CISA Flags Palo Alto Networks PAN-OS Vulnerability as Exploited in
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical Palo Alto Networks PAN-OS vulnerability, adding it to the Known Exploited Vulnerabilities (KEV) catalog. The agency warns this flaw is actively under exploitation in real-world attacks.
The vulnerability affects PAN-OS, the operating system that powers Palo Alto Networks firewalls. It enables attackers to bypass authentication mechanisms and establish unauthorized VPN access.
According to the official CVE record, CVE-2026-0257 is categorized as an authentication bypass issue linked to CWE-565.
The flaw allows remote attackers to circumvent security restrictions without valid credentials, potentially granting them direct access to internal network resources through VPN connections.
This type of weakness is particularly dangerous because it undermines perimeter defenses and enables attackers to operate as legitimate users within enterprise environments.
PAN-OS vulnerability exploited
CISA added the vulnerability to its KEV catalog on May 29, 2026, with a remediation due date of June 1, 2026, for federal agencies.
The inclusion in the KEV list confirms that exploitation has been observed in the wild. However, there is currently no public confirmation linking the flaw to specific ransomware campaigns.
Still, security experts warn that authentication bypass vulnerabilities in network edge devices are frequently targeted by threat actors, including initial access brokers and advanced persistent threat groups.
The impact of this vulnerability is significant, especially for organizations that rely on PAN-OS to secure their remote access infrastructure.
Successful exploitation could allow attackers to gain persistent access, move laterally across networks, and potentially deploy additional malicious payloads.
Given the role of VPN gateways in enterprise environments, exploitation could result in data exfiltration, service disruption, or the further compromise of critical systems.
Palo Alto Networks has issued guidance and mitigation steps to address the vulnerability. Organizations are strongly advised to apply available security updates or patches immediately.
In cases where patches are not yet available or cannot be applied, CISA recommends following vendor-provided mitigation instructions and adhering to Binding Operational Directive (BOD) 22-01 for cloud and network services.
If mitigation is not feasible, discontinuing use of the affected product is advised to reduce exposure to risk.
Security teams should also review authentication logs, monitor VPN access patterns, and investigate any unusual or unauthorized connection attempts.
Indicators of compromise may include unexpected VPN sessions, anomalous login behavior, or access from unfamiliar IP ranges.
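The log review described above, sketched as an added example (not from the original article or from Palo Alto Networks): it flags VPN sessions that have no recent successful authentication or that come from outside expected source ranges. The record schema, sample lines, expected ranges and five-minute window are constructed assumptions, not PAN-OS's native log format.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records in a hypothetical normalized schema
# (not PAN-OS's native log format): timestamp,event,user,src_ip
SAMPLE_LOG = """\
2026-05-30T08:01:10,auth_success,alice,203.0.113.10
2026-05-30T08:01:12,vpn_connect,alice,203.0.113.10
2026-05-30T09:15:00,vpn_connect,bob,198.51.100.77
2026-05-30T10:00:00,auth_success,carol,192.0.2.45
2026-05-30T10:00:03,vpn_connect,carol,192.0.2.45
2026-05-30T11:30:00,auth_success,dave,203.0.113.20
2026-05-30T12:45:00,vpn_connect,dave,203.0.113.20
"""

# Assumption: source ranges the organization expects remote users to come from.
EXPECTED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
AUTH_WINDOW = timedelta(minutes=5)  # max gap between auth and session start


def hunt(log_text, expected_ranges=EXPECTED_RANGES, window=AUTH_WINDOW):
    """Return (timestamp, user, src_ip, reasons) for each suspicious VPN session."""
    last_auth = {}  # (user, src_ip) -> time of most recent successful auth
    findings = []
    # ISO 8601 timestamps sort correctly as strings; skip blank lines.
    rows = sorted((r for r in csv.reader(io.StringIO(log_text)) if r),
                  key=lambda r: r[0])
    for ts, event, user, src in rows:
        when = datetime.fromisoformat(ts)
        if event == "auth_success":
            last_auth[(user, src)] = when
        elif event == "vpn_connect":
            reasons = []
            auth = last_auth.get((user, src))
            # A session with no matching recent login is the pattern an
            # authentication bypass would be expected to leave behind.
            if auth is None or when - auth > window:
                reasons.append("no recent successful authentication")
            if not any(ip_address(src) in net for net in expected_ranges):
                reasons.append("source outside expected ranges")
            if reasons:
                findings.append((ts, user, src, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, src, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {user} {src}: {'; '.join(reasons)}")
```

Findings from a check like this are leads for investigation, since session resumption or a tight window can produce benign hits.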
Proactive threat hunting and network monitoring are essential to detect potential exploitation attempts early. The addition of CVE-2026-0257 to the KEV catalog highlights the ongoing risk posed by vulnerabilities in network security appliances.
As attackers increasingly target edge infrastructure, timely patching and continuous monitoring remain critical to maintaining a secure enterprise environment.