
PAN-OS GlobalProtect bug actively exploited, added to CISA’s KEV list


Palo Alto Networks Unit 42 reported active exploitation of a CVSS 7.8 PAN-OS GlobalProtect authentication bypass bug that the Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities (KEV) catalog on May 29.

The Unit 42 researchers noted that no post-access behavior or lateral movement has been identified to date. “Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events,” said the researchers.

Security pros saw this authentication bypass issue as serious because PAN-OS GlobalProtect serves as both a virtual private network (VPN) and a threat prevention tool. While the number of attackers observed so far is limited, some were able to establish VPN sessions on internet-facing edge devices.

Unit 42 advised organizations to hunt using the indicators of activity the researchers posted in a June 9 blog and activate incident response protocols for any successful gateway-connected events linked to those indicators. The researchers also said security teams should review the security advisory for CVE-2026-0257 and follow the available workarounds and mitigations or upgrade to a version that includes a fix for this issue.

Alex Wells, head of product strategy at Hadrian, said the patching process worked exactly as designed: the vendor issued an advisory, released patches, threat intelligence was shared, the media reported it, CISA added it to KEV, and agencies had remediation deadlines.

However, during this time, Wells said organizations remained exposed while active exploitation took place. Simply put, Wells said, now that zero-days are the norm, the system itself no longer works. 

“Organizations should stop assuming their systems are safe until proven otherwise,” said Wells. “They must assume insecurity and have immediate plans, either to patch swiftly or implement controls like lockdowns, especially for critical infrastructure such as VPNs. Vendors, too, need to rethink their disclosure processes. The gap between observing exploitation and issuing alerts must shrink — the current window is too wide.”

Waseem Ahmed, head of engineering at Secure.com, said a 7.8 reads as high, yet not critical, the kind of score that waits behind the 9.8s in most patch queues. But Ahmed said attackers read it differently: they see an unauthenticated bypass straight onto a VPN.

That gap represents the whole problem: CVSS measures theoretical severity, not what adversaries are doing to our edge systems right now, said Ahmed.

“CISA put it on the KEV May 29 with a June 1 deadline, and it's still being exploited,” said Ahmed. “So the warnings worked, the model didn't. You can't out-patch attackers by treating severity scores as a 'to-do list' ranked top to bottom. Prioritize by active exploitation and exposure, not the number: an internet-facing VPN under live attack jumps the queue, whether it's a 7.8 or a 9.8.”

Ani Ursry, threat intelligence analyst at Blackpoint Cyber, said this CVE reminds us that knowing about a vulnerability and remediating it are two very different things. Ursry said many organizations still struggle with asset visibility, change management processes, maintenance windows, and competing priorities, which lead to delays in remediation even when exploitation is publicly known.

“Threat actors understand this gap and routinely target vulnerabilities during the period between disclosure and widespread patch adoption,” said Ursry. “CVSS is useful for understanding technical impact, but it should not be the sole factor driving prioritization decisions. Once a vulnerability is being actively exploited in the wild, real-world attacker behavior becomes one of the most important risk indicators, often making exploitation status more relevant than the numerical score itself.”
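The prioritization rule Ahmed and Ursry describe (exploitation status and exposure first, CVSS only as a tie-breaker) is easy to state and easy to get wrong in a ticket queue. The following is an added example, not code from the article, from Unit 42 or from any of the quoted vendors. It joins a constructed asset inventory against a JSON excerpt shaped like CISA's published KEV feed (the field names cveID, dateAdded and dueDate are the feed's; the entry values, the placeholder CVE-0000-000x identifiers, the hostnames, the CVSS scores and the "today" date are all assumptions made up for the example) and orders the work so that the 7.8 on the exposed VPN gateway lands above a 9.8 on an internal host that nobody is exploiting.

```python
"""Rank vulnerability findings by exploitation status and exposure, not CVSS alone.

Added example: joins an asset inventory against the shape of CISA's KEV JSON
feed and orders remediation so an actively exploited flaw on an internet-facing
VPN gateway outranks a higher-scored flaw that is not being exploited.
"""
import json
from datetime import date

# Constructed excerpt using the field names CISA publishes in its KEV JSON
# (cveID, dateAdded, dueDate, ...). The values are sample data for this
# example only; the dates mirror the KEV listing and deadline the article cites.
KEV_FEED_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2026-0257",
     "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2026-05-29", "dueDate": "2026-06-01",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed findings from a hypothetical scanner/inventory join.
# CVE-0000-000x are placeholders, not real identifiers.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "asset": "db-internal-07",
     "internet_facing": False},
    {"cve": "CVE-0000-0002", "cvss": 9.1, "asset": "www-edge-03",
     "internet_facing": True},
    {"cve": "CVE-2026-0257", "cvss": 7.8, "asset": "vpn-gw-01",
     "internet_facing": True},
]

# Assumed "current date" for the overdue calculation (constructed).
TODAY = date(2026, 6, 9)


def load_kev(feed_json):
    """Map cveID -> ISO dueDate string from a KEV-shaped JSON document."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v["dueDate"] for v in feed["vulnerabilities"]}


def priority_tier(finding, kev):
    """Lower is more urgent. Exploitation and exposure decide the tier;
    the CVSS number only breaks ties within a tier."""
    if finding["cve"] in kev:
        # Known exploited: exposed hosts first, then everything else on KEV.
        return 0 if finding["internet_facing"] else 1
    if finding["cvss"] >= 9.0 and finding["internet_facing"]:
        # Critical score on the edge, but no exploitation observed yet.
        return 2
    return 3


def rank_findings(findings, kev_json, today):
    """Return findings ordered by (tier, -cvss), annotated with KEV deadline status."""
    kev = load_kev(kev_json)
    ranked = []
    for f in findings:
        entry = dict(f)
        entry["tier"] = priority_tier(f, kev)
        due = kev.get(f["cve"])
        entry["kev_due"] = due
        # Positive days_overdue means the CISA remediation deadline has passed.
        entry["days_overdue"] = (today - date.fromisoformat(due)).days if due else None
        ranked.append(entry)
    ranked.sort(key=lambda e: (e["tier"], -e["cvss"]))
    return ranked


if __name__ == "__main__":
    for e in rank_findings(FINDINGS, KEV_FEED_JSON, TODAY):
        overdue = e["days_overdue"]
        flag = f"KEV overdue by {overdue}d" if overdue is not None and overdue > 0 else ""
        print(f"tier {e['tier']}  {e['cve']:14} cvss {e['cvss']:<4} {e['asset']:15} {flag}")
```

Run as written, the queue comes out as CVE-2026-0257 on vpn-gw-01 (tier 0, eight days past the constructed deadline), then the 9.1 on the exposed web server, then the 9.8 on the internal database host last. Swapping the sort key to plain `-cvss` reproduces the ordering the article criticizes. In practice the KEV lookup would read the live feed rather than an inline string, and the exposure flag should come from the same attack-surface inventory the organization already trusts, not from a hand-maintained field.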

Agnidipta Sarkar, chief evangelist at ColorTokens, said that beyond simply patching, organizations should implement microsegmentation so that critical assets are unreachable, use agentless EDR versions that can be deployed in hours, and disable authentication override cookies unless they are strictly necessary for business operations.

“This completely removes the attack vector,” said Sarkar. “Generate a dedicated certificate exclusively for authentication override cookie encryption/decryption. Then ensure it’s never reused for the GlobalProtect HTTPS portal, gateway, or any other feature.”
