PAN-OS authentication bypass bug added to list of exploited vulnerabilities

June 1, 2026

By Steve Zurier

An exploited Palo Alto Networks PAN-OS authentication bypass vulnerability that was originally rated 4.7, then 7.8, has been upgraded to 9.1 after it was found to be exploited in the wild and attackers could leverage it to gain VPN access. This case is a good example of why defenders should focus on the vulnerability actually at play rather than on the CVSS score alone.

“The scoring movement here is a good reminder that we should use CVSS as a tool, not the whole risk conversation, and this one was easy to misread for those not living in vulnerability scoring every day,” said Douglas McKee, director of vulnerability intelligence at Rapid7. “Our understanding of the risk changed once exploitation showed up in the real world, and this is an unauthenticated, network reachable GlobalProtect portal and gateway issue that can allow an attacker to establish an unauthorized VPN connection.”

Over the past few weeks, a combination of the following factors led to the upgrade by the National Vulnerability Database (NVD): a May 13 advisory on the bug by Palo Alto; confirmation by Rapid7 on May 29 that the bug was exploited in the wild; and, also on May 29, the Cybersecurity and Infrastructure Security Agency (CISA) adding CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog.

McKee explained that the original Palo Alto score was 4.7 using CVSS 4.0, then it moved to 7.8 using CVSS 4.0, while NIST now shows 9.1 using CVSS 3.1.

“Those are not perfectly apples to apples numbers,” said McKee. “They are different versions of the scoring system, with different ways of modeling impact and exploitability.”

Agnidipta Sarkar, chief evangelist at ColorTokens, pointed out that CVE-2026-0257 represents a textbook example of why CVSS scores should not drive patch prioritization in isolation.
“Swift action by the NVD has resulted in an upgrade to a 9.1 critical rating for an authentication bypass on an internet-facing VPN appliance, weaponized within days of disclosure and now under active exploitation by a persistent threat actor, demands immediate action regardless of its label,” said Sarkar.

Sarkar said the flaw is trivially easy to exploit because it requires no credentials, no brute force, no social engineering and no malware: an attacker simply connects, and the enterprise edge becomes a side door into the network.

“No one is actually watching, because it grants an attacker a legitimate VPN session, often with an internal IP address and direct access to the corporate network,” said Sarkar. “It’s also difficult to spot. Because the forged cookie is decrypted and trusted by the appliance, the authentication appears as a legitimate ‘Cookie’ login in GlobalProtect logs.”

Adrian Culley, senior sales engineer at SafeBreach, added that the bigger concern here is not the CVSS score itself, but the fact that exploitation has already occurred in the wild. Culley said security teams should identify exposed PAN-OS devices, apply vendor patches, review authentication and VPN access logs for suspicious activity, and validate whether an attacker who successfully exploits the flaw could move deeper into the environment.

“History has shown that even medium-severity vulnerabilities can become high-impact incidents when they affect critical perimeter systems,” said Culley. “This is a good reminder that organizations need to validate whether compensating controls and segmentation actually stop post-compromise activity, rather than assuming patching alone eliminates risk.”
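Sarkar’s observation that a forged cookie shows up as an ordinary ‘Cookie’ login, together with Culley’s advice to review VPN access logs, suggests one triage check defenders can run: look for successful Cookie logins that no earlier interactive login by the same user from the same source address can explain. The script below is an added example, not code from the article or from Palo Alto Networks; the CSV-style event layout and the sample events are constructed for illustration and are not the real PAN-OS log format.

```python
"""Triage of successful 'Cookie' logins in GlobalProtect-style auth events.
A forged-cookie session looks like a normal Cookie login, so the signal used
here is a Cookie login with no prior interactive login from the same source.
The CSV layout below is constructed for this example, not PAN-OS's export."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp,user,source_ip,auth_method,status
SAMPLE_LOG = """\
2026-05-28T08:01:10Z,alice,203.0.113.10,LDAP,success
2026-05-28T08:03:15Z,alice,203.0.113.10,Cookie,success
2026-05-28T09:12:40Z,bob,198.51.100.7,Cookie,success
2026-05-28T09:30:00Z,carol,203.0.113.44,SAML,success
2026-05-28T10:00:00Z,dave,203.0.113.77,Cookie,failure
2026-05-28T11:45:05Z,carol,192.0.2.99,Cookie,success
"""


def parse_events(text):
    """Parse the constructed CSV layout into dicts with a tz-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, method, status = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "src": src, "method": method, "status": status,
        })
    return events


def find_unanchored_cookie_logins(events):
    """Return (user, source_ip, iso_timestamp) for each successful Cookie login
    with no earlier successful non-Cookie login by that user from that source.
    alice is not flagged (LDAP login from the same IP came first); bob has no
    interactive login at all and carol's Cookie login uses a new address."""
    interactive_sources = defaultdict(set)  # user -> IPs seen with credentials
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] != "success":
            continue  # failed attempts neither anchor nor trigger anything
        if ev["method"] == "Cookie":
            if ev["src"] not in interactive_sources[ev["user"]]:
                flagged.append((ev["user"], ev["src"], ev["ts"].isoformat()))
        else:
            interactive_sources[ev["user"]].add(ev["src"])
    return flagged
```

Flagged entries are review candidates, not verdicts: a user who logged in interactively from a different address earlier in the day (carol above) is flagged precisely because the forged-cookie case described in the article would look the same.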