Last updated: July 5, 2026 at 9:01 AM UTC
Tag: palo-alto (3 articles)

Palo Alto PAN-OS GlobalProtect authentication bypass CVE-2026-0257 actively exploited since May 17, added to CISA KEV - patch urgently

Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.

Check
Inventory PAN-OS and Prisma Access firewalls with GlobalProtect portal/gateway configured. Check whether authentication-override cookies are enabled. Review VPN logs for unauthorized sessions since May 17.
Affected
PAN-OS firewalls with GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Exploitation confirmed across numerous Rapid7 customers since May 17.
Fix
Apply the Palo Alto patch urgently. Temporary mitigation: disable the authentication-override feature or generate a dedicated certificate for it. FCEB agencies must remediate per CISA KEV deadline.

Palo Alto Networks firewalls have a critical hole that lets attackers run code as root - hackers are already using it, no patch until May 13 (CVE-2026-0300)

Palo Alto Networks confirmed Wednesday that attackers are exploiting a zero-day in its firewall login portal to run code as root on PA-Series and VM-Series firewalls. CVE-2026-0300 (CVSS 9.3) is a buffer overflow in the User-ID Authentication Portal (Captive Portal) that lets unauthenticated attackers send crafted packets and execute code without any login. Palo Alto Unit 42 attributed the activity to CL-STA-1132, a likely state-sponsored cluster that started probing on April 9 and achieved RCE a week later. Attackers deploy tunneling tools and enumerate Active Directory using the firewall's service account. First patches arrive May 13. Shadowserver counts 5,800+ exposed VM-Series firewalls.

Check
Inventory Palo Alto PA-Series and VM-Series firewalls. Check whether the User-ID Authentication Portal is enabled and reachable from untrusted IPs. Hunt nginx crash logs for signs that they were cleared since April 9.
Affected
PA-Series and VM-Series firewalls running PAN-OS with the User-ID Authentication Portal exposed to public internet or untrusted IPs. CVE-2026-0300, CVSS 9.3 (8.7 if portal restricted to internal IPs). Prisma Access, Cloud NGFW, and Panorama are NOT affected. Shadowserver tracks 5,800+ exposed VM-Series instances; thousands more likely sit behind load balancers.
Fix
Restrict the User-ID Authentication Portal to trusted internal networks - this is the primary mitigation until patches arrive. Disable the portal entirely if not strictly required. Block ports 6081 and 6082 from untrusted IPs. Stage May 13 patches: 12.1.4-h5, 11.2.7-h13, 11.1.4-h33, 10.2.10-h36. Treat any compromised firewall as a domain-wide breach starting point - rotate firewall service account credentials.

Anthropic launches 'Claude Security' for enterprises - the first major defensive product designed to keep up with AI-powered exploits that compress the time-to-attack to minutes

Anthropic launched Claude Security in public beta yesterday, an enterprise tool that scans code repositories for vulnerabilities, rates each finding's severity and confidence, and generates patch instructions that engineers can apply through Claude Code. The launch is a direct response to Mythos and similar AI-driven offensive tools that have been compressing the time between vulnerability disclosure and active exploitation - LiteLLM was exploited 36 hours after disclosure last week, LMDeploy in 13 hours the week before. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, Trend, and Wiz are integrating Claude Opus 4.7 into their platforms.

Check
If your organization holds a Claude Enterprise subscription, evaluate Claude Security against your existing static analysis tools this week.
Affected
Claude Enterprise customers can access Claude Security in public beta now via claude.ai/security or the Claude.ai sidebar. No API integration required. Team and Max access is coming soon. The deeper relevance is for any security team facing the new exploitation cadence: AI-driven offense has shrunk the patch window for several recent disclosures.
Fix
Pilot Claude Security on a non-critical repository first - point it at a side project before pointing it at production code. Scheduled scans give ongoing coverage rather than one-off audits. Pair the output with Claude Code on the Web to work through patches in a single session. For organizations not on Claude Enterprise: evaluate Aisle, Wiz Code, or GitHub Copilot Autofix on confidence rating and false positive rate.