PAN-OS GlobalProtect Under Active Attack

A critical authentication bypass vulnerability (CVE-2026-0257) in Palo Alto Networks’ PAN-OS GlobalProtect gateway is being actively exploited in the wild. The flaw allows unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to protected networks. Organizations running affected PAN-OS versions must apply emergency patches immediately, as proof-of-concept exploits are circulating and threat actors are conducting widespread scanning for vulnerable instances.

Introduction

Palo Alto Networks has issued an emergency security advisory for CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect gateway component of PAN-OS. With a CVSS score of 9.8, this vulnerability represents one of the most severe security flaws discovered in enterprise VPN infrastructure this year. The vulnerability enables remote, unauthenticated attackers to completely bypass authentication controls and establish unauthorized VPN connections to corporate networks.

Security researchers have confirmed active exploitation attempts targeting internet-exposed GlobalProtect gateways, with attack volume escalating rapidly following public disclosure. Organizations relying on Palo Alto Networks firewalls for secure remote access face immediate risk of network compromise, data exfiltration, and lateral movement by sophisticated threat actors.

Background & Context

GlobalProtect serves as Palo Alto Networks’ enterprise VPN solution, providing secure remote access for millions of users across government agencies, Fortune 500 companies, and critical infrastructure organizations worldwide. The platform implements SSL/TLS-based VPN connectivity with integrated security features including multi-factor authentication, endpoint compliance checks, and advanced threat prevention.

CVE-2026-0257 was initially discovered during a routine security audit by an external research team and responsibly disclosed to Palo Alto Networks in early 2025. The vulnerability sits in the authentication workflow shared by the GlobalProtect portal and gateway components, specifically in the pre-authentication phase of connection establishment, before any credential has been checked.

The flaw impacts PAN-OS versions:

  • PAN-OS 11.0.x (versions prior to 11.0.5)
  • PAN-OS 10.2.x (versions prior to 10.2.10)
  • PAN-OS 10.1.x (versions prior to 10.1.14)

Notably, Cloud NGFW and Prisma Access deployments are NOT affected by this vulnerability, as they utilize different authentication architectures.

Technical Breakdown

The vulnerability exists within the GlobalProtect gateway’s authentication validation logic, in the code that parses authentication parameters during the initial connection handshake. The root cause is improper input validation combined with insufficient boundary checks on those parameters, so a request that is well-formed at the HTTP level but malformed in its parameter values reaches logic that was never designed to handle it.

An attacker can exploit this vulnerability by sending a malformed authentication request containing carefully crafted HTTP headers and parameters to the GlobalProtect portal or gateway interface. The vulnerable code path fails to properly validate these inputs, allowing attackers to manipulate the authentication state machine.

The exploitation sequence follows this pattern (the bracketed values are placeholders; the article does not publish the actual payload):

POST /ssl-vpn/login.esp HTTP/1.1
Host: [target-firewall]
Content-Type: application/x-www-form-urlencoded
Content-Length: [calculated]

user=[crafted-payload]&passwd=[bypass-string]&ok=Login&direct=yes&clientVer=4.1.0&prot=https:

By injecting specific control characters and escape sequences within the authentication parameters, attackers can trigger a logic error that causes the authentication module to incorrectly validate the session as authenticated. This grants the attacker a valid GlobalProtect session token without providing legitimate credentials.

The vulnerability’s severity is amplified by several factors:

  • Pre-authentication exploitation – No credentials required
  • Remote exploitation – Accessible from the internet
  • Low complexity – Exploitation requires minimal technical skill
  • Reliable exploitation – Success rate exceeds 95% on vulnerable systems

Once authentication is bypassed, attackers receive full VPN access equivalent to a legitimate authenticated user, including access to internal network segments, resources, and systems based on the default or assigned gateway configuration.

Impact & Risk Assessment

The exploitation of CVE-2026-0257 presents catastrophic risk to affected organizations. Successful attacks enable threat actors to establish a foothold within the corporate network perimeter, effectively neutralizing the security boundary that VPN infrastructure is designed to protect.

Immediate Impacts:

  • Unauthorized Network Access: Attackers gain direct access to internal network segments, bypassing all perimeter security controls
  • Lateral Movement: Compromised VPN access serves as a launching point for reconnaissance and lateral movement across the enterprise
  • Data Exfiltration: Direct access to file shares, databases, and application servers enables large-scale data theft
  • Credential Harvesting: Attackers can deploy credential capture tools to compromise additional accounts

Secondary Risks:

Organizations in critical infrastructure sectors (energy, healthcare, finance, government) face elevated risk due to the potential for operational disruption and regulatory compliance violations. The vulnerability’s exploitation could facilitate ransomware deployment, espionage operations, or supply chain compromise.

Threat intelligence indicates that both opportunistic cybercriminal groups and advanced persistent threat (APT) actors are actively scanning for vulnerable GlobalProtect instances. Shodan and Censys scanning data reveals over 45,000 potentially vulnerable PAN-OS instances exposed to the internet globally.

Vendor Response

Palo Alto Networks released emergency security patches within 72 hours of confirming active exploitation. The vendor has issued hotfixes for all affected PAN-OS versions and strongly recommends immediate deployment.

Available Patches:

  • PAN-OS 11.0.5 and later
  • PAN-OS 10.2.10 and later
  • PAN-OS 10.1.14 and later
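The affected and fixed version lists above (11.0.x before 11.0.5, 10.2.x before 10.2.10, 10.1.x before 10.1.14) are easy to misread when an inventory mixes trains and hotfix builds such as 10.2.9-h1. The following added example, which is not Palo Alto Networks code, classifies PAN-OS version strings against exactly that table. The release trains in FIXED_RELEASES come from the article; the sample inventory is constructed, and the handling of `-hN` hotfix suffixes (a hotfix on a pre-fix maintenance release is still below the fixed release) is an assumption, since the article does not discuss hotfix builds.

```python
"""Classify PAN-OS version strings against the fixed releases in the article.

Added example, not vendor code. FIXED_RELEASES mirrors the article's
"Available Patches" list; SAMPLE_INVENTORY is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed maintenance release per train, per the article (major, minor) -> (major, minor, maint).
FIXED_RELEASES = {
    (11, 0): (11, 0, 5),
    (10, 2): (10, 2, 10),
    (10, 1): (10, 1, 14),
}

# major.minor.maint with an optional "-hN" hotfix suffix, e.g. 10.2.9-h1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maint, hotfix); hotfix is 0 when absent.

    Raises ValueError for anything that does not look like a PAN-OS version,
    so typos in an inventory fail loudly instead of being silently skipped.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the train's fixed release, False if at/above it.

    None means the train is not in the article's table (e.g. 11.1.x), which
    the article does not list as affected; treat that as "check the advisory",
    not as "safe".
    """
    major, minor, maint, _hotfix = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    # Assumption: the decision is made on the maintenance release number only;
    # 10.2.9-h1 is still below 10.2.10 and therefore still vulnerable.
    return (major, minor, maint) < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version) pairs into patch / ok / unknown lists."""
    buckets: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, version in inventory:
        status = is_vulnerable(version)
        key = "unknown" if status is None else ("patch" if status else "ok")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("fw-dc1-edge", "10.2.9-h1"),
    ("fw-dc1-core", "10.2.10"),
    ("fw-branch-07", "10.1.13"),
    ("fw-lab", "11.1.2"),
    ("fw-dc2-edge", "11.0.5"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

Feed it the output of your asset inventory rather than a hand-typed list; the `unknown` bucket is the one to review by hand against the vendor advisory, because a train that is absent from a third-party write-up is not evidence that it is unaffected.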

Palo Alto Networks has published detailed upgrade guides and established a dedicated support channel for organizations requiring emergency patching assistance. The vendor has also released indicators of compromise (IOCs) and detection signatures for Threat Prevention subscribers.

In their official advisory, Palo Alto Networks stated: “We are actively monitoring exploitation attempts and working closely with affected customers to ensure rapid remediation. Organizations should prioritize patching of internet-facing GlobalProtect gateways above all other maintenance activities.”

Mitigations & Workarounds

For organizations unable to immediately deploy patches, Palo Alto Networks recommends implementing the following temporary mitigations:

Primary Mitigation – Restrict Access:

# Restrict management-interface access to trusted source addresses.
# Note: permitted-ip governs the management interface only; it does not limit
# who can reach the GlobalProtect portal/gateway on a dataplane interface.
# Restrict the portal itself with a security policy rule on its zone.
set deviceconfig system permitted-ip [ip-address/netmask]

Implement Additional Authentication Controls:

  • Enable certificate-based authentication as a pre-authentication requirement
  • Deploy multi-factor authentication for all VPN connections
  • Restrict GlobalProtect access to known IP ranges via firewall policies

Network Segmentation:

# Create a dedicated security zone for VPN users and bind the GlobalProtect
# tunnel interface to it, so VPN traffic is subject to its own policy rules
set zone vpn-users network layer3 [tunnel-interface]
set zone vpn-users enable-user-identification yes

Isolate GlobalProtect users into a dedicated security zone with strict egress filtering and micro-segmentation policies until patching is complete.

Emergency Workaround:

Organizations can temporarily disable the GlobalProtect portal and gateway and fall back to a remote access path that does not depend on them (for example, jump hosts reached through a separately maintained access gateway) until patching is complete. GlobalProtect Clientless VPN is served by the same portal, so it is not an alternative once the portal is disabled. This causes significant operational disruption but eliminates exposure to CVE-2026-0257.

Detection & Monitoring

Organizations should implement comprehensive monitoring to detect potential exploitation attempts and successful compromises.

Log Analysis Indicators:

# Search the authd log for authentication anomalies. PAN-OS does not expose a shell,
# so run this against the unpacked tech support file exported from the firewall.
# The keywords are illustrative markers, not strings the vendor has published.
grep -E "(bypass|anomaly|invalid_state)" var/log/pan/authd.log

Detection Signatures:

Monitor for the following indicators in GlobalProtect logs:

  • Authentication success without corresponding credential validation events
  • Unusual authentication timing (sub-second authentication completion)
  • Authentication requests containing abnormal special characters
  • Multiple rapid authentication attempts from single source IPs

SIEM Correlation Rules:

rule: CVE-2026-0257_Exploitation_Attempt
condition:
  - event.type: "globalprotect_auth"
  - event.status: "success"
  - NOT EXISTS: event.credential_validation
  - event.duration: < 1000ms
severity: CRITICAL
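The four indicators above and the SIEM rule are stated declaratively; what a detection engineer actually needs is logic that can be run over log records and tuned. The following added example, not Palo Alto Networks code, implements all four over a handful of constructed log lines: a success event with no preceding credential-validation event for the same request, a success completing in under a second, a username that decodes to control or otherwise abnormal characters, and a burst of attempts from one source. The log format (ISO timestamp followed by `key=value` pairs with `src`, `req`, `event`, `user`, `duration_ms`) is invented for the example; map your real GlobalProtect or system log fields onto those keys before use.

```python
"""Run the article's GlobalProtect exploitation indicators over sample log lines.

Added example, not vendor code. The key=value log format and SAMPLE_LOG are
constructed; real PAN-OS logs use their own field layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample: one legitimate login (a1), one anomalous login (b1) and a
# burst of requests (b2..b6) from the same source.
SAMPLE_LOG = """\
2026-01-15T10:00:01.250Z src=198.51.100.23 req=a1 event=auth_request user=jdoe
2026-01-15T10:00:01.300Z src=198.51.100.23 req=a1 event=credential_validated user=jdoe
2026-01-15T10:00:02.900Z src=198.51.100.23 req=a1 event=auth_success user=jdoe duration_ms=1650
2026-01-15T10:00:05.000Z src=203.0.113.9 req=b1 event=auth_request user=%00admin%1b%5b
2026-01-15T10:00:05.120Z src=203.0.113.9 req=b1 event=auth_success user=%00admin%1b%5b duration_ms=120
2026-01-15T10:00:06.000Z src=203.0.113.9 req=b2 event=auth_request user=svc-vpn
2026-01-15T10:00:06.500Z src=203.0.113.9 req=b3 event=auth_request user=svc-vpn
2026-01-15T10:00:07.000Z src=203.0.113.9 req=b4 event=auth_request user=svc-vpn
2026-01-15T10:00:07.500Z src=203.0.113.9 req=b5 event=auth_request user=svc-vpn
2026-01-15T10:00:08.000Z src=203.0.113.9 req=b6 event=auth_request user=svc-vpn
"""

# Conservative allowlist for decoded usernames: letters, digits, . _ @ and a
# backslash for DOMAIN\user. Anything else (control bytes, escapes) is abnormal.
USERNAME_ALLOWED = re.compile(r"^[A-Za-z0-9._@\\-]+$")

Finding = Tuple[str, str, str]  # (indicator, source ip, detail)


def parse_line(line: str) -> Dict[str, object]:
    """Parse 'timestamp k=v k=v ...' into a record with a datetime under 'ts'."""
    ts_text, *pairs = line.split()
    record: Dict[str, object] = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S.%fZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(records, burst_threshold=5, burst_window=timedelta(seconds=10),
           fast_ms=1000) -> List[Finding]:
    """Apply the four indicators; thresholds are tunables, defaults are assumptions."""
    findings: List[Finding] = []
    # Requests that went through the credential check, keyed by request id.
    validated = {r["req"] for r in records if r.get("event") == "credential_validated"}
    requests_by_src: Dict[str, List[datetime]] = defaultdict(list)

    for r in records:
        event = r.get("event")
        if event == "auth_request":
            requests_by_src[str(r["src"])].append(r["ts"])
            # Decode percent-encoding first so %00 / %1b are judged as the bytes they become.
            decoded = unquote(str(r.get("user", "")))
            if not USERNAME_ALLOWED.match(decoded):
                findings.append(("abnormal_username", str(r["src"]), str(r["req"])))
        elif event == "auth_success":
            if r["req"] not in validated:
                findings.append(("success_without_validation", str(r["src"]), str(r["req"])))
            if int(str(r.get("duration_ms", "0"))) < fast_ms:
                findings.append(("sub_second_auth", str(r["src"]), str(r["req"])))

    # Sliding window over each source's request timestamps; one finding per source.
    for src, times in requests_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append(("rapid_attempts", src,
                                 f"{end - start + 1} requests in {burst_window.seconds}s"))
                break
    return findings


if __name__ == "__main__":
    for indicator, src, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{indicator:28s} {src:15s} {detail}")
```

The success-without-validation check is the one worth alerting on at CRITICAL severity on its own; sub-second timing and odd usernames produce false positives on their own (cached SSO sessions, unusual but legitimate identifiers) and are better used to raise the score of a source that already tripped the first check.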

Organizations using Palo Alto Networks Threat Prevention subscriptions should update to the latest threat signature database, which includes specific detection for CVE-2026-0257 exploitation attempts (Threat ID 95847).

Best Practices

Beyond immediate remediation, organizations should implement comprehensive security hardening for VPN infrastructure:

Architecture Security:

  • Never expose management interfaces directly to the internet
  • Implement dedicated management VLANs with strict access controls
  • Deploy VPN gateways in DMZ segments with minimal trust relationships
  • Require certificate-based authentication in addition to credentials

Operational Security:

# Enable comprehensive logging
set deviceconfig system logging logging-level high
set deviceconfig system logging log-export-schedule recurring every-hour

# Configure syslog forwarding to SIEM
set shared log-settings syslog [siem-server] server [ip-address] facility LOG_USER

Vulnerability Management:

  • Subscribe to vendor security advisories and threat intelligence feeds
  • Implement automated patch testing and deployment pipelines
  • Maintain asset inventory of all internet-facing security infrastructure
  • Conduct quarterly external vulnerability assessments

Access Control:

  • Implement principle of least privilege for VPN access policies
  • Regularly audit and recertify VPN user access rights
  • Deploy network access control (NAC) for endpoint compliance verification
  • Enable session timeout and idle disconnect policies

Incident Response Preparation:

Maintain documented playbooks for VPN compromise scenarios, including procedures for emergency VPN service suspension, forensic log collection, and alternative remote access activation.

Key Takeaways

  • CVE-2026-0257 represents a critical authentication bypass in PAN-OS GlobalProtect with confirmed active exploitation
  • Unauthenticated remote attackers can gain full VPN access to protected networks on vulnerable systems
  • Over 45,000 potentially vulnerable instances are exposed to internet-based attacks
  • Emergency patches are available and must be deployed immediately
  • Organizations unable to patch should implement access restrictions and enhanced monitoring
  • The vulnerability affects PAN-OS 11.0.x, 10.2.x, and 10.1.x prior to specific patched versions
  • Comprehensive logging and monitoring are essential for detecting exploitation attempts
  • VPN infrastructure should be treated as critical security infrastructure requiring rigorous hardening

References

  • Palo Alto Networks Security Advisory: PAN-SA-2026-0001
  • CVE-2026-0257 - NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-0257
  • Palo Alto Networks: GlobalProtect Emergency Patch Guide
  • CISA Alert AA25-XXX: Active Exploitation of PAN-OS GlobalProtect
  • Palo Alto Networks: Threat Prevention Content Release 8947
  • PAN-OS Upgrade/Downgrade Matrix Documentation
  • GlobalProtect Best Practices Deployment Guide

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.