🔴 CVE-2026-0257

Authentication bypass vulnerability in GlobalProtect portal/gateway components of Palo Alto Networks PAN-OS allows remote attackers to establish unauthorized VPN connections. Active exploitation confirmed with public PoC available.

Risk Level: HIGH_RISK

CVSS Score: 7.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-05-13

Added to CISA KEV: 2026-05-29 (16 days between CVE and KEV)

🌐 Internet Exposure (Shodan): 135k+ internet-facing instances
Query: http.title:"GlobalProtect Portal"
Note: May not capture all PAN-OS instances, as some deployments use custom titles or may not expose the GlobalProtect portal interface externally.
Checked: 2026-06-04

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-05-30)

CVE-2026-0257 is a medium-severity authentication bypass vulnerability affecting the GlobalProtect portal and gateway in Palo Alto Networks PAN-OS software and Prisma Access [1] [3].

Here is the current status of the vulnerability based on available information:

Exploitation and Impact
  • Active Exploitation: There is confirmed evidence of active exploitation in the wild [2] [4]. Palo Alto Networks has acknowledged "limited exploit attempts" on unpatched devices that do not have specific mitigations applied [1].
  • Internet-Facing Exposure: The vulnerability affects the GlobalProtect portal and gateway, which are typically internet-facing components used for VPN access [1].
  • Attack Vectors: A remote, unauthenticated attacker can exploit this vulnerability to bypass security restrictions and establish an unauthorized VPN connection to the affected network [1] [3].
  • Technical Details: The vulnerability is classified as CWE-565 (Use of Insecure or Untrusted Control Flow) [3]. It requires a specific configuration to be present on the target device to be exploitable [2]. Publicly available proof-of-concept (PoC) scripts exist for testing purposes [4].
  • Targeted Attacks: While active exploitation has been observed, there is currently no specific public reporting detailing its use in advanced, targeted campaigns (e.g., by specific APT groups).

CISA KEV Status
As of May 30, 2026, CVE-2026-0257 is not explicitly highlighted in the provided search results as being added to the CISA Known Exploited Vulnerabilities (KEV) catalog, though it is actively being exploited in the wild. Organizations should consult the official [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) for the most up-to-date status.

Recommendations
  • Patching/Mitigation: Palo Alto Networks has released security advisories and guidance for this vulnerability. Organizations using PAN-OS or Prisma Access should verify their exposure and apply the recommended patches or mitigations provided by the vendor [1].
  • Assessment: Security teams can use authenticated vulnerability scanners (such as those provided by Rapid7) to assess whether their specific device configurations are susceptible to this vulnerability [2].

Sources

  1. CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities

    Palo Alto Networks Security Advisory: CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an un…

  2. Rapid7 Observed Exploitation of PAN-OS GlobalProtect ...

    Rapid7 MDR has observed active exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability CVE-2026-0257. ... Vulnerabilities and Exploits. Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257). Exposure Command, InsightVM, and Nexpose c…

  3. CVE-2026-0257 - Vulnerability Details - OpenCVE

    Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues. ... CVE-2026-0257 - PAN-OS:…

  4. CVE-2026-0257 - Exploits & Severity - Feedly

    Threat Intelligence Report CVE-2026-0257 is a medium severity authentication bypass vulnerability in PAN-OS and Prisma Access, allowing remote unauthenticated attackers to establish VPN connections via the GlobalProtect gateway under specific configurations. Rapid7 MDR confirmed exploitation of this…