TP-EXP-2026-0311 | CVE-2026-0257 | High | Active Exploitation | AI Draft

Palo Alto Networks PAN-OS Authentication Bypass (CVE-2026-0257)

  • CVE: CVE-2026-0257
  • Platform: Palo Alto Networks PAN-OS
  • Type: Authentication Bypass
  • Severity: HIGH
  • Status: Active Exploitation
  • Zero-Day: Confirmed
  • Disclosed: May 13, 2026
  • CISA KEV: Listed

Severity Assessment

  • Exploitability: 9/10 — KEV listing and active exploitation indicate practical offensive use and meaningful operational exposure.
  • Impact: 8/10 — Unauthorized VPN sessions can bypass normal access controls and expose protected network resources.
  • Weaponization Risk: 8/10 — Exploitable authentication bypass on remote access infrastructure presents scalable risk.
  • Patch Urgency: 9/10 — CISA’s KEV status and required remediation timeline demand immediate response.
  • Detection Coverage: 6/10 — Detection depends on visibility into authentication and session telemetry across GlobalProtect.

Summary

CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS affecting GlobalProtect portal and gateway components. According to the vendor and U.S. government sources, the issue can allow an attacker to bypass security restrictions and establish an unauthorized VPN connection.

The NVD scope text explicitly excludes Panorama and Cloud NGFW from the products affected by this vulnerability.

Exploit Chain

Stage 1: Exposure of GlobalProtect endpoint

An attacker identifies a vulnerable GlobalProtect portal/gateway endpoint.

Stage 2: Authentication bypass

The authentication bypass on the endpoint can allow an untrusted client to establish a session despite restrictions.

Stage 3: Unauthorized VPN session use

Successful bypass may permit unauthorized VPN access and downstream lateral activity through existing network policy paths.

Detection Guidance

  1. Flag unusual or unauthorized GlobalProtect portal/gateway logins.
  2. Monitor for unexpected or high-volume VPN session creation outside known maintenance windows.
  3. Alert on authentication anomalies, repeated login failures followed by success, and unusual client attributes.
  4. Correlate session-level changes with sensitive asset access following new GlobalProtect session establishment.
  5. Reduce public exposure of GlobalProtect portals and apply vendor guidance immediately.
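As an added illustration of items 2 and 3 above (example code written for this page, not from the vendor, CISA or any SIEM product), the following Python sketch runs two of those checks over constructed log lines. The five-field line layout, the approved source range KNOWN_NETWORKS and the thresholds are assumptions; map them onto the real GlobalProtect system log fields before use.

```python
"""Detection sketch for GlobalProtect auth anomalies (added example, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed "timestamp user src_ip event status" layout.
# This is NOT the real PAN-OS GlobalProtect log format; it stands in for parsed fields.
SAMPLE_LOGS = """\
2026-05-14T02:10:01Z alice 203.0.113.7 portal-auth failure
2026-05-14T02:10:05Z alice 203.0.113.7 portal-auth failure
2026-05-14T02:10:09Z alice 203.0.113.7 portal-auth failure
2026-05-14T02:10:12Z alice 203.0.113.7 portal-auth success
2026-05-14T02:10:13Z alice 203.0.113.7 gateway-session created
2026-05-14T08:00:00Z bob 198.51.100.20 portal-auth success
2026-05-14T08:00:01Z bob 198.51.100.20 gateway-session created
"""

KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]  # hypothetical approved source ranges
FAIL_THRESHOLD = 3          # failures before a success that we treat as suspicious
WINDOW = timedelta(minutes=5)

def parse(lines):
    """Yield (timestamp, user, src_ip, event, status) from the assumed layout."""
    for line in lines.splitlines():
        ts, user, src, event, status = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), user, src, event, status

def detect(lines):
    """Return (rule, user, src_ip) tuples for events that merit an alert."""
    alerts, recent_failures = [], defaultdict(list)
    for ts, user, src, event, status in parse(lines):
        key = (user, src)
        if event == "portal-auth" and status == "failure":
            recent_failures[key].append(ts)
        elif event == "portal-auth" and status == "success":
            # Item 3: repeated failures followed by a success within the window.
            fails = [t for t in recent_failures[key] if ts - t <= WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append(("failures-then-success", user, src))
            recent_failures[key].clear()
        elif event == "gateway-session" and status == "created":
            # Item 2: session creation from a source outside the approved ranges.
            if not any(ip_address(src) in net for net in KNOWN_NETWORKS):
                alerts.append(("session-from-unknown-network", user, src))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```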

Indicators of Compromise

No stable IOCs are published in the available source documents.

Operational indicators to monitor:

  • Spikes in GlobalProtect authentication and session-creation behavior from unusual source networks.
  • New high-risk VPN sessions from unknown geography or unapproved clients.
  • Policy changes or session attribute shifts immediately following successful portal authentication events.

Disclosure Timeline

  • 2026-05-13: NVD publication. The National Vulnerability Database published initial CVE-2026-0257 details.
  • 2026-05-29: CISA KEV addition. The Cybersecurity and Infrastructure Security Agency added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog.
  • 2026-06-01: Remediation deadline. The Cybersecurity and Infrastructure Security Agency listed this date as the remediation action deadline in the KEV catalog entry.

Sources & References