Active exploitation of Palo Alto GlobalProtect auth bypass signals VPN perimeter as primary attack vector
CVE-2026-0257, a medium-severity authentication bypass in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect, is now under active exploitation in the wild. Attackers are using it to establish unauthorised VPN connections and breach corporate networks.
Palo Alto Networks has confirmed that CVE-2026-0257, assigned a CVSS score of 7.8, is being actively exploited by threat actors to bypass authentication controls in GlobalProtect VPN services. The flaw allows unauthenticated attackers to establish VPN sessions without valid credentials, effectively circumventing the primary trust boundary many organisations depend on to gate access to internal networks from untrusted locations.
An authentication bypass in a VPN concentrator is a high-impact attack primitive: once an attacker holds a VPN tunnel, they operate from a position of network adjacency, often bypassing the perimeter controls designed to defend against external reconnaissance and lateral movement. The attacker's problem shifts from "how do I reach the edge" to "how do I move internally once trusted access is granted".
Organisations running PAN-OS and Prisma Access should assume active reconnaissance is occurring. A medium severity rating combined with active exploitation indicates that attackers weaponised the flaw faster than typical patch cycles allow. Defenders cannot rely on time-to-patch; immediate action is required to identify GlobalProtect instances in use, assess the network segmentation behind those gateways, and implement detection rules for abnormal VPN authentication patterns.
This incident reflects a broader pattern: VPN and remote access infrastructure continues to be targeted as a strategic entry point, particularly by intrusion campaigns seeking persistent network presence. The shift from vulnerability disclosure to active exploitation within a short window suggests either zero-day activity predating public disclosure or rapid adoption of proof-of-concept code by multiple threat actors.
Defenders should prioritise applying Palo Alto's patches immediately, reviewing VPN access logs for suspicious authentication events, enforcing multi-factor authentication at the VPN layer where it is not already deployed, and assessing whether network segmentation limits lateral movement for attackers who do breach the VPN perimeter. The vulnerability's use in real-world attack chains demonstrates that an authentication mechanism cannot be the sole security control protecting sensitive network infrastructure.
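The log review and the detection rules for abnormal VPN authentication recommended above can be sketched as two simple heuristics run over a VPN log export. The following is an added example written for this article, not Palo Alto's code or tooling: the CSV layout, field names, event names and sample lines are constructed for illustration and do not reproduce the real PAN-OS GlobalProtect log schema, and the rules make no assumption about how CVE-2026-0257 itself works. Rule 1 flags a gateway session that was established without a recent successful portal or gateway authentication from the same user and source address; rule 2 flags one account connecting from several distinct source addresses in a short window. Thresholds are assumptions to be tuned per environment.

```python
"""Heuristic review of GlobalProtect-style VPN logs for authentication anomalies.

Added example: not Palo Alto's code. The CSV layout below is a constructed,
simplified approximation of a VPN log export, not the real PAN-OS schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Assumed columns:
# timestamp, event, status, user, src_ip, auth_method (may be empty)
SAMPLE_LOG = """\
2026-01-14T08:00:02Z,portal-auth,success,alice,198.51.100.10,saml
2026-01-14T08:00:05Z,gateway-auth,success,alice,198.51.100.10,saml
2026-01-14T08:00:06Z,gateway-connected,success,alice,198.51.100.10,saml
2026-01-14T08:10:00Z,gateway-connected,success,bob,203.0.113.7,
2026-01-14T08:12:30Z,portal-auth,failure,carol,203.0.113.9,ldap
2026-01-14T08:12:41Z,gateway-connected,success,carol,203.0.113.9,
2026-01-14T09:00:00Z,portal-auth,success,dave,192.0.2.20,saml
2026-01-14T09:00:03Z,gateway-connected,success,dave,192.0.2.20,saml
2026-01-14T09:05:00Z,portal-auth,success,dave,192.0.2.21,saml
2026-01-14T09:05:02Z,gateway-connected,success,dave,192.0.2.21,saml
2026-01-14T09:08:00Z,portal-auth,success,dave,192.0.2.22,saml
2026-01-14T09:08:01Z,gateway-connected,success,dave,192.0.2.22,saml
"""

# Assumed thresholds; tune to the environment.
AUTH_WINDOW = timedelta(minutes=5)      # how long a successful auth "covers" a connect
MULTI_IP_WINDOW = timedelta(minutes=15)  # window for the multi-source rule
MULTI_IP_THRESHOLD = 3                   # distinct source IPs per user in that window


def parse_log(text):
    """Parse the constructed CSV into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, status, user, src_ip, method = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "status": status, "user": user,
            "src_ip": src_ip, "method": method or None,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def connects_without_auth(events):
    """Rule 1: a tunnel was established but no successful portal/gateway
    authentication for the same (user, src_ip) occurred within AUTH_WINDOW."""
    recent_auth = {}  # (user, src_ip) -> time of last successful auth
    findings = []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["event"] in ("portal-auth", "gateway-auth") and e["status"] == "success":
            recent_auth[key] = e["ts"]
        elif e["event"] == "gateway-connected" and e["status"] == "success":
            last = recent_auth.get(key)
            if last is None or e["ts"] - last > AUTH_WINDOW:
                findings.append((e["ts"], e["user"], e["src_ip"]))
    return findings


def multi_source_users(events):
    """Rule 2: one account connecting from >= MULTI_IP_THRESHOLD distinct
    source IPs inside MULTI_IP_WINDOW, which suggests account or session abuse."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "gateway-connected" and e["status"] == "success":
            by_user[e["user"]].append((e["ts"], e["src_ip"]))
    findings = []
    for user, conns in by_user.items():
        for ts, _ in conns:
            ips = {ip for t, ip in conns if ts <= t <= ts + MULTI_IP_WINDOW}
            if len(ips) >= MULTI_IP_THRESHOLD:
                findings.append((user, sorted(ips)))
                break  # one finding per user is enough
    return findings


def review(text=SAMPLE_LOG):
    """Run both rules and return their findings keyed by rule name."""
    events = parse_log(text)
    return {
        "connect_without_auth": connects_without_auth(events),
        "multi_source": multi_source_users(events),
    }


if __name__ == "__main__":
    for rule, hits in review().items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

On the constructed sample, rule 1 flags bob (a tunnel with no authentication record at all) and carol (a tunnel following only a failed portal login), while rule 2 flags dave for connecting from three addresses within eight minutes. Both rules are deliberately simple; in production the same joins would be expressed in the SIEM's query language against the real field names, and rule 1 in particular should be tuned to the gateway's actual event ordering before it is used for alerting.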