CVE-2026-0257
Confirmed PUBLISHEDPAN-OS: GlobalProtect Authentication Bypass Vulnerabilities
3 days faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.
- CVE Published
- May 13, 2026
- Exploitation Reported
- Jun 01, 2026
- CVSS
- 7.8 High
- EPSS
- 86.7%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Siemens |
RUGGEDCOM APE1808
|
0 to < * |
Affected |
| Palo Alto Networks |
Cloud NGFW
|
All |
Unaffected |
| Palo Alto Networks |
PAN-OS
|
12.1.0 to < 12.1.7, 12.1.4-h6 Changed to unaffected at 12.1.7 Changed to unaffected at 12.1.4-h6 |
Affected |
| Palo Alto Networks |
PAN-OS
|
11.2.0 to < 11.2.12, 11.2.10-h7, 11.2.7-h14, 11.2.4-h17 Changed to unaffected at 11.2.12 Changed to unaffected at 11.2.10-h7 Changed to unaffected at 11.2.7-h14 Changed to unaffected at 11.2.4-h17 |
Affected |
| Palo Alto Networks |
PAN-OS
|
11.1.0 to < 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33 Changed to unaffected at 11.1.15 Changed to unaffected at 11.1.13-h5 Changed to unaffected at 11.1.10-h25 Changed to unaffected at 11.1.7-h6 Changed to unaffected at 11.1.6-h32 Changed to unaffected at 11.1.4-h33 |
Affected |
| Palo Alto Networks |
PAN-OS
|
10.2.0 to < 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34 Changed to unaffected at 10.2.18-h6 Changed to unaffected at 10.2.16-h7 Changed to unaffected at 10.2.13-h21 Changed to unaffected at 10.2.10-h36 Changed to unaffected at 10.2.7-h34 |
Affected |
| Palo Alto Networks |
Prisma Access
|
10.2.0 to < 10.2.10-h36 Changed to unaffected at 10.2.10-h36 |
Affected |
| Palo Alto Networks |
Prisma Access
|
11.2.0 to < 11.2.7-h13 Changed to unaffected at 11.2.7-h13 |
Affected |
CVE References
- Vendor Advisory — security.paloaltonetworks.com security.paloaltonetworks.com · Vendor Advisory https://security.paloaltonetworks.com/CVE-2026-0257
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| The Shadowserver First | 2026-05-30 07:34 UTC |
| BleepingComputer | 2026-05-30 18:02 UTC |
| CVE | 2026-06-01 10:28 UTC |
| CISA | 2026-06-02 14:00 UTC |
| TheHackerNews | 2026-06-02 14:21 UTC |
| All CISA Advisories | 2026-06-02 14:21 UTC |
| Palo Alto Unit42 | 2026-06-05 14:20 UTC |
Operational indicators for this CVE are listed on the Detection tab.
Indicators of Compromise (IoCs)
Operational indicators linked to exploitation of this CVE. IoCs age over time — especially IP addresses.
| Type | Indicator | First Seen | Last Seen | Age | Source |
|---|---|---|---|---|---|
| IP |
23.128.228.6
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
| IP |
104.207.144.154
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
| IP |
146.19.216.119
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
| IP |
146.19.216.120
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
| IP |
146.19.216.125
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
| IP |
179.43.172.213
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
| IP |
185.195.232.139
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
| IP |
198.12.106.60
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
| IP |
202.144.192.47
|
2026-06-05 17:24 UTC | 2026-06-05 17:24 UTC | about 1 month ago | Source |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2026/CVE-2026-0257.yaml | Jun 03, 2026 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:A/AU:N/R:A/V:D/RE:M/U:Red
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitation Status
Exploited in the wild
Recorded 2026-06-01 10:28:27 UTC · CVE
Proof of concept available
Recorded 2026-06-10 07:34:30 UTC · GitHub
Weaknesses (CWE)
-
Reliance on Cookies without Validation and Integrity Checking
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2026/CVE-2026-0257.yaml | Jun 03, 2026 |
| Nessus | https://www.tenable.com/plugins/nessus/314450 | May 14, 2026 |
Recent Mentions
TheHackerNews · Jun 15, 2026
Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals. The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad
Palo Alto Unit42 · Jun 05, 2026
We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257. The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42.
