Palo Alto Networks has issued an urgent warning regarding active exploitation of a recently disclosed PAN-OS vulnerability, CVE-2026-0257 (CVSS score: 7.8), which affects the portal and gateway components of the GlobalProtect VPN. The authentication bypass flaw lets threat actors circumvent security controls and establish unauthorized VPN connections. Initial exploitation activity was observed on May 17, 2026, with limited attacks detected in the wild. The company has released indicators of compromise (IoCs), including IP addresses, host names, and MAC addresses associated with the activity. No post-access behavior or lateral movement has been identified. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to mitigate the flaw by June 1, 2026. Palo Alto Networks urges customers to search GlobalProtect logs for successful gateway-connected events matching hard-coded client configuration values from a proof-of-concept exploit.
CVEs: CVE-2026-0257, CVE-2026-11645
Companies: Palo Alto Networks, CISA
Products: PAN-OS, GlobalProtect
Original source: thehackernews.com