Threats / Palo Alto Networks / CVE-2026-0257

CVE-2026-0257 · EUVD no mirror located · GCVE no mirror located Verified 2026-06-06

Palo Alto Networks PAN-OS vulnerability

Palo Alto Networks PAN-OS contains an authentication bypass vulnerability allowing attackers to establish unauthorized VPN connections and bypass security restrictions.

Verdict

Today item — known-exploited.

An authentication bypass in PAN-OS enables unauthenticated threat actors to circumvent access controls and establish VPN sessions without valid credentials. Active exploitation in the wild increases operational risk for affected organizations.

CISA KEV Yes · 2026-05-29³EPSS 0.4785 (verify live)⁴

Is it exploitable?

— the evidence, ranked above the score

Exploited in the wild

Listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-05-29).

CISA KEV ↗Confirmed

Probability (EPSS)

EPSS 0.4785 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.

FIRST EPSS ↗High

Severity / affected

Affected: Palo Alto Networks, PAN-OS. Confirm exact fixed builds in the vendor advisory.

NVD ↗Reported

Weakness (CWE)

Mapped to CWE-565 Reliance on Cookies — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.

NVD ↗Reported

WeaknessCWE-565 · Reliance on CookiesAuthentication

Who’s exploiting it?

— attribution turns risk into urgency

Attribution not established

No threat-actor attribution is established from the public feed for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.

Why it matters

— the attack path, told twice: adversary, then board

Front door — unauthenticated access narrative 1

Attacker

I craft a malicious request that bypasses the VPN authentication mechanism in PAN-OS.

Business

Unauthorized remote access to the network perimeter is established, creating an entry point for lateral movement and data exfiltration.

Keys to the kingdom — privilege/identity takeover narrative 2

Attacker

I establish a VPN session without providing valid credentials, gaining network access as an authenticated user.

Business

Internal network resources become accessible to external threat actors, elevating exposure to compromise of sensitive systems and data.

Lateral reach — past segmentation narrative 3

Attacker

I move laterally within the network to identify and compromise high-value targets.

Business

Critical infrastructure, intellectual property, and customer data face direct risk of theft, manipulation, or destruction.

What to do

— defensible action

Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.¹

Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.

Coverage & confidence

— what we know, and what we don’t

Established (cited)

KEV listing (CISA)

EPSS probability (FIRST)

CWE weakness mapping (NVD)

Catalogued by palo_alto (CNA)

Named finder/reporter credit (CVE.org)

Coverage gaps — stated, not hidden

No EUVD / GCVE mirror in feed — single-authority dependency for the identifier.

EPSS & exposure are time-varying; verify live at the source.

Threat-actor attribution not established from feed data — absence of a name is not absence of compromise.

Disclosure & credit²

Catalogued by palo_altoCNA

Credited with finding itPalo Alto Networks thanks our internal security research teams for discovering and reporting this issue.other