BleepingComputer · May 30, 2026
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. [...]
TheHackerNews · May 30, 2026
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the
Palo Alto Networks Security Advisories · May 29, 2026
All CISA Advisories · May 29, 2026
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-0257 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability This type of vulnerability is a frequent attack vectors for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-07-08 00:18:11 UTC · 0 stars
CVE-2026-0257 - Palo Alto PAN-OS GlobalProtect Auth Override Cookie Forgery - PoC & Analysis | CVSS 9.1 CRITICAL CISA KEV | AMN SECURITY
github · Created 2026-06-10 07:34:30 UTC · 1 stars
GrayXploit Security research and defensive team validate this toolkit for CVE-2026-0257 (PAN-OS GlobalProtect Authentication Bypass). Includes vulnerability assessment, detection guidance, technical analysis, indicators of compromise (IOCs), and remediation validation resources for security teams and defenders.
github · Created 2026-06-09 11:16:53 UTC · 0 stars
github · Created 2026-06-03 07:54:36 UTC · 2 stars
Palo Alto Networks PAN-OS contains an authentication bypass caused by flaws in the GlobalProtect portal and gateway, letting attackers establish unauthorized VPN connections, exploit requires network access to the portal or gateway.
github · Created 2026-06-01 12:02:27 UTC · 0 stars
PAN-OS: GlobalProtect Authentication Bypass
github · Created 2026-05-29 20:27:44 UTC · 2 stars
github · Created 2026-05-29 11:46:55 UTC · 20 stars
Proof-of-concept script to leverage the PAN-OS GlobalProtect authentication bypass CVE-2026-0257
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
07:34 UTC about 1 month ago07:34 UTC · about 1 month ago
Public PoC available
Public proof-of-concept code published
-
17:24 UTC about 1 month ago17:24 UTC · about 1 month ago
Indicators of compromise added (9)
Indicators of compromise recorded
-
14:20 UTC about 1 month ago14:20 UTC · about 1 month ago
KEV confirmed by Palo Alto Unit42
Exploitation attested by an external source
-
04:30 UTC about 2 months ago04:30 UTC · about 2 months ago
Nuclei template available
Scanner coverage available
-
14:21 UTC about 2 months ago14:21 UTC · about 2 months ago
KEV confirmed by All CISA Advisories
Exploitation attested by an external source
-
14:21 UTC about 2 months ago14:21 UTC · about 2 months ago
KEV confirmed by TheHackerNews
Exploitation attested by an external source
-
14:00 UTC about 2 months ago14:00 UTC · about 2 months ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
10:28 UTC about 2 months ago10:28 UTC · about 2 months ago
KEV confirmed by CVE
Exploitation attested by an external source
-
18:02 UTC about 2 months ago18:02 UTC · about 2 months ago
KEV confirmed by BleepingComputer
Exploitation attested by an external source
-
07:34 UTC about 2 months ago07:34 UTC · about 2 months ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
03:47 UTC 2 months ago03:47 UTC · 2 months ago
Nessus plugin available
Scanner coverage available
-
18:15 UTC 2 months ago18:15 UTC · 2 months ago
CVE published
Vulnerability disclosed publicly
-
20:44 UTC 9 months ago20:44 UTC · 9 months ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2026-0257
{
"cve_id": "CVE-2026-0257",
"title": "PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities",
"affected_vendor": "Palo Alto Networks",
"affected_product": "Cloud NGFW, PAN-OS, Prisma Access",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 7.8,
"epss_score": 0.86678,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}