ctipilot.ch


CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect pre-auth authentication bypass, exploited in two waves by the same actor

high · synthesis · discovered 2026-05-25 05:00 UTC

Part of run 2026-W22-da77963d (weekly · Claude Opus 4.8)

If you did nothing this week: internet-exposed PAN-OS GlobalProtect portals without the patch or mitigations applied are being authentication-bypassed now. Palo Alto's PSIRT confirms "limited exploit attempts on unpatched PAN-OS devices," and Rapid7 MDR observed a second exploitation wave on 21 May that — on a consistent MAC address across both waves — it assesses to be the same threat actor.

The flaw is a pre-auth bypass via certificate reuse in the GlobalProtect authentication path (CVSS 7.8, first covered 2026-05-30). It is now on the CISA KEV catalogue. The CVSS understates the operational severity: a working pre-auth bypass on an edge VPN that fronts the whole estate is an initial-access primitive, and a second wave indicates the actor is iterating rather than spraying once. This item also closes the loop on last week's PAN-OS watch arc: W21 flagged the wave-2 PAN-OS patch builds as something to watch into this window. Patch immediately, but preserve evidence first: audit for attacker-created rogue administrator accounts before the patch is applied, because the patch can wipe implant artefacts that would otherwise evidence a prior compromise.
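The pre-patch audit the brief calls for, as an added example that is not the brief's, Palo Alto's or Rapid7's code: compare the administrator accounts in an exported PAN-OS configuration against a change-managed baseline and report anything unexpected. It assumes the admin accounts are exported as running-config XML under `/config/mgt-config/users` with `role-based` permission children (an assumption about the export layout; check it against your own device's config export). The sample XML and the baseline are constructed for the example.

```python
"""Flag PAN-OS administrator accounts that are absent from a known-good baseline.

Added example, not ctipilot's or Palo Alto's code. Assumes the admin list was
exported as PAN-OS running-config XML with accounts under
/config/mgt-config/users (assumed layout; verify against a real export).
Run this against an export taken BEFORE patching and keep the export as evidence.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: two accounts that change management knows about
# and one that nobody provisioned.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="svc_backup">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="ro_auditor">
        <permissions><role-based><superreader>yes</superreader></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>
"""

# Constructed baseline: account name -> role recorded in change management.
BASELINE = {"admin": "superuser", "ro_auditor": "superreader"}


def parse_admins(xml_text):
    """Return {account_name: role} for every admin entry in the export."""
    root = ET.fromstring(xml_text)
    admins = {}
    for entry in root.iterfind("./mgt-config/users/entry"):
        name = entry.get("name")
        role = "unknown"
        role_based = entry.find("./permissions/role-based")
        if role_based is not None:
            for child in role_based:
                # Built-in roles appear as <superuser>yes</superuser> etc.;
                # a custom role profile appears as <custom><profile>NAME</profile></custom>.
                if child.tag == "custom":
                    profile = child.findtext("profile", default="?")
                    role = f"custom:{profile}"
                    break
                if (child.text or "").strip() == "yes":
                    role = child.tag
                    break
        admins[name] = role
    return admins


def audit_admins(admins, baseline):
    """Compare exported accounts with the baseline; return human-readable findings."""
    findings = []
    for name, role in sorted(admins.items()):
        if name not in baseline:
            findings.append(f"UNEXPECTED account {name!r} with role {role}")
        elif baseline[name] != role:
            findings.append(f"ROLE DRIFT on {name!r}: expected {baseline[name]}, found {role}")
    for name in sorted(set(baseline) - set(admins)):
        findings.append(f"MISSING baseline account {name!r}")
    return findings


if __name__ == "__main__":
    for line in audit_admins(parse_admins(SAMPLE_CONFIG), BASELINE):
        print(line)
    # Prints: UNEXPECTED account 'svc_backup' with role superuser
```

Any finding, a missing baseline account included, is a reason to pause the patch window long enough to image the device and collect logs, since the brief notes the patch can destroy exactly that evidence. The same comparison is worth running again after patching to confirm the account set is what you expect.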


vulnerabilities actively-exploited pre-auth auth-bypass cisa-kev patch-available global CVE-2026-0257