Cyber Resilience

CVE-2026-0257

High · CISA KEV · Active Exploitation · Updated

Published: 13 May 2026
Modified: 09 June 2026
KEV Added: 29 May 2026
Patch
CVSS Score (v4): 7.8
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Red
EPSS Score: 0.8668 (99.7th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-0257 is a high-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in Palo Alto Networks PAN-OS. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE is ranked in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect portal and gateway in Palo Alto Networks PAN-OS software. The flaw, tracked under CWE-565, permits an attacker to circumvent security controls and establish an unauthorized VPN connection. Panorama and Cloud NGFW deployments are explicitly not impacted.

An unauthenticated remote attacker can exploit the issue over the network without user interaction or credentials, achieving limited access that bypasses intended VPN authentication restrictions. The CVSS 4.0 score of 7.8 reflects high severity driven by network attack vector, low complexity, and subsequent impacts on confidentiality, integrity, and availability within the broader environment.

Vendor guidance is available in the Palo Alto Networks security advisory, while Siemens has published a related product certificate and CISA has added the CVE to its Known Exploited Vulnerabilities catalog. These sources collectively indicate that organizations should apply available patches or configuration mitigations without delay.

The current EPSS score of 0.5879, matching its recorded peak, combined with CISA KEV listing, signals active real-world exploitation interest following disclosure.

Vulnerability details

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.

CWE(s): CWE-565 (Reliance on Cookies without Validation and Integrity Checking)
KEV Date Added: 29 May 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1133 External Remote Services (Persistence): Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass directly enables unauthorized access to external remote services (VPN) and exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0300 · Same product: Paloaltonetworks Pan-Os · both on KEV
CVE-2025-0111 · Same product: Paloaltonetworks Pan-Os · both on KEV
CVE-2024-3400 · Same product: Paloaltonetworks Pan-Os · both on KEV
CVE-2025-0108 · Same product: Paloaltonetworks Pan-Os · both on KEV
CVE-2025-59718 · Same product: Siemens Ruggedcom Ape1808 · both on KEV
CVE-2026-24858 · Same product: Siemens Ruggedcom Ape1808 · both on KEV
CVE-2026-0227 · Same product: Paloaltonetworks Pan-Os
CVE-2016-5195 · Same product: Paloaltonetworks Pan-Os · both on KEV
CVE-2025-0114 · Same product: Paloaltonetworks Pan-Os
CVE-2023-4966 · Same product class: VPN / SSL gateway · both on KEV

Affected Assets

Vendor: paloaltonetworks · Product: pan-os · Versions: 10.2.10, 10.2.11, 10.2.12, 10.2.13, 10.2.14 · ≤ 10.2.7
Vendor: paloaltonetworks · Product: prisma access · Versions: all versions
Vendor: siemens · Product: ruggedcom ape1808 firmware · Versions: all versions

Mitigating Controls (NIST 800-53 r5) (AI)

Control type: prevent. Directly enforces authentication requirements before granting VPN session establishment, blocking the bypass that allows unauthorized GlobalProtect access.

Control type: prevent. Mandates secure authentication and authorization mechanisms for all remote access connections through the GlobalProtect portal/gateway.

Control type: prevent. Requires identification and authentication of non-organizational users before permitting VPN tunnel establishment, directly countering the unauthenticated bypass.

References