🔐 PAN-OS Exploit: Enterprise Credential Security Under Attack
On May 29, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog — ordering Federal Civilian Executive Branch agencies to patch a critical authentication bypass in Palo Alto Networks PAN-OS GlobalProtect by June 1. The same day, Palo Alto confirmed that the vulnerability was under active exploitation in the wild.
CVE-2026-0257 (CVSS score: 7.8) allows an unauthenticated attacker to bypass security restrictions on GlobalProtect portal and gateway configurations, establish unauthorized VPN connections, and gain access to the internal enterprise network. For financial institutions, banks, and regulated enterprises that rely on these firewalls for perimeter security, this is not just a patch management issue — it is a direct threat to the credential security and network integrity that protects customer assets and sensitive financial data.
What Is CVE-2026-0257? The Authentication Bypass Explained
CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS software when the GlobalProtect portal or gateway is configured with authentication override cookies enabled and a specific certificate configuration exists. The vulnerability allows an attacker to bypass security restrictions and establish an unauthorized VPN connection without valid credentials.
Palo Alto Networks disclosed the vulnerability on May 13, 2026, and released patches for all affected PAN-OS versions. However, on May 29, the company updated its advisory to confirm that exploit attempts had been detected against unpatched devices that had not applied mitigations.
Key details of the vulnerability:
- Vulnerability: CVE-2026-0257 — GlobalProtect portal/gateway authentication bypass
- CVSS Score: 7.8 (High) — the severity reflects the ease of exploitation and the network access granted
- Exploitation Timeline: First wave detected May 17; second wave May 21 — both attributed to the same threat actor
- CISA Deadline: June 1, 2026 — all federal agencies must patch by today
- Affected Systems: PAN-OS firewalls with GlobalProtect portal or gateway, authentication override cookies enabled, and specific certificate configuration
- Impact: Unauthorized VPN session establishment grants attackers internal network access
The exploitation was first reported by Rapid7, which identified successful exploitation across numerous customers. The cybersecurity vendor noted that the second wave of attacks involved actual VPN IP assignment following cookie authentication in two cases, granting the attacker access to the internal network. While no follow-on malicious activity was detected in those environments, the access itself represents a severe compromise of the enterprise security perimeter.
This vulnerability follows a troubling pattern of authentication-focused exploits targeting enterprise edge devices. In the same week, Arctic Wolf reported continued weaponization of a critical FortiClient Endpoint Management Server vulnerability (CVE-2026-35616, CVSS 9.1) being used to deploy credential-stealing malware called EKZ Infostealer. Together, these incidents paint a clear picture: attackers are systematically targeting authentication mechanisms at the network edge.
Why This Matters for Financial Institutions and Regulated Enterprises
For banks, credit unions, investment firms, and insurance companies, a VPN represents more than just remote access — it is the authentication gateway through which employees access customer financial data, trading platforms, payment systems, and compliance reporting tools. An authentication bypass at this level means an attacker can navigate the internal network as though they were an authorized employee.
The Verizon 2026 Data Breach Investigations Report found that nearly 80% of web application breaches involve stolen or weak credentials. But CVE-2026-0257 is different: it does not require stolen credentials at all. The bypass operates at the authentication layer itself, meaning even organizations with strong password policies and multi-factor authentication (MFA) can be compromised if their GlobalProtect configuration exposes this path.
This has direct implications for regulatory compliance. Financial institutions subject to PCI-DSS v4.0 requirements must maintain strict access controls over any system that processes, stores, or transmits cardholder data. Our full guide to PCI-DSS v4.0 password requirements for financial accounts covers the 12-character minimum, breach corpus checking, and access control standards that apply here. But none of these standards protect against an authentication bypass that entirely skips the credential verification step.
The Authentication Paradox: When Bypasses Trump Strong Passwords
One of the most concerning aspects of CVE-2026-0257 is that it exposes a fundamental weakness in how enterprises think about authentication security. Most organizations invest heavily in password policies, MFA deployment, and credential management — and rightly so. But authentication bypass vulnerabilities like this one render those investments irrelevant because the attacker never needs to present a credential in the first place.
The security industry has spent years telling users to create stronger passwords, enable two-factor authentication, and use password managers. These are essential practices, but they assume the authentication system works as designed. When a vulnerability allows an attacker to skip authentication entirely, all the strong passwords in the world provide no protection.
This is why a layered security strategy — sometimes called defense in depth — is critical for enterprises. For most organizations, this starts with a robust three-tier password strategy that categorizes credentials into high-security, medium-security, and low-risk tiers, but the strategy must extend across the entire enterprise security stack:
- Tier 1 — Perimeter Security: Firewalls, VPNs, and network access controls must be patched and configured correctly. Authentication bypass vulnerabilities at this level expose everything behind them.
- Tier 2 — Authentication and Access Control: Strong password policies, MFA, and role-based access control limit what an attacker can do even if they breach the perimeter.
- Tier 3 — Credential Management: Enterprise password managers with policy enforcement, breach detection, and credential rotation ensure that even if credentials are exposed, the blast radius is contained.
For the PAN-OS GlobalProtect bypass, the immediate fix is patching. Palo Alto Networks has released patches for all affected versions. For organizations that cannot patch immediately, the temporary mitigations are to either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature.
Enterprise Password Policies: Your Last Line of Defense
While an authentication bypass skips credential checks entirely, strong enterprise password policies remain essential for limiting what happens after the bypass. Once an attacker gains VPN access to the internal network, the next step is almost always credential theft — extracting password hashes, scanning for stored credentials, and attempting lateral movement using default or weak passwords.
The National Institute of Standards and Technology (NIST) updated its digital identity guidelines (NIST SP 800-63B) to emphasize that length trumps complexity for password security. The guidance recommends minimum 16-character passwords for all user accounts, and explicitly advises against periodic password rotation. Organizations should:
- Enforce minimum password length of 16 characters — not the outdated 8-character standard that remains common across many enterprises. A 16-character password provides exponentially more entropy and resistance to brute-force attacks.
- Deploy enterprise password managers — solutions like Keeper Business and Dashlane Business enforce password policies at scale, generate cryptographically random credentials, and provide automated breach detection across employee accounts.
- Implement FIPS-compliant password generation — for organizations subject to federal compliance requirements, the password generation process must meet FIPS 140-2 or FIPS 140-3 standards for cryptographic strength. The Titan Passwords generator meets these standards for enterprise use.
- Use hardware security keys for MFA — hardware keys (FIDO2/U2F) authenticate directly via USB or NFC without depending on any cloud service. For a detailed comparison of MFA methods for financial accounts, see our guide to MFA for financial accounts: hardware keys vs TOTP vs SMS.
- Conduct regular credential audits — use breach-corpus checking to identify passwords that have been exposed in known data breaches. The PCI-DSS v4.0 now requires this as part of its password security recommendations.
For financial institutions, the Financial Conduct Authority (FCA) and the European Banking Authority (EBA) have published specific guidance on operational resilience that includes credential management. Organizations should review their NIST SP 800-53 controls and ensure authentication mechanisms are covered by incident response plans. Our incident response guide for compromised financial accounts provides a step-by-step checklist.
Patch Management: The CISA June 1 Deadline
CISA added CVE-2026-0257 to its KEV catalog on May 29, 2026, giving federal agencies until June 1 — today — to patch the vulnerability. While the KEV catalog is a federal requirement, it serves as a benchmark for all organizations: if the vulnerability is severe enough for CISA to mandate patching within three days, every enterprise should treat it with the same urgency.
For organizations that use Palo Alto firewalls, the patching process should be treated as a critical priority:
- Identify all PAN-OS devices with GlobalProtect portal or gateway enabled
- Check if authentication override cookies are enabled in the configuration
- Apply the latest PAN-OS security patch from Palo Alto Networks
- If patching is delayed, disable authentication override as an immediate mitigation
- Generate a new certificate exclusively for the authentication override feature if it cannot be disabled
- Monitor VPN logs for unauthorized authentication attempts
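As an added detection example for the last step (not code from the article or from Palo Alto Networks), the following Python flags GlobalProtect gateway logins admitted via an authentication-override cookie for a user who has no successful credential login in the lookback window. The log format, field names and sample lines are constructed and simplified; real PAN-OS GlobalProtect exports use different fields and must be mapped onto these before the logic is reused.

```python
"""Added example: find cookie-based GlobalProtect logins that no recent
credential login by the same user can explain.  Authentication-override
cookies are normally issued only after a credential login, so a cookie
login with no such history is worth an analyst's attention."""
from datetime import datetime, timedelta

# Constructed sample log lines (simplified format, not real PAN-OS output):
# <timestamp> <event> user=<name> src=<client ip> auth=<credential|cookie>
SAMPLE_LOGS = """\
2026-05-20T08:01:00Z gateway-login user=alice src=203.0.113.10 auth=credential
2026-05-20T08:01:05Z gateway-login user=alice src=203.0.113.10 auth=cookie
2026-05-21T03:14:00Z gateway-login user=bob src=198.51.100.7 auth=cookie
2026-05-21T03:15:30Z gateway-login user=svc-backup src=198.51.100.7 auth=cookie
2026-05-21T09:00:00Z gateway-login user=carol src=203.0.113.44 auth=credential
"""


def parse_line(line):
    """Split one constructed log line into a dict of fields plus a datetime."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def find_unbacked_cookie_logins(log_text, lookback=timedelta(days=7)):
    """Return (user, src, iso_timestamp) for every cookie login that is not
    preceded by a credential login of the same user within `lookback`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    last_credential_login = {}  # user -> timestamp of most recent credential auth
    suspicious = []
    for e in events:
        if e["event"] != "gateway-login":
            continue
        if e["auth"] == "credential":
            last_credential_login[e["user"]] = e["ts"]
        elif e["auth"] == "cookie":
            prior = last_credential_login.get(e["user"])
            if prior is None or e["ts"] - prior > lookback:
                suspicious.append((e["user"], e["src"], e["ts"].isoformat()))
    return suspicious


if __name__ == "__main__":
    for hit in find_unbacked_cookie_logins(SAMPLE_LOGS):
        print("cookie login without recent credential auth:", hit)
```

Run over a full export rather than a rolling slice, since the lookback needs the credential logins that precede each cookie login to be present in the same input.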
Rapid7 has published a detailed technical analysis of the exploitation patterns observed in the wild. The cybersecurity vendor noted that the earliest exploitation attempts date back to May 17, 2026 — meaning attackers had already weaponized the vulnerability within four days of the advisory being published. This aligns with a broader trend: the time between vulnerability disclosure and exploitation is shrinking dramatically, driven in part by AI-assisted attack automation.
Organizations in India have received guidance from CERT-In to patch actively exploited vulnerabilities within 12 hours where feasible, reflecting the speed at which threats now materialize. The agency warned that AI-assisted attacks are compressing the gap between disclosure and exploitation, and recommended 24-hour remediation for critical externally exposed vulnerabilities.
For enterprises that rely on virtual private network connections for remote access, this patch urgency is compounded by the nature of the vulnerability. Unlike a client-side vulnerability that requires user interaction, CVE-2026-0257 operates server-side and can be exploited remotely without any action from employees. This makes it a prime candidate for automated scanning and mass exploitation campaigns.
Building a Credential-Secure Enterprise: Beyond Patching
Patching CVE-2026-0257 is the immediate priority, but financial institutions and regulated enterprises should use this incident as a catalyst for broader credential security improvements. The fundamental lesson of the PAN-OS GlobalProtect bypass is that authentication mechanisms — even from trusted vendors — can fail at the protocol level, and organizations need layered defenses that protect credentials regardless of how the attacker enters the network.
For enterprise password management: Solutions like Keeper Business provide FIPS 140-2 validated encryption, mandatory MFA enforcement, and automated password rotation for service accounts. When an attacker gains internal network access through a VPN bypass, a properly deployed enterprise password manager prevents them from extracting usable credentials from configuration files, scripts, and shared documents. The Kaspersky Enterprise Security suite adds endpoint protection and credential-theft detection as an additional layer.
For VPN and remote access security: When employees connect to enterprise networks from public or untrusted Wi-Fi — such as hotel networks during business travel — a secondary VPN layer provides defense against network-level attacks that could expose credentials even before they reach the corporate VPN gateway. Hide My Name VPN encrypts the connection between the employee device and the internet, ensuring that pre-VPN traffic is not exposed to network-level snooping or man-in-the-middle attacks.
FAQs
Does CVE-2026-0257 affect all Palo Alto firewalls?
No. The vulnerability specifically affects PAN-OS firewalls where the GlobalProtect portal or gateway is configured with authentication override cookies enabled AND a specific certificate configuration exists. Organizations that do not use GlobalProtect, do not have authentication override enabled, or have a different certificate configuration are not affected.
Is the PAN-OS bypass being actively exploited?
Yes. Palo Alto Networks confirmed active exploitation attempts on May 29, 2026. Rapid7 identified two waves of exploitation dating back to May 17, with the second wave on May 21 successfully establishing VPN sessions in at least two customer environments. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 29.
Can MFA protect against this authentication bypass?
No. CVE-2026-0257 is an authentication bypass, meaning it allows an attacker to establish a VPN session without providing any credentials at all. Since the attacker never reaches the MFA step, MFA provides no protection against this specific exploit. This is why patching is critical regardless of MFA deployment.
What is the difference between CVE-2026-0257 and the FortiClient EMS vulnerability?
Both target enterprise edge devices but in different ways. CVE-2026-0257 (PAN-OS, CVSS 7.8) is an authentication bypass that grants VPN access without credentials. CVE-2026-35616 (FortiClient EMS, CVSS 9.1) is a critical vulnerability being exploited to deliver credential-stealing malware (EKZ Infostealer) to compromised systems. Together, they illustrate that enterprise authentication infrastructure is under coordinated attack.
What should financial institutions do beyond patching?
Beyond applying the PAN-OS patch, financial institutions should audit their entire authentication infrastructure for similar bypass risks, ensure enterprise password managers are enforced with mandatory MFA for all administrator accounts, review certificate configurations on all edge devices, and verify that incident response plans cover authentication bypass scenarios. The PCI-DSS v4.0 requirements for access control and credential management provide a useful framework for this audit.
Bottom Line
CVE-2026-0257 is a stark reminder that enterprise security depends on more than strong passwords and comprehensive MFA deployment. Authentication infrastructure itself can be compromised, and when it is, every credential behind that gateway is at risk. For financial institutions and regulated enterprises, the path forward is clear: patch immediately, diversify authentication mechanisms, and ensure that enterprise credential management is robust enough to contain the damage when perimeter defenses are breached.
To generate strong, FIPS-compliant passwords for your organization, use the Titan Passwords FIPS-compliant password generator.
This page contains affiliate links. If you purchase through these links, we may earn a commission at no extra cost to you.