Full Report
Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals. The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad
Analysis Summary
# Vulnerability: PAN-OS GlobalProtect Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-0257
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS software.
- **Versions:** Not enumerated in the source report. The 10.2, 11.0, 11.1 and 11.2 release trains are commonly cited for GlobalProtect issues, but that is unconfirmed for this CVE; take the exact affected and fixed maintenance releases from the official advisory.
- **Configurations:** Systems with GlobalProtect Gateway or GlobalProtect Portal enabled.
## Vulnerability Description
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway components of PAN-OS. A remote, unauthenticated attacker can bypass authentication and obtain unauthorized access to the GlobalProtect interface. The vendor statement quoted above does not describe the root cause; any specific mechanism (for example, improper validation of authentication tokens or session state on the VPN-facing interfaces) is speculation until the advisory or a technical write-up confirms it.
## Exploitation
- **Status:** **Exploited in the wild.** Palo Alto Networks has confirmed active exploitation by unknown threat actors.
- **Complexity:** Low.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Unauthorized access to internal portal resources).
- **Integrity:** Low/Medium (Depending on the level of access gained post-bypass).
- **Availability:** Low.
## Remediation
### Patches
Palo Alto Networks has released security updates for the affected release trains. The fixed maintenance release numbers are not reproduced in the source report, so do not treat the train alone as "patched":
- PAN-OS 10.2.x (fixed maintenance release per advisory, or later)
- PAN-OS 11.0.x (fixed maintenance release per advisory, or later)
- PAN-OS 11.1.x (fixed maintenance release per advisory, or later)
- PAN-OS 11.2.x (fixed maintenance release per advisory, or later)
*(Consult the vendor security advisory for the exact fixed version in each train and confirm the running version with `show system info` after upgrading.)*
### Workarounds
- If patching is not immediately possible, restrict access to the GlobalProtect Portal/Gateway to known-good source addresses with security policy (allow the trusted source networks to the portal/gateway address, then deny all other sources to that address). This reduces exposure but does not remove the bypass for any source that is still allowed.
- Disable the GlobalProtect Portal/Gateway if it is not required for business operations (this removes remote-access capability until the service is re-enabled).
## Detection
- **Indicators of Compromise:** No vendor-published IOCs (source IPs, artefacts) are included in the source report. Because this is an authentication bypass, the artefact to hunt for is a successful GlobalProtect login that the user did not perform: successful authentications from unrecognised IP addresses or unexpected geographic locations, logins outside a user's normal hours, and the same account authenticating from two distant locations within a short window.
- **Detection methods and tools:**
- Review `authd.log` and `system.log` on the firewall (for example `less mp-log authd.log` from the CLI) and the GlobalProtect logs in the web UI for anomalies in authentication sequences, such as a successful login with no corresponding credential-validation event.
- Use Palo Alto Networks Threat Prevention signatures to detect exploit attempts, provided the subscription is active and content updates are current; check the advisory for the signature ID, which the source report does not list.
- Check for unauthorized configuration changes or newly created local users and administrators, since these are the persistence steps an attacker with portal access would typically take.
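The log review described above can be scripted. The following is an added example, not code from Palo Alto Networks or the source report: it runs three of the checks listed (success from an untrusted source network, success from an unexpected country, impossible travel for one user) plus a check for local-user creation over a set of constructed log lines. The line layout, the trusted networks and the expected country are all assumptions; real PAN-OS authd/GlobalProtect log exports use a different field order, so the two regular expressions are the parts to adapt.

```python
"""Hunt for suspicious GlobalProtect authentications (added example)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value layout. This is NOT the
# real PAN-OS field order; adapt LINE_RE/KV_RE to the export you have.
SAMPLE_LOG = """\
2026-01-14T08:01:12Z gp-portal-login user=alice src=203.0.113.10 geo=US result=success
2026-01-14T08:03:40Z gp-portal-login user=bob src=198.51.100.7 geo=US result=failure
2026-01-14T08:03:52Z gp-portal-login user=bob src=198.51.100.7 geo=US result=success
2026-01-14T08:20:05Z gp-gateway-login user=alice src=192.0.2.44 geo=RU result=success
2026-01-14T09:10:00Z gp-portal-login user=svc-backup src=192.0.2.99 geo=CN result=success
2026-01-14T09:11:30Z config-commit admin=svc-backup change="add local user 'support' in shared"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed baseline: where legitimate users normally come from.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
EXPECTED_GEOS = {"US"}
# Two successful logins from different countries closer together than this
# are flagged as impossible travel.
TRAVEL_WINDOW = timedelta(minutes=30)


def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "event": m["event"]}
    for key, value in KV_RE.findall(m["kv"]):
        rec[key] = value.strip('"')
    return rec


def find_alerts(log_text):
    """Return (kind, subject, detail) tuples for every suspicious record."""
    alerts = []
    last_success = {}  # user -> (timestamp, geo) of the previous successful login
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["event"].startswith("gp-") and rec.get("result") == "success":
            user, geo = rec["user"], rec.get("geo")
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in TRUSTED_NETS):
                alerts.append(("untrusted-source", user, rec["src"]))
            if geo not in EXPECTED_GEOS:
                alerts.append(("unexpected-geo", user, geo))
            prev = last_success.get(user)
            if prev and prev[1] != geo and rec["ts"] - prev[0] <= TRAVEL_WINDOW:
                alerts.append(("impossible-travel", user, f"{prev[1]}->{geo}"))
            last_success[user] = (rec["ts"], geo)
        elif rec["event"] == "config-commit" and "local user" in rec.get("change", ""):
            # Persistence step: a new local account committed after a suspicious login.
            alerts.append(("new-local-user", rec["admin"], rec["change"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in find_alerts(SAMPLE_LOG):
        print(f"{kind:18} {subject:12} {detail}")
```

On the sample data the script is silent for alice's and bob's office logins, raises untrusted-source, unexpected-geo and impossible-travel for alice's second login from RU nineteen minutes after her US login, raises untrusted-source and unexpected-geo for svc-backup, and flags the local-user creation that follows. Failed logins are deliberately ignored: with an authentication bypass there may be no failures at all, which is why the baseline checks matter more than brute-force counting.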
## References
- Palo Alto Networks Security Advisory: hxxps[://]security[.]paloaltonetworks[.]com/
- NIST NVD: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-0257