What happened
Palo Alto Networks Unit 42 warned that a critical authentication bypass vulnerability affecting GlobalProtect portal and gateway components in PAN-OS is being actively exploited in the wild.
The vulnerability, tracked as CVE-2026-0257, allows unauthenticated remote attackers to bypass security controls and initiate unauthorized VPN connections without credentials.
CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026, confirming active exploitation.
Unit 42 researchers observed an unidentified threat actor actively probing GlobalProtect-enabled devices. The attacker successfully probed a broad set of targets, but only a small portion of those attempts resulted in actual VPN sessions and gateway-connected events.
No post-access behavior, lateral movement, or data exfiltration has been confirmed at this time.
Organizations are urged to review GlobalProtect logs for indicators of compromise and activate incident response protocols for any successful gateway-connected events tied to the listed indicators.
Palo Alto Networks advised organizations to review the official security advisory, apply available workarounds, or upgrade to a patched PAN-OS version.
Who is affected
Organizations using affected Palo Alto Networks GlobalProtect portal and gateway components in PAN-OS are affected.
The highest-risk organizations are those with GlobalProtect-enabled devices exposed to the internet, especially where logs show successful VPN gateway-connected events tied to the reported indicators.
Because the flaw allows unauthorized VPN connections without credentials, affected organizations may face risk of perimeter bypass and unauthorized access to protected environments.
Why CISOs should care
This vulnerability affects VPN infrastructure, which often sits at the edge of enterprise environments and provides access into internal systems. An authentication bypass in a VPN portal or gateway can create serious exposure because attackers may be able to initiate connections without valid credentials.
The active exploitation also raises the urgency. Unit 42 observed broad probing of GlobalProtect-enabled devices, and CISA added the flaw to the Known Exploited Vulnerabilities catalog. Even though only a small portion of targets resulted in successful VPN sessions, organizations should treat any gateway-connected event tied to the indicators as a potential incident.
The lack of confirmed lateral movement or data exfiltration should not lead to complacency. Unauthorized VPN access can be an entry point for follow-on activity, and the article emphasizes that organizations should hunt logs and activate incident response where successful connections are found.
3 practical actions
- Review GlobalProtect logs for successful unauthorized connections: Unit 42 identified active probing of GlobalProtect-enabled devices, with some attempts resulting in gateway-connected events. Security teams should hunt for suspicious successful VPN connections tied to the reported indicators and investigate any matching activity.
- Apply available workarounds or upgrade to a patched PAN-OS version: Palo Alto Networks advised organizations to review its security advisory, apply workarounds, or upgrade affected systems. CISOs should prioritize remediation for internet-facing GlobalProtect portals and gateways.
- Treat successful gateway-connected events as potential incidents: No post-access activity, lateral movement, or data exfiltration has been confirmed, but unauthorized VPN access can create a path into internal environments. Organizations should activate incident response protocols for any confirmed gateway-connected events linked to exploitation.
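The log review described in the first action can be scripted. The sketch below is an added example, not code from Unit 42 or Palo Alto Networks: it separates indicator-matching sources that only probed from those that reached a successful gateway-connected event. The CSV column names, the sample rows and the indicator addresses are constructed placeholders and must be replaced with your own export fields and the indicators from the advisory.

```python
import csv
import io
import ipaddress

# Placeholder indicators (RFC 5737 documentation ranges); replace them with
# the source addresses published in the vendor advisory.
INDICATORS = ["192.0.2.10", "198.51.100.0/24"]

# Constructed sample rows. The column names are assumptions for this example;
# map them to the fields of your own GlobalProtect log export.
SAMPLE_LOG = """\
time,event,status,public_ip,user
2026-05-30T01:12:03Z,portal-auth,failure,192.0.2.10,
2026-05-30T01:12:09Z,gateway-connected,success,192.0.2.10,
2026-05-30T02:40:11Z,portal-auth,failure,198.51.100.77,
2026-05-30T03:05:00Z,gateway-connected,success,203.0.113.5,alice
2026-05-30T03:06:00Z,gateway-connected,success,not-an-ip,bob
"""


def triage(log_text, indicators):
    """Return (incident_rows, probe_only_ips) for indicator-matching sources."""
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    incidents, seen, connected = [], set(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            src = ipaddress.ip_address(row["public_ip"].strip())
        except ValueError:
            continue  # malformed address field cannot be matched; skip it
        if not any(src in net for net in nets):
            continue  # source is not covered by any indicator
        seen.add(str(src))
        if row["event"] == "gateway-connected" and row["status"] == "success":
            incidents.append(row)      # successful session: open an incident
            connected.add(str(src))
    # Indicator sources that appeared in the log but never got a session.
    return incidents, sorted(seen - connected)


if __name__ == "__main__":
    incidents, probed_only = triage(SAMPLE_LOG, INDICATORS)
    for r in incidents:
        print("INCIDENT  ", r["time"], r["public_ip"], repr(r["user"]))
    for ip in probed_only:
        print("PROBE ONLY", ip)
```

Rows returned as incidents are the ones to hand to incident response; probe-only sources are useful for blocking and for confirming exposure.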
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

