CISA Warns Palo Alto PAN-OS Vulnerability Actively Exploited in Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert: threat actors are actively exploiting a critical authentication bypass in Palo Alto Networks PAN-OS, tracked as CVE-2026-0257.
The flaw lets attackers circumvent normal login checks and establish unauthorized VPN connections, creating direct paths into enterprise networks.
Palo Alto Networks PAN-OS Vulnerability
The flaw stems from improper authentication logic in PAN-OS, consistent with CWE-565 (relying on cookies without proper validation and authorization checks). It allows remote actors to skip login requirements and impersonate legitimate users.
Attackers can create persistent VPN sessions that may bypass some multi-factor authentication setups, enabling initial access, lateral movement, and potential data exfiltration.
CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, confirming real-world active exploitation.
There is no public attribution to a specific ransomware group yet, but because the bug affects VPN infrastructure it is a high-value vector for attackers seeking footholds in corporate environments.
PAN-OS devices are frequently deployed at the network edge (firewalls and security gateways) and are commonly reachable from the internet, increasing exposure to automated scans and targeted probing.
Mitigation and Detection
- Patch: Apply Palo Alto Networks’ vendor patches or updates addressing CVE-2026-0257 as the highest priority.
- If you cannot patch immediately: disable or restrict affected VPN services; restrict management and VPN access to trusted IP ranges or VPN concentrators; enforce network-level access controls.
- Harden authentication: review and, where possible, strengthen multi-factor configurations and session-handling settings to reduce bypass risk.
- Network segmentation: isolate VPN termination points and limit access to sensitive resources from those segments.
- Monitoring and logging: enable detailed VPN and authentication logging; retain logs for forensic review.
Indicators worth hunting for in those logs:
- Unusual VPN login patterns: sudden increases in concurrent sessions, repeated logins for a single account, or logins outside normal hours.
- Connections from unfamiliar or new external IP addresses.
- Anomalous session behavior: long-lived sessions that do not match known usage patterns, or unexpected internal resource access following a VPN connection.
Detection steps: review authentication and VPN logs, correlate them with proxy/IDS telemetry, and look for lateral movement after VPN session creation.
- U.S. federal agencies were required under Binding Operational Directive (BOD) 22-01 to remediate the vulnerability by June 1, 2026. Organizations should follow similar timelines and document remediation activities.
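As an added illustration of the log-review guidance above (example code, not from CISA, Palo Alto Networks or the original article), the script below runs three of the listed indicators over constructed sample VPN login records: logins outside business hours, logins from source IPs absent from a baseline, and bursts of repeated logins for one account. The record format, the business-hours window and the thresholds are assumptions, not PAN-OS's own log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication events (not real PAN-OS output).
# One event per line: timestamp, user, source IP, event type.
SAMPLE_LOG = """\
2026-05-29T02:14:05 alice 203.0.113.9 login-success
2026-05-29T02:14:40 alice 203.0.113.9 login-success
2026-05-29T02:15:02 alice 203.0.113.9 login-success
2026-05-29T09:03:11 bob 198.51.100.7 login-success
2026-05-29T09:30:44 carol 198.51.100.7 login-success
2026-05-29T23:55:00 dave 192.0.2.33 login-success
"""

KNOWN_IPS = {"198.51.100.7"}   # constructed baseline of previously seen source IPs
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 local time is "normal"
REPEAT_THRESHOLD = 3           # this many successful logins for one account ...
REPEAT_WINDOW_S = 600          # ... within this many seconds counts as a burst

def parse(log):  # turn the sample format into (datetime, user, ip, event) tuples
    events = []
    for line in log.splitlines():
        ts, user, ip, event = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, event))
    return events

def repeated_login_span(times, threshold=REPEAT_THRESHOLD, window_s=REPEAT_WINDOW_S):
    times = sorted(times)  # seconds spanned by the first burst inside the window, else None
    for i in range(len(times) - threshold + 1):
        span = int((times[i + threshold - 1] - times[i]).total_seconds())
        if span <= window_s:
            return span
    return None

def find_anomalies(log):  # sorted, de-duplicated (indicator, user, detail) findings
    findings = set()
    logins_per_user = defaultdict(list)
    for ts, user, ip, event in parse(log):
        if event != "login-success":
            continue  # failed attempts are outside these three checks
        logins_per_user[user].append(ts)
        if ts.hour not in BUSINESS_HOURS:
            findings.add(("off-hours-login", user, ip))
        if ip not in KNOWN_IPS:
            findings.add(("unfamiliar-source-ip", user, ip))
    for user, times in logins_per_user.items():
        span = repeated_login_span(times)
        if span is not None:
            findings.add(("repeated-logins", user, f"{REPEAT_THRESHOLD} logins in {span}s"))
    return sorted(findings)
```

On the sample data, alice trips all three indicators and dave two, while bob and carol (business hours, baseline IP) produce no findings.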