CVE-2026-0257: Active Exploitation Confirmed for GlobalProtect Authentication Bypass


Palo Alto Networks updated its advisory for CVE-2026-0257 on May 29, 2026, confirming exploit attempts against unpatched PAN-OS devices. On the same day, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This follows the initial May 13 advisory and subsequent activity detected in May 2026.

Key Takeaways
  • CVE-2026-0257 is an authentication bypass in the PAN-OS GlobalProtect portal and gateway, carrying a CVSS score of 7.8.
  • Palo Alto Networks released the original advisory on May 13, 2026; the May 29 update confirms exploitation on unpatched appliances.
  • CISA cataloged the flaw as exploited in the wild on May 29, 2026.

Timeline

Palo Alto Networks published the advisory on May 13, 2026. Activity involving the vulnerability was detected by May 17 and May 21. On May 29, the vendor updated the advisory to confirm exploitation, and CISA issued the KEV entry.

Remediation and Mitigation

  • Check whether any GlobalProtect portal or gateway runs an affected PAN-OS version: 12.1.x prior to 12.1.4-h6 or 12.1.7; 11.2.x prior to 11.2.12; 11.1.x prior to 11.1.15; and 10.2.x prior to 10.2.18-h6. For Prisma Access, 11.2.0 requires 11.2.7-h13 or later, and 10.2.0 requires 10.2.10-h36 or later.
  • Apply patches specified in the official release notes.
  • If an update is not immediately feasible, disable "authentication override" via the path documented in the vendor advisory: Network > GlobalProtect > Gateways > Agent > Client Settings > Authentication Override tab.
  • If the feature must remain active, generate a new dedicated certificate for authentication override; Palo Alto Networks provides this as an alternative mitigation.
  • Monitor logs for suspicious connections using documented indicators, including specific MAC addresses and machine names associated with the activity waves.
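
The version check in the first step can be scripted over a firewall inventory. The following is an added example, not code from the vendor advisory or from this article. The hostnames and versions are constructed, Prisma Access is not covered, and treating 12.1.x releases that fall between the two listed fixes as affected is a conservative assumption to confirm against the advisory.

```python
import re

# Fixed releases per branch, copied from the remediation list above.
# Each entry is (maintenance, hotfix); hotfix 0 means the base release.
FIXED = {
    (12, 1): [(4, 6), (7, 0)],   # 12.1.4-h6 or 12.1.7
    (11, 2): [(12, 0)],          # 11.2.12
    (11, 1): [(15, 0)],          # 11.1.15
    (10, 2): [(18, 6)],          # 10.2.18-h6
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split '10.2.18-h6' into ((10, 2), (18, 6)); a missing hotfix is 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (maint, hotfix)

def classify(version):
    """Return 'fixed', 'affected', or 'not-listed' (branch absent from the list)."""
    branch, release = parse(version)
    fixes = FIXED.get(branch)
    if fixes is None:
        return "not-listed"
    maint, hotfix = release
    # Same maintenance release as a listed fix, at or above its hotfix level.
    if any(maint == fm and hotfix >= fh for fm, fh in fixes):
        return "fixed"
    # At or beyond the newest listed fix on this branch.
    # Assumption: anything between two listed fixes (e.g. 12.1.5) is affected.
    return "fixed" if release >= max(fixes) else "affected"

def needs_action(inventory):
    """Given {hostname: version}, list (host, version, status) for every non-fixed host."""
    out = []
    for host, version in sorted(inventory.items()):
        try:
            status = classify(version)
        except ValueError:
            status = "unparsed"   # surface bad inventory data instead of skipping it
        if status != "fixed":
            out.append((host, version, status))
    return out

# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY = {"fw-edge-01": "11.1.14-h2", "fw-edge-02": "11.2.12",
                    "fw-dc-01": "10.2.18-h6", "fw-lab-01": "12.1.5", "fw-old-01": "9.1.x"}

if __name__ == "__main__":
    for row in needs_action(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Hosts reported as "not-listed" or "unparsed" are not cleared by this check and still need to be compared against the vendor advisory by hand.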
