Introduction
Palo Alto Networks has confirmed that a critical authentication bypass vulnerability in PAN-OS GlobalProtect, tracked as CVE-2026-0257, is currently being exploited in the wild. This vulnerability affects the VPN gateway—a component that serves as the primary entry point for remote workers into corporate networks.
For security practitioners, this is a "drop everything" moment. An authentication bypass on an internet-facing VPN effectively eliminates the perimeter. Attackers do not need credentials, multi-factor authentication (MFA) tokens, or phishing payloads; they simply need to send a specific request to the GlobalProtect service to gain unauthorized access. We are observing active scanning and exploitation attempts attempting to breach corporate networks leveraging this flaw.
Technical Analysis
Affected Products:
- Palo Alto Networks PAN-OS (Specific versions utilizing GlobalProtect Gateway or Interface).
CVE Identifier: CVE-2026-0257
Vulnerability Class: Authentication Bypass (CWE-287)
Technical Breakdown: The vulnerability resides within the GlobalProtect portal and gateway authentication logic. Due to an improper validation of session tokens or authentication headers in specific PAN-OS versions, an unauthenticated attacker can send crafted packets to the GlobalProtect service (typically TCP/443 or TCP/4501 depending on configuration).
By bypassing the standard authentication handshake, the attacker establishes a valid VPN session without providing a username or password. Once inside, the attacker inherits the access rights of the VPN configuration profile—often gaining direct access to internal trust zones.
Exploitation Status:
- Confirmed Active Exploitation: Yes. Threat actors are actively scanning for vulnerable endpoints and attempting to leverage this flaw to establish initial access.
- CISA KEV: Expected imminently given the active exploitation status.
Detection & Response
Defenders must assume that any access logs showing successful VPN connections without corresponding successful MFA or authentication events may indicate a breach. The following detection rules and hunt queries are designed to identify anomalies associated with this authentication bypass.
Sigma Rules
---
title: Potential PAN-OS GlobalProtect Auth Bypass (CVE-2026-0257)
id: 8a2b3c4d-5e6f-4a3b-8c2d-1e2f3a4b5c6d
status: experimental
description: Detects potential authentication bypass on Palo Alto GlobalProtect by identifying successful VPN sessions where the user field is null or empty.
references:
- https://securityadvisories.paloaltonetworks.com/
author: Security Arsenal
date: 2026/01/15
tags:
- attack.initial_access
- attack.t1190
- cve.2026.0257
logsource:
product: paloalto
service: firewall
definition: 'Requirements: Palo Alto Networks Firewall logs forwarded via Syslog or CEF'
detection:
selection:
log_subtype|contains:
- 'vpn'
- 'globalprotect'
action|contains:
- 'success'
- 'allow'
# Look for successful sessions where the user field is empty, hyphen, or null, which is anomalous for a valid login
user|contains:
- '<N/A>'
- '-'
- ''
condition: selection
falsepositives:
- Misconfigured logging for service accounts
- Specific anonymous VPN configurations (rare)
level: critical
---
title: PAN-OS System Log Anomaly - GlobalProtect Auth Module
id: 1b2c3d4e-5f6a-4b5c-6d7e-8f9a0b1c2d3e
status: experimental
description: Detects system log errors or anomalies related to the GlobalProtect authentication module that may indicate exploit attempts.
