Palo Alto Confirms Active Exploitation of GlobalProtect VPN Auth Bypass — CVE-2026-0257

What Happened

Palo Alto Networks has confirmed that an unknown threat actor is actively exploiting CVE-2026-0257, a high-severity authentication bypass vulnerability in PAN-OS affecting GlobalProtect VPN portals. The flaw carries a CVSS score of 7.8. Palo Alto's own disclosure uses the phrase "active exploitation" — meaning this is not a theoretical risk or a researcher proof-of-concept. Attackers are using it right now to gain unauthorized access to GlobalProtect portals in production environments.

Why It Matters

GlobalProtect is one of the most widely deployed enterprise VPN solutions in the world. An authentication bypass at the portal level is about as bad as it gets for perimeter infrastructure: an attacker who clears the gate lands inside the network with established trust, often with access to internal routing, DNS, and segmentation that assumes VPN users are legitimate.

VPN authentication flaws in this class of product have a well-documented post-disclosure lifecycle: weaponized exploit code circulates within hours, ransomware operators and state-sponsored groups race to mass-scan for unpatched instances, and initial-access brokers begin selling footholds before most IT teams have even read the advisory. The fact that Palo Alto is calling out active exploitation at disclosure time means you are not ahead of the attackers — you are catching up to them.

Any organization with a GlobalProtect portal exposed to the internet should treat this as an emergency until patched or mitigated.

What To Do

Patch first. Consult the Palo Alto Networks advisory for CVE-2026-0257 for exact affected PAN-OS versions and the patched releases. Push the update to every GlobalProtect gateway and portal. Do not wait for a scheduled maintenance window.

If you cannot patch immediately, restrict access. Apply network-layer ACLs or geo-restrictions to the GlobalProtect portal interface to limit who can reach it while you prepare the patch. This reduces exposure but is not a substitute for patching.

Update Threat Prevention content. Palo Alto typically releases detection signatures alongside advisories. Ensure Threat Prevention is active and content packages are current on all affected devices.

Hunt for compromise. If your portal was internet-facing in the days before this advisory, assume it may have been probed or accessed. Pull GlobalProtect authentication logs and look for sessions from unexpected source IPs, authentication events with no corresponding MFA prompt, or sessions that succeeded but map to no known user device. Extend your lookback at least 30 days.

Watch for lateral movement. If you find suspicious VPN sessions, pivot to internal logs: VPN-assigned IP ranges hitting internal systems, unusual DNS queries, or new outbound connections from endpoints that connected over VPN. Treat any confirmed unauthorized session as a full incident.
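The two hunting steps above (unexpected source IPs, successful logins with no MFA, sessions mapped to no known device, then a pivot from the VPN-assigned address into internal connection logs) can be scripted. The example below is an added illustration written for this post, not code from Palo Alto Networks or from the original article. It uses a simplified, constructed record layout rather than the real PAN-OS GlobalProtect log schema, and the allowlisted egress ranges, enrolled-device inventory, and sample records are all assumed values for demonstration.

```python
"""Hunt for suspicious GlobalProtect sessions, then pivot to lateral movement.

Constructed example: the log format, IP ranges, and device inventory are
assumptions for illustration, not the real PAN-OS schema.
"""
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed auth records (NOT the real GlobalProtect log layout):
# timestamp user source_ip result mfa(yes/no) device_host_id vpn_assigned_ip
AUTH_LOG = """\
2026-01-14T08:02:11Z alice 203.0.113.10 success yes HOST-ALICE 10.50.0.21
2026-01-14T08:05:40Z bob 198.51.100.7 success yes HOST-BOB 10.50.0.22
2026-01-15T02:17:03Z alice 192.0.2.77 success no UNKNOWN 10.50.0.23
2026-01-15T02:18:55Z svc-backup 192.0.2.77 failure no - -
2026-01-20T11:00:00Z carol 203.0.113.44 success yes HOST-CAROL 10.50.0.24
"""

# Constructed internal connection records: timestamp src_ip dst_ip dst_port
CONN_LOG = """\
2026-01-14T08:10:00Z 10.50.0.21 10.10.1.5 443
2026-01-15T02:20:10Z 10.50.0.23 10.10.1.9 445
2026-01-15T02:21:30Z 10.50.0.23 10.10.1.10 3389
2026-01-15T02:22:00Z 10.50.0.23 10.10.0.53 53
2026-01-20T11:05:00Z 10.50.0.24 10.10.1.5 443
"""

# Assumed known-good inputs: where your workforce normally connects from,
# and the host-ids of enrolled devices.
EXPECTED_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                          ipaddress.ip_network("198.51.100.0/24")]
KNOWN_DEVICES = {"HOST-ALICE", "HOST-BOB", "HOST-CAROL"}
LOOKBACK_DAYS = 30  # the post recommends at least 30 days

Session = namedtuple("Session", "ts user src result mfa device vpn_ip")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth_log(text):
    """Turn the constructed auth log into Session tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result, mfa, device, vpn_ip = line.split()
        sessions.append(Session(parse_ts(ts), user, src, result, mfa, device, vpn_ip))
    return sessions


def find_suspicious_sessions(sessions, now_iso):
    """Flag successful sessions inside the lookback that match any hunt criterion."""
    cutoff = parse_ts(now_iso) - timedelta(days=LOOKBACK_DAYS)
    findings = []
    for s in sessions:
        if s.ts < cutoff or s.result != "success":
            continue  # failures are noise here; only successful logins grant access
        reasons = []
        src = ipaddress.ip_address(s.src)
        if not any(src in net for net in EXPECTED_SOURCE_RANGES):
            reasons.append("unexpected source IP")
        if s.mfa != "yes":
            reasons.append("no MFA")
        if s.device not in KNOWN_DEVICES:
            reasons.append("unknown device")
        if reasons:
            findings.append((s, reasons))
    return findings


def pivot_lateral(findings, conn_text):
    """Pivot: internal connections originating from a flagged session's VPN IP."""
    flagged_ips = {s.vpn_ip for s, _ in findings}
    hits = []
    for line in conn_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split()
        if src in flagged_ips:
            hits.append((src, dst, int(port)))
    return hits


def run_hunt(now_iso="2026-01-21T00:00:00Z"):
    """Run both steps over the constructed sample data."""
    findings = find_suspicious_sessions(parse_auth_log(AUTH_LOG), now_iso)
    return findings, pivot_lateral(findings, CONN_LOG)


if __name__ == "__main__":
    found, lateral = run_hunt()
    for s, why in found:
        print(f"{s.ts:%Y-%m-%d %H:%M} {s.user} from {s.src} -> {', '.join(why)}")
    for src, dst, port in lateral:
        print(f"  lateral: {src} -> {dst}:{port}")
```

On the sample data the only finding is the 02:17 "alice" session: it arrives from outside the expected ranges, completed with no MFA, and presents an unenrolled device, and its assigned address then touches SMB, RDP and DNS internally within minutes. In a real deployment, replace the constructed parser with one for your exported GlobalProtect log fields and feed the pivot from firewall or NetFlow records; the point is that each of the three criteria is independently worth alerting on, and a session matching all three with follow-on internal activity should be handled as a confirmed incident.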

This is a drop-everything patch. Authentication bypasses in perimeter VPN infrastructure under active exploitation do not improve with time.

Sources
  1. Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw

Synthesized by Claude · sanity-checked before publish.
