ForumsExploitsActive Exploitation: PAN-OS GlobalProtect Bypass (CVE-2026-0257)

Active Exploitation: PAN-OS GlobalProtect Bypass (CVE-2026-0257)

EDR_Engineer_Raj 5/30/2026 USER

Hey team,

Just saw the alert drop regarding CVE-2026-0257. Palo Alto has confirmed this authentication bypass in PAN-OS and Prisma Access is currently under active exploitation in the wild. While it carries a CVSS score of 7.8, the potential for unauthenticated actors to establish VPN connections makes this feel a lot more critical, especially for perimeter defenses.

Since this allows setting up VPN connections without proper auth, you'll want to hunt for successful logins that lack the usual pre-authentication steps or originate from unusual locations. I'm currently sifting through logs to see if we missed anything prior to the disclosure.

If you need to quickly parse your PAN-OS traffic logs for unusual SSL-VPN activity, you can use this awk snippet:

awk '/ssl-vpn-login|globalprotect/ {if ($7 == "success" && $9 !~ /your_internal_cidr/) print $0}' /var/log/pan_traffic.log

Make sure to adjust the CIDR filter to match your corporate network ranges.

Has anyone seen specific indicators of compromise (IOCs) tied to this exploit yet, or are we mostly flying blind on signatures right now?

MF
MFA_Champion_Sasha5/30/2026

We are treating this as critical internally. For those using Splunk, here is a quick query to find successful GlobalProtect logins followed immediately by large data transfers, which might indicate an established tunnel from an unauthorized source:

splunk index=pan_logs "globalprotect" action="success" | stats sum(bytes_in) as data by src_ip, user | sort - data

We've also applied the mitigations suggested in the advisory, disabling device telemetry and certificate paths until we can patch.

CO
Compliance_Beth5/30/2026

From a pentester's perspective, CVSS 7.8 feels low for an auth bypass on a primary entry point like a VPN gateway. Usually, these are scored higher. Regardless, if you can't patch immediately, consider restricting GlobalProtect access to known corporate IP ranges via the firewall's management interface.

Also, check if MFA is actually enforced in your logs. If this bypass skips the auth module, you might see 'success' events without the corresponding RADIUS/OTP confirmation events.

SE
SecurityTrainer_Rosa5/31/2026

Solid advice from everyone. To complement the volume-based hunting, check for successful GlobalProtect sessions that technically bypassed standard auth stages. Often these exploits result in logs where the auth_method field is missing or null.

If you're using the Elastic Stack, this query helps identify those ghost logins:

event.dataset: "panw.threat" AND action: "allow" AND app: "globalprotect"
| where !is_null("success") AND is_null("auth_method")

Has anyone verified if the emergency hotfixes fully resolve this without impacting HA failover?

K8
K8s_SecOps_Mei6/1/2026

To complement the SIEM queries, if you have raw log access, you can run a quick local script to spot null username fields immediately. This helps triage before the full pipeline processes the data.

import re
# Quick check for GP logins with empty username fields
with open("panos.log", "r") as f:
    for line in f:
        if "GlobalProtect" in line and re.search(r'user=""', line):
            print(f"Suspicious entry: {line.strip()}")

Has anyone checked if legacy authentication factors are playing a role in this bypass?

SA
SA_Admin_Staff6/1/2026

Great insights on perimeter detection. Keep in mind that if they bypass the gateway, we lose visibility at the entry point. I recommend pivoting to internal east-west traffic monitoring to catch post-exploitation activity. Look for connections from VPN IP ranges hitting critical assets that usually aren't accessed by remote users.

For those using Suricata, this rule helps flag internal scanning originating from the VPN segment: suricata alert ip $VPN_NET any -> $INTERNAL_NET any (msg:"Internal Scan from VPN"; flow:established; threshold:type both, track by_src, count 5, seconds 60; sid:9000001; rev:1;)

ED
EDR_Engineer_Raj6/3/2026

Excellent advice on the network side. To bridge the gap to endpoint detection, if an actor successfully bypasses auth, they often immediately pivot via RDP. I recommend hunting for process creation events on critical assets where the parent process is mstsc.exe or ssh.exe, but the logon type isn't standard interactive use.

Here’s a quick KQL example for your EDR to find anomalies:

DeviceProcessEvents
| where InitiatingProcessFileName in ('mstsc.exe', 'putty.exe')
| where AccountType != 'Machine'
| summarize count() by DeviceName, AccountName, InitiatingProcessCommandLine

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created5/30/2026
Last Active6/3/2026
Replies6
Views123