Rapid7 observes new Palo Alto VPN flaw exploited in the wild to bypass GlobalProtect authentication

News
By published

A flaw fixed last month is now being used in real-life attacks

Paper width word VPN and hands on laptop keyboard
(Image credit: Getty Images)
  • Critical PAN‑OS flaw exploited in the wild
  • Authentication bypass enables unauthorized VPN access
  • CISA added CVE‑2026‑0257 to KEV catalog

A recently discovered vulnerability in PAN-OS, the operating system powering Palo Alto’s firewalls, is being actively exploited in the wild, researchers are saying, urging customers to apply the provided patch as soon as possible.

In mid-May this year, Palo Alto disclosed an authentication bypass flaw in the Global Protect portal and gateway that allows threat actors to work around security restrictions and establish an unauthorized VPN connection. The bug is now tracked as CVE-2026-0257, and assigned a severity score of 9.1/10 (critical).

Earlier this week, security researchers Rapid7 said they saw threat actors successfully leveraging this bug in attacks: “Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices,” Rapid7 said in its report. “The earliest date for observed exploitation was May 17, 2026. As of May 29, 2026, this vulnerability has been added to the CISA KEV.”

Latest Videos From

Added to CISA's KEV

The news also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the bug to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch (FCEB) agencies a deadline to patch up or stop using PAN-OS-powered devices entirely.

Initially, the bug was given a medium-severity score, but since it escalated into real-life attacks, the rating has been elevated as well:

"Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," the company said.

Different versions of PAN-OS are affected: 12.1 versions earlier than 12.1.4-h6 or 12.1.7, 11.2 versions earlier than 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12, 11.1 versions earlier than 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15, and 10.2 versions earlier than 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6.

Prisma Access 10.2 and 11.2 deployments running vulnerable releases are also vulnerable. Palo Alto issued a staggered patch schedule starting May 15, 2026, with additional updates rolling out through May 28–29, 2026 depending on the PAN-OS version.

Via The Register

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.