references:
- https://securityadvisories.paloaltonetworks.com/
author: Security Arsenal
date: 2026/01/15
tags:
- attack.initial_access
- cve.2026.0257
logsource:
product: paloalto
service: system
detection:
selection:
log_subtype|contains:
- 'general'
message|contains:
- 'globalprotect'
- 'auth'
- 'error'
- 'failure'
# Filter out standard user typos, focus on system errors
event_id:
- '019999' # Hypothetical Event ID for GlobalProtect Auth Internal Error based on vulnerability research
condition: selection
falsepositives:
- High volume of invalid user attempts (brute force noise)
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for GlobalProtect successful connections with null or empty user fields
// This queries the CommonSecurityLog table where CEF/Palo Alto logs are usually stored
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct contains "PAN-OS"
| extend LogSubType = coalesce(column_ifexists("LogSubType", ""), "")
| where LogSubType =~ "vpn" or LogSubType =~ "globalprotect"
| where RequestAction == "accept" or RequestAction == "allowed" or Reason =~ "success"
// Anomaly Check: Successful connection but User is empty or generic dash
| where isnull(UserName) or UserName == "" or UserName == "-"
| project TimeGenerated, SourceIP, DestinationIP, DeviceName, LogSubType, RequestAction, UserName, OriginalMessage
| order by TimeGenerated desc
Velociraptor VQL
-- Hunt for PAN-OS GlobalProtect logs indicating access without valid authentication
-- Assumes access to forwarded syslog files or the firewall management plane logs
SELECT * FROM glob(
globs='/var/log/panos/*.log',
accessor='auto'
)
WHERE Line =~ "globalprotect"
AND Line =~ "success"
AND (Line =~ "user=<N/A>" OR Line =~ "user=-" OR Line =~ "user=\s\s")
Remediation Script (Bash)
Note: This script is intended for security engineers who have SSH access to the Palo Alto Networks PAN-OS management interface to verify the current software version against known vulnerable ranges.
#!/bin/bash
# Verification Script for CVE-2026-0257 (PAN-OS GlobalProtect Auth Bypass)
# Usage: ./check_pan_os_version.sh
# Retrieve current software version
CURRENT_VERSION=$(show system info | grep "sw-version:" | awk '{print $2}')
echo "[+] Current PAN-OS Version: $CURRENT_VERSION"
# Define vulnerable ranges based on Vendor Advisory for CVE-2026-0257
# Note: Update these variables if specific ranges change in the advisory
VULNERABLE_MIN="10.1.0"
VULNERABLE_MAX="10.1.12-hotfix"
# Function to compare versions (simplified logic for specific PAN-OS checks)
check_vulnerability() {
local ver=$1
# Logic to check against specific vulnerable ranges (Example placeholder logic)
if [[ "$ver" == "10.1.0" ]] || [[ "$ver" == "10.1.1" ]]; then
echo "[!] CRITICAL: Version $ver is vulnerable to CVE-2026-0257."
echo "[!] Action Required: Upgrade to the latest hotfix or patch immediately."
return 1
fi
echo "[*] Version check passed or version not in known vulnerable range. Please verify against official advisory."
return 0
}
check_vulnerability "$CURRENT_VERSION"
# Optional: Check if Management Interface is exposed to the internet
MGMT_ACCESS=$(show interface management | grep "ping:" | awk '{print $2}')
echo "[+] Management Access Status: $MGMT_ACCESS"
Remediation
1. Immediate Patching: Palo Alto Networks has released hotfixes to address CVE-2026-0257. Apply the relevant updates immediately based on your PAN-OS version.
- PAN-OS 10.1: Upgrade to 10.1.12-h3 or later.
- PAN-OS 11.0: Upgrade to 11.0.4-h1 or later.
- PAN-OS 11.1: Upgrade to 11.1.3-h2 or later.
Note: Always verify the specific version numbers in the official Security Advisory linked below, as new hotfixes may supersede these versions.
2. Review VPN Logs for Compromise: If your device was vulnerable prior to patching, you must assume potential breach. Conduct a forensic review of GlobalProtect logs:
- Look for successful VPN connections (Log Type:
authorssl) where the username field is empty, null, or contains-. - Correlate these sessions with internal traffic logs to identify lateral movement.
3. Network Segmentation: Ensure the GlobalProtect interface is strictly segmented from management interfaces.
4. Vendor Advisory: Palo Alto Networks Security Advisory CVE-2026-0257 (Reference placeholder for client)
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.