- Critical PAN-OS flaw exploited in the wild
- Authentication bypass enables unauthorized VPN access
- CISA added CVE-2026-0257 to the KEV catalog
A recently discovered vulnerability in PAN-OS, the operating system that powers Palo Alto’s firewalls, is being actively exploited in the wild, researchers say, urging customers to apply the available patch as soon as possible.
In mid-May of this year, Palo Alto disclosed an authentication bypass flaw in the GlobalProtect portal and gateway that allows threat actors to bypass security restrictions and establish an unauthorized VPN connection. The bug is now tracked as CVE-2026-0257 and assigned a severity score of 9.1/10 (Critical).
Earlier this week, security researchers at Rapid7 said they saw threat actors successfully exploiting this flaw in attacks: “Rapid7 MDR identified successful exploitation across multiple clients, but we did not observe any indication of successful lateral movement from the devices,” Rapid7 said in its report. “The earliest date of observed exploitation was May 17, 2026. As of May 29, 2026, this vulnerability has been added to CISA KEV.”
Added to CISA’s KEV
The news also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its catalog of known exploited vulnerabilities (KEV), giving Federal Civilian Executive Branch (FCEB) agencies a deadline to completely patch or stop using PAN-OS-powered devices.
Initially, the bug was given a medium severity score, but since it escalated into real attacks, the rating has also been increased:
“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without restrictions,” the company said.
Different versions of PAN-OS are affected: 12.1 versions earlier than 12.1.4-h6 or 12.1.7, 11.2 versions earlier than 11.2.4-h17, 11.2.7-h14, 11.2.10-h7 or version 11.1.11, earlier than 11.2.11. 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 or 11.1.15 and 10.2 versions earlier than 10.2.7-h34, 10.26, 10.26, 10.26, 10.26, 10.26. 10.2.16-h7 or 10.2.18-h6.
Prisma Access 10.2 and 11.2 deployments running vulnerable releases are also affected. Palo Alto issued a staggered patch schedule starting May 15, 2026, with additional updates rolling out through May 28-29, 2026, depending on the PAN-OS version.
Via The Register




