CVE-2026-0257: Palo Alto Networks PAN-OS Authentication Bypass Vulnerability (CISA KEV)

CISA Known Exploited Vulnerability (KEV): This vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog on 2026-05-29 with a required action date of 2026-06-01. It is actively exploited in the wild.

CVE ID: CVE-2026-0257
Vendor: Palo Alto Networks
Product: PAN-OS
CVSS v3.1: 9.1 (CRITICAL) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: 7.8 (HIGH)
CWE: CWE-565

What Is the Vulnerability

Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the GlobalProtect portal and gateway. An unauthenticated attacker with network access to the GlobalProtect portal or gateway can bypass authentication and establish an unauthorized VPN connection. This effectively allows the attacker to access internal network resources as if they were a legitimate VPN user.

The vulnerability affects the GlobalProtect portal and gateway interfaces. Panorama and Cloud NGFW are not impacted by this issue.

Versions Affected

The following PAN-OS versions are vulnerable:

  • 10.2.x branch: All versions < 10.2.7 (including 10.2.7-h1 through 10.2.7-h32), 10.2.8 through 10.2.16-h6
  • 11.1.x branch: 11.1.0 through 11.1.14
  • 11.2.x branch: 11.2.0 through 11.2.10-h1
  • 12.1.x branch: 12.1.2 through 12.1.6
  • Prisma Access: Specific versions (see vendor advisory)

Additionally, Siemens RUGGEDCOM APE1808 firmware is affected due to its use of PAN-OS.
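The affected and fixed ranges above are easy to misread by hand, particularly where hotfix suffixes are involved, so here is an added triage script (not Palo Alto Networks code) that encodes the 11.1.x, 11.2.x and 12.1.x ranges exactly as this page lists them and classifies version strings against them. The 10.2.x branch and Prisma Access are not modelled because the page defers their exact ranges to the vendor advisory; the script reports those branches as "see-vendor-advisory" rather than guessing. The `MAJOR.MINOR.PATCH[-hN]` version shape, the hostnames and the inventory are assumptions for the example.

```python
"""Triage PAN-OS versions against the affected ranges listed on this page.

Added example, not Palo Alto Networks code. Only the 11.1.x, 11.2.x and
12.1.x branches are encoded, directly from the lists above; the 10.2.x
branch and Prisma Access are left to the vendor advisory, which the page
itself defers to for those. Version strings are assumed to use the
"MAJOR.MINOR.PATCH[-hN]" form that appears on the page.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, hotfix (0 = base release)

# (first vulnerable, first fixed) per branch, from "Versions Affected" and "Fix".
# Hotfixes of the last listed vulnerable release (e.g. a hypothetical 11.1.14-h3)
# sort below the fixed release and are therefore treated as vulnerable, which is
# the conservative reading when the page does not list them as fixed.
AFFECTED: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (11, 1): ((11, 1, 0, 0), (11, 1, 15, 0)),
    (11, 2): ((11, 2, 0, 0), (11, 2, 11, 0)),
    (12, 1): ((12, 1, 2, 0), (12, 1, 7, 0)),
}
# Branches the page says are affected but whose exact ranges it defers to the vendor.
DEFERRED_BRANCHES = {(10, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse '11.2.10-h1' -> (11, 2, 10, 1); raises ValueError on other shapes."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def format_version(v: Version) -> str:
    base = f"{v[0]}.{v[1]}.{v[2]}"
    return f"{base}-h{v[3]}" if v[3] else base


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Classify one version: ('vulnerable', first_fixed_release) | ('fixed', None)
    | ('see-vendor-advisory', None) | ('not-listed', None)."""
    v = parse_version(text)
    branch = v[:2]
    if branch in DEFERRED_BRANCHES:
        return ("see-vendor-advisory", None)
    if branch not in AFFECTED:
        return ("not-listed", None)
    first_vulnerable, first_fixed = AFFECTED[branch]
    if v >= first_fixed:
        return ("fixed", None)
    if v >= first_vulnerable:
        return ("vulnerable", format_version(first_fixed))
    return ("not-listed", None)  # e.g. 12.1.0 / 12.1.1, which the page does not list


def needs_upgrade(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """From (hostname, version) pairs, return the hosts the page's ranges mark
    vulnerable together with the first fixed release to move to."""
    hits = []
    for host, version in inventory:
        status, fixed = assess(version)
        if status == "vulnerable" and fixed:
            hits.append((host, version, fixed))
    return hits


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames are hypothetical.
    fleet = [("fw-edge-1", "11.1.14"), ("fw-edge-2", "11.2.10-h1"),
             ("fw-dc-1", "12.1.7"), ("fw-lab", "12.1.1"), ("fw-old", "10.2.9")]
    for host, version in fleet:
        print(host, version, *assess(version))
    print("needs upgrade:", needs_upgrade(fleet))
```

Comparing four-component tuples is what makes hotfix handling safe: `11.2.10-h1` becomes `(11, 2, 10, 1)`, which sorts below the fixed `(11, 2, 11, 0)` and above `(11, 2, 0, 0)`, so it is flagged without any special-casing of the `-hN` suffix.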

Exploited?

YES — Actively Exploited in the Wild. This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog (added 2026-05-29). CISA reports active exploitation. The required action deadline for federal agencies was 2026-06-01 per BOD 22-01. CISA notes: “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Fix

Upgrade to a fixed PAN-OS release:

  • 10.2.x: 10.2.7 or later (including maintenance releases)
  • 11.1.x: 11.1.15 or later
  • 11.2.x: 11.2.11 or later
  • 12.1.x: 12.1.7 or later

For Prisma Access, consult the vendor advisory for specific fixed versions. Siemens has released an advisory (SSA-967325) for affected RUGGEDCOM APE1808 firmware.

Recommendations

  • Immediate: Apply the vendor-provided patches/upgrades as soon as possible.
  • Workaround (if immediate patching is not possible): Restrict network access to the GlobalProtect portal and gateway interfaces to trusted IP ranges only.
  • Monitoring: Review VPN connection logs for unauthorized GlobalProtect connections from unknown sources.
  • Federal agencies (BOD 22-01): The action deadline has passed (2026-06-01). Compliance requires immediate remediation or discontinuation.
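The workaround and monitoring items above share one input: the list of trusted source ranges. The following added script (not Palo Alto Networks code) uses that list to review connection records and flag successful GlobalProtect connections from anywhere outside it, which is the "unknown sources" check the monitoring item asks for. The log lines, the event names and the CSV layout (`timestamp, event, user, source_ip, portal`) are constructed for this example; real GlobalProtect log fields differ and must be mapped onto these names when adapting it. The trusted ranges use documentation prefixes and are likewise assumptions.

```python
"""Review GlobalProtect connection records for sources outside trusted ranges.

Added example, not Palo Alto Networks code. It covers the Workaround and
Monitoring items above: the same trusted-range list a firewall rule would
enforce is used here to flag successful connections from anywhere else.
The log lines and the CSV layout (timestamp, event, user, source_ip, portal)
are constructed for this example; real GlobalProtect log fields differ and
must be mapped onto these names when adapting it.
"""
import csv
import ipaddress
from collections import Counter
from io import StringIO
from typing import Dict, List

# Constructed trusted ranges (RFC 5737 / RFC 3849 documentation prefixes).
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Event names are constructed. Only successful connections are reviewed, since a
# failed portal login does not yield the VPN session the advisory describes.
CONNECT_EVENTS = {"gateway-connected"}

# Constructed sample records for demonstration.
SAMPLE_LOG = """\
timestamp,event,user,source_ip,portal
2026-05-30T08:12:01Z,gateway-connected,alice,203.0.113.25,gp-portal-1
2026-05-30T08:13:44Z,gateway-connected,bob,198.51.100.77,gp-portal-1
2026-05-30T08:15:02Z,portal-auth-failed,carol,198.51.100.77,gp-portal-1
2026-05-30T08:16:30Z,gateway-connected,dave,2001:db8:10::5,gp-portal-1
2026-05-30T08:17:11Z,gateway-connected,eve,192.0.2.9,gp-portal-1
2026-05-30T08:18:00Z,gateway-connected,mallory,not-an-ip,gp-portal-1
2026-05-30T08:19:20Z,gateway-connected,bob,198.51.100.77,gp-portal-1
"""


def is_trusted(ip_text: str, trusted=TRUSTED_RANGES) -> bool:
    """True if the address lies inside one of the trusted ranges (v4 or v6)."""
    ip = ipaddress.ip_address(ip_text.strip())
    return any(ip in net for net in trusted)


def review_connections(log_text: str, trusted=TRUSTED_RANGES) -> Dict[str, object]:
    """Return the flagged records (successful connections from untrusted sources),
    a per-source count, and the number of records whose source could not be parsed.
    Unparseable addresses are counted rather than silently dropped, because a gap
    in the review is itself something to look at."""
    flagged: List[dict] = []
    malformed = 0
    for row in csv.DictReader(StringIO(log_text)):
        if row["event"] not in CONNECT_EVENTS:
            continue
        try:
            trusted_src = is_trusted(row["source_ip"], trusted)
        except ValueError:
            malformed += 1
            continue
        if not trusted_src:
            flagged.append(row)
    by_source = Counter(r["source_ip"] for r in flagged)
    return {"flagged": flagged, "by_source": by_source, "malformed": malformed}


if __name__ == "__main__":
    report = review_connections(SAMPLE_LOG)
    for r in report["flagged"]:
        print(f"{r['timestamp']} {r['user']:<8} from {r['source_ip']} (outside trusted ranges)")
    print("repeat untrusted sources:", dict(report["by_source"]))
    print("unparseable records:", report["malformed"])
```

The per-source count is there because a single untrusted address appearing across several user accounts is more telling than any one flagged line; in the sample the same address connects twice as `bob`, which is the kind of pattern worth following up against the VPN user's expected locations.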

References

This post is part of the Vulnerability Intelligence series on threat-modeling.com. KEV status is indicated in the title, opening paragraph, and this callout per editorial policy.
