Find notable cyber news and cases, enriched with sources, timelines, and signals.

PAN-OS / Prisma Access GlobalProtect authentication bypass (CVE-2026-0257, actively exploited)

Vulnerability
First reported
Last updated
Happening score
H score 19
3 unique sources, 4 articles

Summary

Hide ▲

PAN-OS and Prisma Access are affected by CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway that can let attackers establish an unauthorized VPN connection. Palo Alto Networks said the flaw is under active exploitation in the wild, and Rapid7 reported successful exploitation against numerous customers starting May 17, 2026. The issue is especially risky for devices with authentication override cookies enabled and the relevant certificate configuration.

Related Happenings

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak
H score80 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...

Latest development: 19.06.2026 09:47

CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.

FortiSandbox unauthenticated command injection (CVE-2026-25089)

Vulnerability
H score47 First: 16.06.2026 13:30 Last: 16.06.2026 13:30 Sources 1

About this happening: **CVE-2026-25089** is an **unauthenticated operating system command injection** in **FortiSandbox**-related products that was seen in **active exploitation** over the **past 24 ho...

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

How related: Palo Alto Networks is also urging customers to search GlobalProtect logs for successful gateway-connected events that match the following hard-coded client configuration values from a proof-of-concept (PoC) exploit -

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

CISA KEV order for FCEB remediation of CVE-2026-50751

Public Sector Action
H score43 First: 09.06.2026 11:18 Last: 09.06.2026 11:18 Sources 1

About this happening: **CISA** ordered **Federal Civilian Executive Branch** agencies to secure **CVE-2026-50751**, forcing a rapid federal response to a flaw that can let attackers bypass authenticati...

Timeline

  1. 30.05.2026 09:41 4 articles · 1mo ago

    Attackers begin exploiting CVE-2026-0257 against PAN-OS customers

    Exploitation Observed

    Rapid7 identified successful exploitation across numerous customers, with the earliest efforts dating back to May 17, 2026. The activity is assessed to be the work of the same threat actor and shows CVE-2026-0257 being used against affected PAN-OS environments to gain unauthorized VPN access.

    Show sources
  2. 30.05.2026 09:41 2 articles · 1mo ago

    Second exploitation wave grants internal network access through VPN sessions

    Victim Impact Update

    A second exploitation wave on May 21, 2026 involved VPN IP assignment following cookie authentication in two cases, which granted the attacker access to the internal network. Rapid7 said no follow-on activity was observed in the customer environments where a VPN session was established.

    Show sources
  3. 13.05.2026 03:00 1 articles · 1mo ago

    Palo Alto Networks discloses PAN-OS and Prisma Access authentication bypass

    Initial Disclosure

    Palo Alto Networks released an advisory on May 13, 2026 for CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway of PAN-OS that can let an attacker bypass security restrictions and establish an unauthorized VPN connection. The issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists.

    Show sources