PAN-OS / Prisma Access GlobalProtect authentication bypass (CVE-2026-0257, actively exploited)
Vulnerability
Summary
Hide ▲
Show ▼
PAN-OS and Prisma Access are affected by CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway that can let attackers establish an unauthorized VPN connection. Palo Alto Networks said the flaw is under active exploitation in the wild, and Rapid7 reported successful exploitation against numerous customers starting May 17, 2026. The issue is especially risky for devices with authentication override cookies enabled and the relevant certificate configuration.
Related Happenings
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
FortiBleed Fortinet/FortiGate VPN credential leak
Data LeakAbout this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
FortiSandbox unauthenticated command injection (CVE-2026-25089)
Vulnerability
H score47
First: 16.06.2026 13:30
Last: 16.06.2026 13:30
Sources 1
About this happening:
**CVE-2026-25089** is an **unauthenticated operating system command injection** in **FortiSandbox**-related products that was seen in **active exploitation** over the **past 24 ho...
FortiSandbox unauthenticated command injection (CVE-2026-25089)
VulnerabilityAbout this happening: **CVE-2026-25089** is an **unauthenticated operating system command injection** in **FortiSandbox**-related products that was seen in **active exploitation** over the **past 24 ho...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
How related:
Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit -
About this happening:
Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationHow related: Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit -
About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
CISA KEV order for FCEB remediation of CVE-2026-50751
Public Sector Action
H score43
First: 09.06.2026 11:18
Last: 09.06.2026 11:18
Sources 1
About this happening:
**CISA** ordered **Federal Civilian Executive Branch** agencies to secure **CVE-2026-50751**, forcing a rapid federal response to a flaw that can let attackers bypass authenticati...
CISA KEV order for FCEB remediation of CVE-2026-50751
Public Sector ActionAbout this happening: **CISA** ordered **Federal Civilian Executive Branch** agencies to secure **CVE-2026-50751**, forcing a rapid federal response to a flaw that can let attackers bypass authenticati...
Timeline
-
30.05.2026 09:41 4 articles · 1mo ago
Attackers begin exploiting CVE-2026-0257 against PAN-OS customers
Exploitation ObservedRapid7 identified successful exploitation across numerous customers, with the earliest efforts dating back to May 17, 2026. The activity is assessed to be the work of the same threat actor and shows CVE-2026-0257 being used against affected PAN-OS environments to gain unauthorized VPN access.
Show sources
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation — thehackernews.com — 30.05.2026 09:41
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation — thehackernews.com — 30.05.2026 09:41
- Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks — www.bleepingcomputer.com — 30.05.2026 21:02
- Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw — thehackernews.com — 15.06.2026 09:17
-
30.05.2026 09:41 2 articles · 1mo ago
Second exploitation wave grants internal network access through VPN sessions
Victim Impact UpdateA second exploitation wave on May 21, 2026 involved VPN IP assignment following cookie authentication in two cases, which granted the attacker access to the internal network. Rapid7 said no follow-on activity was observed in the customer environments where a VPN session was established.
Show sources
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation — thehackernews.com — 30.05.2026 09:41
- Palo Alto Warns High-Severity Bug Is Being Actively Exploited — www.infosecurity-magazine.com — 01.06.2026 11:30
-
13.05.2026 03:00 1 articles · 1mo ago
Palo Alto Networks discloses PAN-OS and Prisma Access authentication bypass
Initial DisclosurePalo Alto Networks released an advisory on May 13, 2026 for CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway of PAN-OS that can let an attacker bypass security restrictions and establish an unauthorized VPN connection. The issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists.
Show sources
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation — thehackernews.com — 30.05.2026 09:41