforce identity checks on at least one control-plane path, allowing a remote, unauthenticated actor to reach protected resources or session states that should require valid credentials.

The attack chain requires no prior credentials. The only meaningful precondition is network reachability of the GlobalProtect interface on TCP/443 (or any non-standard HTTPS port the administrator has re-mapped). Once reached, an attacker submits a crafted request that the vulnerable code path processes without performing the expected authentication step, granting the attacker a privileged session or direct access to internal network resources. Because the flaw is in the authentication layer rather than in a post-auth feature, the blast radius is effectively the full set of networks and services protected by the VPN tunnel.

Sources differ in their framing — The Hacker News frames this as a global, active exploitation campaign, while BleepingComputer emphasizes that attackers have weaponized the flaw — but both converge on the same operational conclusion: the vulnerability is in use against production GlobalProtect deployments as of late May 2026. No CVSS vector string has been published in the available intelligence; the KEV listing itself is the primary severity anchor.

Affected Systems

Vendor: Palo Alto Networks
Affected Versions:
  • PAN-OS with GlobalProtect portal/gateway enabled (specific vulnerable versions not available in input)
Exposure: Publicly facing — GlobalProtect portals are internet-reachable by design to support remote workforces.
Blast Radius: All organizations operating Palo Alto firewalls with GlobalProtect VPN enabled and exposed to the internet. Includes any internal network segments, cloud routes, and resources reachable through the VPN tunnel post-auth.

Intelligence Context

CVE-2026-0257 is a high-priority patch item despite the absence of a published CVSS score, for three converging signals. First, CISA added it to the Known Exploited Vulnerabilities catalog on 2026-05-29 — a CONFIRMED-tier data point that this is being exploited in the wild, which overrides the LOW vendor risk score of 0.02 (the vendor risk score reflects baseline Palo Alto exposure, not this specific CVE's exploitation probability). Second, the EPSS of 0.41505 places this vulnerability in roughly the 41st percentile of likelihood-to-be-exploited, which is unusually high for a vulnerability without a published CVSS — that score is being driven almost entirely by observed exploitation evidence feeding the EPSS model. Third, the race label is ZERO-DAY RACE, driven by the 2-day window since KEV addition; defenders are racing weaponized exploit code that is already in attacker hands.

For prioritization, this is a patch-immediately CVE for any organization with a GlobalProtect portal reachable from the public internet. The KEV designation also triggers BOD 22-01 obligations for U.S. federal agencies and contractual remediation timelines for many regulated enterprises. The low vendor risk score should be disregarded for this specific CVE; it is a portfolio-level metric, not an indicator of this flaw's severity.

Remediation & Defense

Patch immediately on internet-exposed GlobalProtect appliances; investigate all such appliances for indicators of compromise; treat any GlobalProtect session that cannot be correlated to an authenticated login event as suspicious.
Patch Status: Not available (specific patch version not in input; KEV listing implies vendor-supplied mitigation exists — confirm via Palo Alto Networks security advisory portal)
Patch Version: Not available in input — refer to Palo Alto Networks official advisory
Workarounds:
  • Restrict GlobalProtect portal/gateway access at the network layer to known IP ranges or corporate VPN-fronted proxies if business operations permit.
  • Enable and review GlobalProtect authentication, accounting, and system logs for sessions lacking expected pre-logon or credential artifacts.
  • If an emergency mitigation is not available, consider temporarily disabling the GlobalProtect portal while maintaining direct tunnel clients only — coordinate with change management.
Detection Hints:
  • GlobalProtect portal/gateway logs showing successful session establishment without a corresponding pre-logon or authentication event.
  • Anomalous source IPs, geolocations, or user-agents completing GlobalProtect handshakes that bypass the typical certificate/credential exchange sequence.
  • Sudden increase in GlobalProtect portal HTTPS requests from single sources or non-corporate IP ranges.
  • Outbound traffic from the firewall itself or from hosts receiving GlobalProtect-assigned IPs that is inconsistent with prior baselines.

Source Timeline

Frequently Asked Questions

Is CVE-2026-0257 actively exploited in the wild?

CONFIRMED. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on 2026-05-29, which is the highest-confidence evidence tier for in-the-wild exploitation. This is independently corroborated by The Hacker News and BleepingComputer, both reporting active attack campaigns against GlobalProtect deployments. The exploitation race label is ZERO-DAY RACE, meaning weaponized exploit code is already circulating.

Which products and versions are affected by CVE-2026-0257?

Palo Alto Networks PAN-OS devices with the GlobalProtect VPN portal/gateway feature enabled are affected. Specific vulnerable and fixed version strings are not available in the current intelligence input — confirm against the official Palo Alto Networks security advisory before applying patches.

How can I detect exploitation of CVE-2026-0257?

Hunt for GlobalProtect session establishment events that lack a corresponding pre-logon or authentication record, anomalous source IPs or geolocations completing GlobalProtect handshakes, spikes in portal HTTPS requests from single non-corporate sources, and post-VPN traffic from GlobalProtect-assigned IP pools that deviates from baseline. The vulnerability enables auth-bypass, so any successful session with no credential artifact is a primary indicator.

What are the CVSS and EPSS scores for CVE-2026-0257?

CVSS is not available in the current intelligence input — no published score has been provided. EPSS is 0.41505, placing exploitation probability in roughly the 41st percentile and serving as a strong prioritization signal even in the absence of CVSS. CISA KEV listing on 2026-05-29 is the primary severity anchor and should drive immediate remediation.

Is a patch available for CVE-2026-0257?

Specific patch version is not available in the current input. CISA KEV listings require a vendor-supplied remediation, so a patch is expected to exist — confirm the fixed version directly from Palo Alto Networks' official security advisory portal. Until the exact version is verified, network-layer restriction of GlobalProtect portal access is the recommended emergency mitigation.

CVE-2026-0257 palo-alto-networks pan-os globalprotect auth-bypass vpn kev zero-day-race active-exploitation