Palo Alto Networks Issues Urgent Security Patch Following Active Exploitation of Authentication Bypass Vulnerability
TL;DR
If you’re running Palo Alto Networks infrastructure, stop what you’re doing and check your patch logs. The company just dropped critical security updates for PAN-OS and Prisma Access, and for once, this isn't just routine maintenance. We are looking at active, in-the-wild exploitation.
The situation centers on two primary headaches: a nasty authentication bypass (CVE-2026-0257) that lets attackers waltz into your VPN, and a management interface flaw (CVE-2025-0108) that hackers are chaining with other bugs to gain a foothold. Palo Alto Networks has confirmed that while the exploitation is currently limited, it is happening. Unpatched devices are essentially sitting ducks.
The VPN Problem: CVE-2026-0257
Let’s talk about the big one first. CVE-2026-0257 is a CVSS 7.8 nightmare for any enterprise relying on GlobalProtect for remote access. At its core, this flaw allows an unauthenticated attacker to bypass security checks and initiate a VPN session. It’s the digital equivalent of someone walking through your front door because the lock was installed backward.
The vulnerability specifically targets configurations where the GlobalProtect portal or gateway is live and certain conditions regarding certificate setups and authentication override cookies are met. As reported by The Hacker News, Palo Alto Networks first flagged this issue on May 13, 2026. By May 29, the first confirmed exploit attempts were hitting the wild. If you haven't patched this yet, you are officially behind the curve.
Management Interface Risks: CVE-2025-0108
While the VPN bypass might grab the headlines, don't sleep on CVE-2025-0108. It’s a medium-severity issue (CVSS-BT 5.1) affecting the PAN-OS management web interface, but don't let that "medium" rating fool you.
The flaw allows an unauthenticated attacker with network access to the management interface to trigger specific PHP scripts. The real danger here isn't the vulnerability in isolation; it’s how attackers are using it. We’ve seen evidence of threat actors chaining this bug with two older vulnerabilities—CVE-2024-9474 and CVE-2025-0111—to escalate their impact. It’s a classic "death by a thousand cuts" scenario where several smaller flaws add up to a full system compromise.
Vulnerability Impact Summary
| Vulnerability ID | Primary Impact | CVSS Score |
|---|---|---|
| CVE-2026-0257 | Unauthorized VPN access | 7.8 |
| CVE-2025-0108 | Management interface bypass | 5.1 |
How to Lock Down Your Environment
Patching is the non-negotiable first step. If you aren't on the latest version of PAN-OS or Prisma Access, you’re leaving the door wide open. But because these vulnerabilities are being actively weaponized, you need to go beyond just hitting the "update" button. You need to harden your configuration.
- Update Immediately: Get your instances to the latest vendor-provided versions. There is no workaround for the underlying code flaw.
- Restrict Management Access: For CVE-2025-0108, the best defense is to stop the management interface from being accessible to the public internet. Restrict access to trusted internal IP addresses only. If you need a refresher on how to do this, check out the official guidance on securing management access.
- Audit GlobalProtect: Take a hard look at your portal and gateway settings. Ensure your authentication override cookies are following security best practices and that your certificate configurations aren't creating an unintentional bypass vector.
- Watch the Logs: Your security team should be hunting for unusual PHP script calls on the management interface. If you have legacy vulnerabilities like CVE-2024-9474 or CVE-2025-0111 still lingering in your environment, you are a prime target for these chained attacks.
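As an added illustration of the last two items above (example code, not from the advisory or from Palo Alto Networks), a small Python triage script: it reads constructed, simplified access-log lines for the management interface, checks each source address against a trusted-network allowlist, and flags requests from outside that allowlist as well as direct .php script calls. The log layout, the network ranges and the request paths are all assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Internal ranges allowed to reach the management interface (assumed allowlist).
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Constructed log format: "<src_ip> <method> <path> <status>". This is not the
# real PAN-OS log layout; adapt the regex to whatever your SIEM exports.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample lines; the paths are placeholders, not real PAN-OS endpoints.
SAMPLE_LOG = """\
10.20.30.40 GET /admin/login 200
10.20.30.40 POST /admin/EXAMPLE_page.php 200
203.0.113.7 GET /admin/login 200
203.0.113.7 GET /admin/EXAMPLE_script.php 200
192.168.50.9 GET /admin/dashboard 200
garbage line that does not parse
"""

def is_trusted(ip: str, nets) -> bool:
    """True if the source address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable address is never treated as trusted
    return any(addr in net for net in nets)

def triage(log_text: str, nets=TRUSTED_MGMT_NETS) -> List[Dict[str, str]]:
    """Flag requests a defender should review: anything from outside the trusted
    ranges (the interface should not be reachable there at all) and any direct
    call to a .php script. Untrusted PHP calls are sorted to the front."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not silently accepted
        ip, path = m["ip"], m["path"]
        trusted, php = is_trusted(ip, nets), path.lower().endswith(".php")
        if trusted and not php:
            continue  # expected traffic from an allowed range
        if not trusted and php:
            reason = "php-script-call-from-untrusted-source"
        elif not trusted:
            reason = "untrusted-source-reached-mgmt-interface"
        else:
            reason = "php-script-call-from-trusted-source"
        findings.append({"ip": ip, "path": path, "reason": reason})
    order = {"php-script-call-from-untrusted-source": 0,
             "untrusted-source-reached-mgmt-interface": 1,
             "php-script-call-from-trusted-source": 2}
    return sorted(findings, key=lambda f: order[f["reason"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:42s} {f['ip']:16s} {f['path']}")
```

Any hit in the first two categories means the management interface is reachable from where it should not be, which is the exposure the restriction step above is meant to remove.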
The CVSS v4.0 scores alone already signal how serious this is, and confirmed active exploitation shortens the window further: the clock is ticking. The combination of unauthenticated access and the ability to execute scripts on management interfaces is a recipe for a total infrastructure collapse.
Keep a close eye on the Palo Alto Networks security portal. This is a fluid situation, and as the investigation into these campaigns continues, more guidance will likely emerge. Don't wait for a breach notification to take action—secure your perimeter now.