Breach Horizon
vulnerabilities

PAN-OS Auth Bypass CVE-2026-0257: Patch Your Firewall Now

Breach Horizon EditorialJun 2, 20266 min readReviewed by Laurens Vanhaecke

What's Happening

A critical authentication bypass vulnerability in Palo Alto Networks PAN-OS is now on CISA's Known Exploited Vulnerabilities catalog. CVE-2026-0257 allows an unauthenticated attacker to bypass security restrictions and establish an unauthorized VPN connection to your network — no credentials required.

CISA added this on May 29, 2026, with a remediation due date of June 1, 2026. That's a three-day window, which tells you everything you need to know about how serious they consider active exploitation risk to be. If you run PAN-OS firewalls — and if you're an MSP or SMB with any modern network security stack, there's a decent chance you do — this needs to land at the top of your queue today.


What the Vulnerability Actually Does

CVE-2026-0257 is classified under CWE-565, which covers reliance on cookies without validation of their integrity. In plain terms: PAN-OS isn't properly verifying something it should be treating as authoritative, and an attacker can exploit that gap to slip past authentication entirely.

The practical impact is severe:

  • Unauthorized VPN tunnel establishment — An attacker can stand up a VPN connection into your network without ever supplying valid credentials
  • No foothold required — This is a pre-authentication bypass, meaning exploitation happens before any legitimate session exists
  • Perimeter bypass — Your firewall is supposed to be the thing enforcing access control. This vulnerability turns it into an open door

Once an attacker has an active VPN tunnel, they're inside your network perimeter. From there, lateral movement, credential harvesting, data exfiltration, and ransomware staging all become significantly easier. The blast radius here isn't just the firewall — it's everything behind it.


Who's at Risk

Palo Alto Networks PAN-OS is the operating system running on PA-Series firewalls and VM-Series virtual firewalls. It's one of the most deployed enterprise and mid-market firewall platforms in existence, which is exactly why this vulnerability is high-value for attackers.

You should treat this as actively relevant if:

  • You manage PAN-OS firewalls for your own organization or for client environments
  • You run GlobalProtect VPN on PAN-OS
  • You have internet-facing PAN-OS management interfaces (which you shouldn't, but let's be honest about how many environments look in practice)
  • Any of your clients are in regulated industries — healthcare, finance, legal — where a perimeter breach carries compliance and notification consequences on top of the operational damage

MSPs specifically: if you're managing firewall infrastructure for multiple clients, you need to audit every PAN-OS deployment in your RMM or documentation system right now. One unpatched device across your client base is one active incident waiting to happen.


What You Need to Do

Palo Alto Networks has published their advisory at https://security.paloaltonetworks.com/CVE-2026-0257. That's your primary source for version-specific patch information. Here's how to move through this systematically.

Step 1: Inventory your PAN-OS deployments

Pull a list of every PAN-OS device in your environment. If you're using Panorama for centralized management, you can get this from Device > Managed Devices. If you're managing devices individually, check each one. Document the current PAN-OS version running on each device.

Step 2: Check the Palo Alto advisory for affected versions

The vendor advisory will specify which PAN-OS versions are vulnerable and which versions contain the fix. Cross-reference your inventory against the affected version list. Don't assume anything — check every device explicitly.

Step 3: Apply patches

Follow the upgrade path in the Palo Alto advisory. PAN-OS upgrades require downloading the target software package, staging it, and scheduling the upgrade. For production firewalls:

  • Schedule maintenance windows — PAN-OS upgrades require a reboot
  • Test in lower-priority environments first if you have them
  • Verify HA (high availability) failover behavior before patching your primary node in a pair
  • Confirm the upgrade completed successfully and the device is running the patched version before closing the change ticket

Step 4: If you can't patch immediately, apply mitigations

CISA's required action references vendor mitigation guidance as an acceptable interim measure. Check the Palo Alto advisory for available workarounds — these may include disabling specific features, restricting access to management interfaces, or applying Threat Prevention signatures if you have that subscription. Mitigations are not a substitute for patching, but they reduce exposure while you work through a patching queue.

Step 5: Review VPN connection logs

Given that this vulnerability enables unauthorized VPN tunnel establishment, pull your GlobalProtect and VPN logs and look for anomalies:

  • Connections from unexpected geographic locations
  • Connection attempts at unusual hours
  • Successful authentications from IP addresses not associated with known users
  • Multiple failed attempts followed by a successful connection (bypass attempts often look like this)

If you find anything suspicious, treat it as a potential active compromise and initiate your incident response process.

Step 6: Verify management interface exposure

While you're in here: confirm that your PAN-OS management interfaces are not exposed directly to the internet. This is basic hygiene, but it's worth verifying under the context of an active VPN bypass vulnerability. Management access should be restricted to dedicated management networks or accessed via out-of-band methods.


For MSPs Managing Multiple Clients

This is where things get operationally heavy fast. Here's how to handle scale:

  • Prioritize internet-facing deployments first. Devices with GlobalProtect portals or gateways exposed to the internet are your highest-risk assets. Patch those before anything else.
  • Use Panorama if you have it. Panorama can push software packages and orchestrate upgrades across managed devices. If you're managing more than a handful of PAN-OS instances, manual device-by-device patching is going to be slow. Panorama's Software section under Device Deployment is your friend here.
  • Communicate with clients proactively. Don't wait for clients to ask about this. Send a brief notification explaining that a critical vulnerability has been discovered in their firewall platform, that you're actively patching, and what your timeline looks like. This is both good service delivery and liability management.
  • Document everything. For every device you patch: record the pre-patch version, post-patch version, patch date, and who performed the work. CISA KEV compliance documentation requirements are only going to get stricter.

Context: Why the CISA KEV Listing Matters

CISA doesn't add vulnerabilities to the Known Exploited Vulnerabilities catalog speculatively. A listing means there is evidence of active exploitation in the wild. The three-day remediation window for federal agencies (per BOD 22-01) is unusually tight even by KEV standards, which signals that exploitation is happening now, not in some theoretical future scenario.

The KEV also has direct implications beyond federal compliance. Many cyber insurance carriers now reference CISA KEV status when evaluating claims. If you have a breach involving a KEV-listed vulnerability that was unpatched past the due date, you may face coverage complications. Some vendor contracts and compliance frameworks are beginning to incorporate KEV timelines as well.

Bottom line: the KEV listing isn't just a government concern. It's a signal that the broader threat landscape is actively targeting this vulnerability, and your clients' insurers and auditors are paying attention to whether you acted on it.


Quick Reference

Patch it. Review your logs. If you're an MSP, get this into your queue for every client running PAN-OS. The three-day federal window has likely already passed by the time you're reading this — that doesn't mean you're off the hook, it means you're behind.

See what attackers see — before they do.

Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.