ForumsExploitsCVE-2026-0257: PAN-OS VPN Tunneling without Auth? - Analysis & Mitigation

CVE-2026-0257: PAN-OS VPN Tunneling without Auth? - Analysis & Mitigation

MFA_Champion_Sasha 5/31/2026 USER

Just saw the update on The Hacker News regarding CVE-2026-0257. Palo Alto is reporting active exploitation of a medium-severity auth bypass in PAN-OS and Prisma Access. A CVSS 7.8 for a VPN bypass feels incredibly generous—giving an attacker a direct tunnel into the LAN without creds is pretty close to 'game over' for the perimeter.

The flaw allows unauthorized VPN connections. If you are running GlobalProtect, you need to audit your logs immediately.

We are correlating GlobalProtect tunnel-up events against successful auth events. If you're using Sentinel, this KQL might help spot the ghost tunnels:

CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct contains "PAN-OS"
| where Activity == "Tunnel Up" or Activity == "GlobalProtect"
| project TimeGenerated, SourceIP, DestinationIP, RequestURL
| join kind=leftanti (
    CommonSecurityLog
    | where DeviceVendor == "Palo Alto Networks"
    | where Activity == "authentication" or Activity == "login"
    | where Message contains "success"
    | project SourceIP
) on SourceIP


We've applied the hotfixes to our 11.1 firewalls, but we're waiting on the vendor to sign off on 11.2. Is anyone seeing these bypass attempts in their wild logs yet? Specifically, are the source IPs known scanners or residential proxies?
PH
PhishFighter_Amy5/31/2026

Good catch on the severity rating. In our SOC, we treat any VPN bypass as Critical regardless of the CVSS score. One thing to note: the query above might generate false positives if you have SAML timeouts or MFA retries. We added a filter to exclude IPs that have a valid Kerberos ticket request within the last hour. Also, double-check your 'GlobalProtect Gateway Configuration'—ensure 'User Identification' isn't set to 'None' on any interfaces.

FI
Firewall_Admin_Joe5/31/2026

I'm managing a fleet of PA-3220s and this was a panic weekend. For those who can't reboot immediately, check your configuration against the 'Best Practices' analyzer in Panorama. I wrote a quick Python script to pull the software version via API to ensure compliance across all devices:

import requests
# Pseudo-code for version check
response = requests.get('https://firewall/api/?type=op&cmd=', auth=('admin', 'API_KEY'))
print(response.status_code)

Just a reminder: rotate your GlobalProtect PSKs immediately after patching.

K8
K8s_SecOps_Mei6/2/2026

Beyond just tunnel-up events, look for established GlobalProtect sessions where the 'user' field is empty—that's a major red flag for this bypass.

On the PAN-OS CLI, you can quickly check for active sessions missing user attribution using this operational command:

show session all | match "GlobalProtect" | no-match ""

While you wait for the patch, enabling Dynamic Decryption on outbound traffic from the VPN subnet can severely limit what a tunneled attacker can achieve laterally inside the LAN.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created5/31/2026
Last Active6/2/2026
Replies3
Views197