CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS affecting the GlobalProtect portal and gateway, has been actively exploited in the wild — with attacks beginning just four days after the flaw was publicly disclosed and continuing for weeks, according to security researchers.
How CVE-2026-0257 Lets Attackers Forge GlobalProtect VPN Sessions Without Credentials
The vulnerability allows attackers to forge session cookies and establish unauthorized VPN connections to enterprise networks without providing valid credentials. GlobalProtect is Palo Alto Networks’ remote access VPN product, widely deployed at large enterprises and government agencies as their primary gateway for remote network access. A successful exploit grants an attacker an initial foothold inside the target network, from which lateral movement, credential harvesting, or data exfiltration can proceed.
Four Days from Disclosure to Active Exploitation: CVE-2026-0257’s Attack Timeline
The speed of weaponization is a defining characteristic of this incident. Security researchers report that exploitation began approximately four days after CVE-2026-0257 was publicly disclosed — a timeline close to the 48-to-72-hour window that threat actors have demonstrated they can achieve for high-value enterprise network vulnerabilities. The fact that exploitation has been ongoing for weeks suggests that both opportunistic scanning operations and more targeted intrusion campaigns have incorporated this flaw into their toolkits.
Enterprise and Government Exposure: Why GlobalProtect Is a High-Value Target
GlobalProtect’s deployment profile — large enterprises and government agencies as primary remote access infrastructure — makes CVE-2026-0257 a particularly sought-after exploit. VPN authentication bypass flaws provide a clean path to network access that avoids endpoint detection controls, since the connection appears to originate from a legitimate VPN session. Palo Alto Networks has issued patches and is urging customers to apply them immediately.
Patch Guidance and Detection Considerations for PAN-OS Administrators
Palo Alto Networks has made patches available for the affected PAN-OS versions and is directing all customers to update immediately. Organizations running GlobalProtect should also review VPN session logs for authentication attempts or sessions that do not correspond to known user devices or locations, particularly for sessions established in the weeks following the initial public disclosure of CVE-2026-0257. Both opportunistic and targeted exploitation activity has been observed.
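The session review described above can be scripted against an exported log. The following is an added example, not code from Palo Alto Networks or from the researchers cited: the CSV column names, the sample rows and the cut-off date are constructed placeholders to be replaced with your own log fields and the date from the vendor advisory.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export. Column names are assumptions for this example,
# not the PAN-OS log schema; map them to your own GlobalProtect log fields.
SAMPLE_LOG = """time,user,device,source_country
2026-01-03T08:12:00Z,alice,LT-ALICE-01,US
2026-01-04T09:00:00Z,bob,LT-BOB-07,DE
2026-01-12T08:20:00Z,alice,LT-ALICE-01,US
2026-01-14T02:41:00Z,bob,,BR
2026-01-15T03:05:00Z,carol,LT-CAROL-02,US
2026-01-16T10:00:00Z,alice,LT-ALICE-01,FR
"""

# Placeholder cut-off, NOT the real disclosure date: set it from the advisory.
DISCLOSURE = datetime(2026, 1, 10, tzinfo=timezone.utc)

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_unfamiliar_sessions(log_text, disclosure):
    """Return (time, user, reasons) for post-disclosure sessions that do not
    match a device or location seen for that user before disclosure."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: parse_time(r["time"]))
    devices, countries, findings = {}, {}, []
    for row in rows:
        user, device, country = row["user"], row["device"], row["source_country"]
        if parse_time(row["time"]) < disclosure:
            # Pre-disclosure sessions form the per-user baseline.
            if device:
                devices.setdefault(user, set()).add(device)
            countries.setdefault(user, set()).add(country)
            continue
        reasons = []
        if user not in countries:
            reasons.append("no pre-disclosure baseline for user")
        else:
            if device not in devices.get(user, set()):
                reasons.append("unknown or missing device")
            if country not in countries[user]:
                reasons.append("unknown location")
        if reasons:
            findings.append((row["time"], user, reasons))
    return findings

if __name__ == "__main__":
    for when, user, reasons in find_unfamiliar_sessions(SAMPLE_LOG, DISCLOSURE):
        print(when, user, "; ".join(reasons))
```

A hit is a lead for review, not proof of compromise: new laptops and travel produce the same signal, so correlate each finding with asset inventory and the user before acting.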
