
CVE-2026-0257: Palo Alto GlobalProtect Auth Bypass Now on CISA's Hit List

CISA just added this Palo Alto GlobalProtect vulnerability to the Known Exploited Vulnerabilities catalog. If your VPN runs on PAN-OS, your remote workers might not be the only ones connecting.

Darius J Davis · May 28, 2026

CISA doesn't add things to the KEV catalog for fun.

When CISA adds a vulnerability to the Known Exploited Vulnerabilities catalog, it means one thing: attackers are actively using this in the wild right now. It's not theoretical. It's not "could be exploited." It is being exploited. Today. Against real organizations.

CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS GlobalProtect. GlobalProtect is the VPN client that thousands of businesses use to give their employees secure remote access.

CISA added it to the KEV catalog on May 29, 2026. Federal agencies have a hard deadline to patch. Everyone else should treat that deadline as their own because the same attackers hitting federal networks are scanning your network too.

What GlobalProtect is and why this matters.

GlobalProtect is how your remote workers connect to the office network securely. They open the VPN client, authenticate, and get a secure tunnel back to corporate resources. File shares, internal apps, email, everything.

An authentication bypass in GlobalProtect means an attacker can connect to your VPN without valid credentials. They get the same access your remote workers get. Internal network. File shares. Applications. Everything behind the firewall that was supposed to be protected.

And because VPN connections are designed to look like legitimate traffic, this kind of access is hard to detect. The attacker looks like just another remote worker connecting from home. Except they're not your employee and they're not connecting from home.

This is the second Palo Alto CVE this month.

CVE-2026-0300 (the captive portal RCE I wrote about earlier) and now CVE-2026-0257. Two critical Palo Alto vulnerabilities in the same month. Both actively exploited. Both requiring immediate patching.

If you're running PAN-OS and you haven't patched in the last 30 days, you're likely vulnerable to both. And attackers are chaining vulnerabilities together. The auth bypass gets them in the door. The RCE gives them root. Game over.

This isn't unique to Palo Alto. Every major firewall vendor has had critical vulnerabilities this year:

  • SonicWall CVE-2026-0204: Authentication bypass in SonicOS
  • Fortinet: Multiple actively exploited CVEs throughout 2026
  • Cisco: CVE-2026-20182 in Catalyst SD-WAN (CISA KEV)

The pattern is consistent: edge devices (firewalls, VPN concentrators, SD-WAN controllers) are the most attacked infrastructure category in 2026. They're internet-facing, they're complex, and when they fall, the attacker gets everything behind them.

What you need to do.

1. Check your PAN-OS version. If you run any Palo Alto equipment, log into Panorama or the firewall management console and verify you're on a patched version. The advisory is on security.paloaltonetworks.com.

2. If you can't patch immediately, restrict GlobalProtect access. Limit which source IPs can reach the GlobalProtect portal. If your remote workers connect from known locations, allowlist those IPs and block everything else. Not a fix, but it shrinks the attack surface while you schedule the update.

3. Review your VPN access logs. Look for connections from unexpected locations, at unusual times, or from IP addresses that don't match your employee base. A VPN connection from a residential IP in Romania at 3am when all your employees are in Chicago is something you want to investigate.

4. Implement MFA on your VPN. If you haven't already, this is not optional anymore. Even with the auth bypass patched, stolen VPN credentials are one of the most common initial access vectors for ransomware. MFA on VPN should have been done years ago.

5. Consider moving to a zero-trust network access (ZTNA) model. Traditional VPNs give authenticated users broad network access. ZTNA gives each user access to only the specific applications they need, verified on every request. The blast radius of a compromised session is dramatically smaller.
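Steps 2 and 3 above come down to checking each successful VPN login against a source-IP allowlist, an expected-region set and business hours, then looking for the same account appearing from more than one region. The script below is an added example, not code from the post or from Palo Alto; the CSV column layout and the sample records are constructed stand-ins, not the real PAN-OS GlobalProtect log schema, so map the field names to your own export before using it.

```python
"""Triage of GlobalProtect-style VPN login records (added example)."""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample export; the columns are a simplified stand-in for a
# GlobalProtect log export, not the real PAN-OS schema.
SAMPLE_LOG = """\
time,user,public_ip,region,event,status
2026-05-28 09:12:04,jsmith,203.0.113.10,US,gateway-auth,success
2026-05-28 03:07:41,jsmith,198.51.100.7,RO,gateway-auth,success
2026-05-28 14:30:02,mlee,203.0.113.22,US,gateway-auth,success
2026-05-28 22:45:19,svc_backup,192.0.2.55,US,gateway-auth,success
2026-05-28 11:02:55,attacker,198.51.100.9,RO,gateway-auth,failure
"""

# Assumed environment: known employee egress ranges, home region, hours.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_REGIONS = {"US"}
BUSINESS_HOURS = range(6, 22)  # 06:00-21:59 in the firewall's local time


def flag_login(row):
    """Return the list of reasons one successful login looks suspicious."""
    reasons = []
    ip = ipaddress.ip_address(row["public_ip"])
    if not any(ip in net for net in ALLOWED_SOURCES):
        reasons.append("source not in allowlist")
    if row["region"] not in EXPECTED_REGIONS:
        reasons.append(f"unexpected region {row['region']}")
    hour = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S").hour
    if hour not in BUSINESS_HOURS:
        reasons.append(f"off-hours login at {hour:02d}:00")
    return reasons


def triage(log_text):
    """Map (user, public_ip) -> reasons for every flagged successful login."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["status"] != "success":
            continue  # failed attempts never granted access; handle separately
        reasons = flag_login(row)
        if reasons:
            findings[(row["user"], row["public_ip"])] = reasons
    return findings


def multi_region_users(log_text):
    """Accounts that logged in successfully from more than one region."""
    regions = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["status"] == "success":
            regions.setdefault(row["user"], set()).add(row["region"])
    return {u: sorted(r) for u, r in regions.items() if len(r) > 1}
```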

The VPN model is showing its age.

VPNs were designed in an era when the security model was simple: the network has an inside and an outside, and the VPN is the bridge. If you're authenticated, you're trusted. You get full access to the inside.

That model doesn't hold up when:

  • The authentication mechanism itself gets bypassed (CVE-2026-0257)
  • Credentials get stolen through phishing (89% of incidents)
  • Remote workers connect from personal devices with questionable security
  • Contractors and vendors need access but shouldn't see everything

Zero trust doesn't mean "trust nobody." It means "verify every request." Every user, every device, every application, every time. It's a shift, and it doesn't happen overnight, but it's where security is heading for a reason.

If you're reevaluating your remote access strategy in light of these VPN vulnerabilities, that's a smart instinct. We help businesses design and implement remote access architectures that don't fall apart when the next CVE drops.

(773) 417-9994 or southsidechisolutions.com

