Palo Alto Networks PAN-OS Vulnerability Exploited Days After Disclosure, CISA Flags Active Attacks
Security researchers have confirmed that a high-severity authentication bypass vulnerability in Palo Alto Networks’ PAN-OS software has been actively exploited in the wild just days after its public disclosure.
The flaw, tracked as CVE-2026-0257 and carrying a CVSS score of 7.8, affects the GlobalProtect portal and gateway components of PAN-OS. Under certain configurations it allows an unauthenticated attacker to bypass GlobalProtect authentication and establish a VPN connection to the vulnerable device.
Rapid exploitation after disclosure
Palo Alto Networks released security patches for the vulnerability on May 13. According to cybersecurity firm Rapid7, exploitation attempts were observed as early as May 17, only four days after disclosure.
On May 21, attackers reportedly launched a second wave of exploitation attempts, this time sourced from different hosting providers, including Vultr and Dromatics Systems.
Attack technique and impact
Investigators observed suspicious cookie-based authentication attempts targeting local admin accounts across multiple customer environments. In several cases, these forged cookies were accepted by the GlobalProtect portal or gateway, bypassing the authentication check entirely.
Where the bypass fully succeeded, the device assigned the attacker a VPN IP address, giving them a foothold on the internal network. The outcome was not consistent, however: researchers noted that a VPN session was not always fully established even when the forged cookie was accepted. In most observed cases the malicious cookie was accepted without a complete VPN session following it, suggesting that exploitation outcomes were partial or selective and that defenders should treat an accepted cookie-based logon to an admin account as suspicious whether or not an IP assignment follows.
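The two-stage pattern described above (a cookie-based authentication accepted for a local admin account, sometimes followed by a VPN IP assignment and sometimes not) is something defenders can hunt for in their own gateway logs. The script below is an added example, not code from Rapid7, Palo Alto Networks, or this article. It runs over a constructed, newline-delimited JSON event stream whose schema (`event`, `method`, `user`, `src`, `result`, `assigned_ip`) is hypothetical and must be mapped onto the actual GlobalProtect system-log fields before use; the `LOCAL_ADMIN_ACCOUNTS` set and the five-minute correlation window are likewise assumptions to be tuned per site.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. This is NOT the real PAN-OS / GlobalProtect
# log schema; field names are invented for the example.
SAMPLE_LOG = """\
{"ts":"2026-05-17T03:12:01Z","event":"auth","method":"cookie","user":"admin","src":"203.0.113.7","result":"success"}
{"ts":"2026-05-17T03:12:09Z","event":"auth","method":"cookie","user":"admin","src":"203.0.113.7","result":"success"}
{"ts":"2026-05-17T03:14:40Z","event":"auth","method":"cookie","user":"gpadmin","src":"203.0.113.7","result":"success"}
{"ts":"2026-05-17T03:15:02Z","event":"vpn_assign","user":"gpadmin","src":"203.0.113.7","assigned_ip":"10.200.0.15"}
{"ts":"2026-05-17T08:01:00Z","event":"auth","method":"password","user":"jsmith","src":"198.51.100.22","result":"success"}
{"ts":"2026-05-17T08:01:03Z","event":"vpn_assign","user":"jsmith","src":"198.51.100.22","assigned_ip":"10.200.0.16"}
{"ts":"2026-05-17T08:30:00Z","event":"auth","method":"cookie","user":"jsmith","src":"198.51.100.22","result":"success"}
{"ts":"2026-05-17T08:30:01Z","event":"vpn_assign","user":"jsmith","src":"198.51.100.22","assigned_ip":"10.200.0.16"}
"""

# Assumption: the site's list of local administrative accounts that should
# never be logging on to GlobalProtect with a cookie from the Internet.
LOCAL_ADMIN_ACCOUNTS = {"admin", "gpadmin"}


def parse_events(text):
    """Parse NDJSON events, convert timestamps, and return them time-ordered."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_forged_cookie_activity(events, admin_accounts, window=timedelta(minutes=5)):
    """Flag every accepted cookie-based auth for an admin account and record
    whether a VPN IP assignment for the same user/source followed within
    `window`. Both outcomes are findings: the article notes that accepted
    cookies were often NOT followed by a full session."""
    assigns = defaultdict(list)
    for ev in events:
        if ev["event"] == "vpn_assign":
            assigns[(ev["user"], ev["src"])].append(ev)

    findings = []
    for ev in events:
        if ev["event"] != "auth" or ev["method"] != "cookie" or ev["result"] != "success":
            continue
        if ev["user"] not in admin_accounts:
            continue
        later = [a for a in assigns[(ev["user"], ev["src"])]
                 if ev["ts"] <= a["ts"] <= ev["ts"] + window]
        findings.append({
            "ts": ev["ts"].isoformat(),
            "user": ev["user"],
            "src": ev["src"],
            "outcome": "vpn_ip_assigned" if later else "accepted_without_session",
            "assigned_ip": later[0]["assigned_ip"] if later else None,
        })
    return findings


def sources_targeting_multiple_admins(events, admin_accounts, threshold=2):
    """Secondary signal: one source IP presenting cookies for several distinct
    admin accounts, which a legitimate administrator would rarely do."""
    per_src = defaultdict(set)
    for ev in events:
        if ev["event"] == "auth" and ev["method"] == "cookie" and ev["user"] in admin_accounts:
            per_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in per_src.items() if len(users) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in find_forged_cookie_activity(evs, LOCAL_ADMIN_ACCOUNTS):
        print(f)
    print(sources_targeting_multiple_admins(evs, LOCAL_ADMIN_ACCOUNTS))
```

On the constructed input, the two `admin` cookie logons from 203.0.113.7 are reported as `accepted_without_session` and the `gpadmin` logon as `vpn_ip_assigned` (10.200.0.15), while the ordinary user's cookie re-authentication from 198.51.100.22 is ignored because that account is not in the admin set. The same source is also flagged for presenting cookies for two different admin accounts. Treat the hits as leads to corroborate against the vendor advisory and Rapid7's published indicators, not as proof of compromise on their own.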
Government and industry response
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch the flaw immediately.
Palo Alto Networks also updated its advisory, confirming that it is aware of limited exploitation attempts against devices that were neither patched nor protected by the vendor's recommended mitigations. The vulnerability has been rated critical by the National Institute of Standards and Technology (NIST).
Affected products and mitigation
The vulnerability impacts PAN-OS systems with GlobalProtect portal or gateway enabled under specific configurations. Affected versions include PAN-OS 12.1, 11.2, 11.1, and 10.2, as well as Prisma Access versions 11.2.0 and 10.2.0.
Security updates have been released, and organizations are strongly advised to apply them immediately. Where a device cannot be patched right away, the vendor advisory's mitigation measures should be applied in the meantime, since the exploitation attempts confirmed so far were against devices that had neither.
Security guidance
Rapid7 has also published a proof-of-concept script that helps organizations identify vulnerable systems, along with indicators of compromise to assist defenders in detecting potential intrusions.
Researchers warn that the rapid exploitation of CVE-2026-0257 illustrates how quickly attackers now weaponize newly disclosed vulnerabilities, and underlines the importance of immediate patching for internet-facing security infrastructure such as VPN gateways.