Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: pan-os (2 articles)Clear

Palo Alto PAN-OS GlobalProtect authentication bypass CVE-2026-0257 actively exploited since May 17, added to CISA KEV - patch urgently

Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.

Check
Inventory PAN-OS and Prisma Access firewalls with GlobalProtect portal/gateway configured. Check whether authentication-override cookies are enabled. Review VPN logs for unauthorized sessions since May 17.
Affected
PAN-OS firewalls with GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Exploitation confirmed across numerous Rapid7 customers since May 17.
Fix
Apply the Palo Alto patch urgently. Temporary mitigation: disable the authentication-override feature or generate a dedicated certificate for it. FCEB agencies must remediate per CISA KEV deadline.

Palo Alto Networks firewalls have a critical hole that lets attackers run code as root - hackers are already using it, no patch until May 13 (CVE-2026-0300)

Palo Alto Networks confirmed Wednesday that attackers are exploiting a zero-day in its firewall login portal to run code as root on PA-Series and VM-Series firewalls. CVE-2026-0300 (CVSS 9.3) is a buffer overflow in the User-ID Authentication Portal (Captive Portal) that lets unauthenticated attackers send crafted packets and execute code without any login. Palo Alto Unit 42 attributed the activity to CL-STA-1132, a likely state-sponsored cluster that started probing on April 9 and achieved RCE a week later. Attackers deploy tunneling tools and enumerate Active Directory using the firewall's service account. First patches arrive May 13. Shadowserver counts 5,800+ exposed VM-Series firewalls.

Check
Inventory Palo Alto PA-Series and VM-Series firewalls. Check whether the User-ID Authentication Portal is enabled and reachable from untrusted IPs. Hunt nginx crash logs for evidence of clearing since April 9.
Affected
PA-Series and VM-Series firewalls running PAN-OS with the User-ID Authentication Portal exposed to public internet or untrusted IPs. CVE-2026-0300, CVSS 9.3 (8.7 if portal restricted to internal IPs). Prisma Access, Cloud NGFW, and Panorama are NOT affected. Shadowserver tracks 5,800+ exposed VM-Series instances; thousands more likely sit behind load balancers.
Fix
Restrict the User-ID Authentication Portal to trusted internal networks - this is the primary mitigation until patches arrive. Disable the portal entirely if not strictly required. Block ports 6081 and 6082 from untrusted IPs. Stage May 13 patches: 12.1.4-h5, 11.2.7-h13, 11.1.4-h33, 10.2.10-h36. Treat any compromised firewall as a domain-wide breach starting point - rotate firewall service account credentials.