Palo Alto Networks has disclosed that CVE-2026-0257, an authentication bypass flaw in PAN-OS and Prisma Access, is under active exploitation in the wild. With a CVSS score of 7.8, the vulnerability allows threat actors to establish unauthorised VPN connections, circumventing the authentication mechanisms that should protect remote access gateways.

Why This Matters for Infrastructure Teams

VPN gateways are often the first line of defence for remote workers and infrastructure access. An authentication bypass at this layer is particularly dangerous because it grants attackers direct entry into protected networks without needing valid credentials. Unlike a vulnerability that requires user interaction or specific conditions, this flaw can be exploited directly against the gateway itself.

The fact that exploitation is already occurring in the field means threat actors have weaponised the vulnerability. This typically happens within days or weeks of disclosure for moderate-to-high severity flaws affecting widely deployed infrastructure products. Any organisation running PAN-OS or Prisma Access should assume its instances are being actively probed.

Scope and Affected Versions

Palo Alto's advisory identifies PAN-OS GlobalProtect as the primary attack surface. GlobalProtect is a client-based VPN that allows organisations to secure remote access for employees, contractors, and distributed teams. Prisma Access, Palo Alto's cloud-delivered security platform, uses similar underlying authentication mechanisms and is also vulnerable.

The vulnerability likely affects multiple PAN-OS releases. Organisations should check Palo Alto's security advisory for the specific versions that require patching, as version numbers and availability of fixes vary by deployment type (standalone, HA cluster, or cloud).

Immediate Actions for Operators

First, apply any available security patches immediately. Palo Alto typically releases fixes for active exploits within 24–48 hours of confirmation. Check your current PAN-OS version and cross-reference against the advisory to determine if you are exposed.

If patches are not yet available for your version, consider temporary mitigations. These typically include restricting VPN access to known IP ranges, enabling additional authentication factors (multi-factor authentication), and monitoring GlobalProtect gateway logs for suspicious connection attempts. Review authentication logs for any sign of unauthorised access or anomalous connection patterns.

Network segmentation is equally important. Ensure that even if a VPN connection is established without proper authentication, the attacker lands in a controlled zone with limited access to critical systems. Use firewall rules to restrict lateral movement from VPN entry points to sensitive infrastructure.
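As an added illustration of the log review described above (this is not code from Palo Alto or from the advisory), the following Python script walks through constructed GlobalProtect-style records and flags three things: sources outside an allowed range, repeated authentication failures, and a tunnel established with no preceding successful authentication, which is the trace an authentication bypass would leave. The five-column layout, the event names, the addresses and the threshold are assumptions for illustration, not the product's exact export format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records in an assumed, simplified CSV layout:
# timestamp, event, status, user, public_ip.  Addresses are documentation
# ranges; the event names only mimic the style of GlobalProtect logs.
SAMPLE_LOG = """\
2026-02-01T08:00:01,gateway-auth,success,alice,203.0.113.10
2026-02-01T08:00:02,gateway-connected,success,alice,203.0.113.10
2026-02-01T08:05:10,gateway-connected,success,bob,198.51.100.7
2026-02-01T08:07:30,gateway-auth,failure,carol,203.0.113.22
2026-02-01T08:07:31,gateway-auth,failure,carol,203.0.113.22
2026-02-01T08:07:32,gateway-auth,failure,carol,203.0.113.22
"""

# Assumed allow-list of source ranges that legitimate remote users come from.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def triage(log_text: str, allowed=ALLOWED_RANGES, fail_threshold=3):
    """Return (reason, user, ip) findings an analyst should look at, in log order."""
    findings = []
    authenticated = set()        # (user, ip) pairs with an earlier successful auth
    failures = defaultdict(int)  # (user, ip) -> number of failed auth attempts
    for _ts, event, status, user, ip in csv.reader(io.StringIO(log_text)):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed):
            findings.append(("source outside allowed ranges", user, ip))
        key = (user, ip)
        if event == "gateway-auth" and status == "success":
            authenticated.add(key)
        elif event == "gateway-auth" and status == "failure":
            failures[key] += 1
            if failures[key] == fail_threshold:
                findings.append(("repeated auth failures", user, ip))
        elif event == "gateway-connected" and key not in authenticated:
            # A tunnel came up with no successful authentication seen for
            # this user/address: the pattern to prioritise for response.
            findings.append(("connection without observed auth", user, ip))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A real deployment would map the exported log fields onto these five columns and treat the third rule as the highest-priority alert.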

Long-Term Hardening Strategies

Authentication bypass vulnerabilities in VPN appliances highlight the need for defence-in-depth. Never rely on a single gateway for complete security. Layer in additional controls such as endpoint detection and response (EDR), network-based anomaly detection, and host-based firewalls on critical systems.

Consider moving from hardware appliances to cloud-delivered VPN services where patch management is handled by the provider. If you operate your own infrastructure, establish a rapid patching cycle for security updates—ideally within 48–72 hours of release for critical and high-severity flaws.

Authentication bypass vulnerabilities in remote access gateways have been exploited by major threat groups in the past to establish persistent footholds. The difference between a patch applied within hours and one applied within weeks can determine whether an incident is contained or becomes a major breach. Treating VPN gateway security with the same urgency as endpoint protection is no longer optional.