Palo Alto Networks has confirmed that attackers are actively bypassing authentication on firewalls running its PAN-OS and Prisma Access software, a disclosure that prompted both the U.S. National Institute of Standards and Technology and the European Union’s CERT-EU to publish advisories within days of each other in June 2026. The vulnerability, tracked as CVE-2026-0257, lets remote attackers slip past login controls on internet-facing management interfaces, and the vendor says limited exploitation has already been observed in the wild.
Palo Alto Networks is one of the most widely deployed enterprise firewall vendors in the world, with tens of thousands of devices protecting corporate and government networks across every major industry. A flaw at this layer is not a single-application problem. Firewalls govern traffic between trusted internal networks and the open internet, so an attacker who bypasses authentication on the management plane can potentially rewrite security policies, intercept traffic, create rogue admin accounts, or pivot deeper into the environment without triggering the usual alarms.
What the official record shows
Two authoritative channels anchor the disclosure. The NVD entry, published by NIST, classifies CVE-2026-0257 as an authentication bypass and links directly to Palo Alto Networks’ own security advisory as the primary reference. NIST analysts review vulnerability submissions before they are cataloged, so the listing carries institutional weight: the flaw is real, formally classified, and serious enough to be entered into the U.S. government’s official vulnerability database.
Separately, CERT-EU published Security Advisory 2026-006, titled “Critical Vulnerability in PAN-OS,” providing independent public-sector validation and raising the alert level for government agencies and critical infrastructure operators across Europe. The near-simultaneous publication by agencies on two continents points to coordinated disclosure between Palo Alto Networks and major vulnerability-tracking bodies.
It is worth noting that an NVD listing is not the same as a formal alert from the Cybersecurity and Infrastructure Security Agency. As of this writing, CISA has not publicly added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, which would trigger mandatory patching deadlines for U.S. federal agencies. That addition may still come; CISA routinely updates the KEV catalog as exploitation evidence firms up.
What is still missing
Several critical details remain absent from the public record. Neither the NVD entry nor the CERT-EU advisory specifies which PAN-OS versions are vulnerable, whether the flaw affects all deployment modes or only certain configurations, or what exact mechanism attackers are using to get past authentication. The vendor advisory is referenced but not quoted in full by either source, so the precise technical root cause has not been independently described outside Palo Alto Networks’ own documentation.
The phrase “limited exploitation” appears in the disclosure, yet no public source has released indicators of compromise, packet captures, or incident timelines showing how many organizations have been hit or what attackers did after gaining access. NIST’s record cites the vendor advisory but contains no independent reproduction of the exploit. CERT-EU’s advisory summarizes the vendor’s findings rather than presenting original forensic analysis. That means the scope of real-world exploitation rests entirely on Palo Alto Networks’ own assessment at this stage.
Patch availability is another open question. Both the NVD record and CERT-EU advisory reference the vendor’s guidance, but neither confirms a specific software update version that resolves the flaw. Organizations looking for remediation steps will need to consult Palo Alto Networks’ security portal directly until independent testing labs or additional government advisories confirm that a fix is effective and complete.
Why this class of vulnerability is so dangerous
Authentication bypass flaws in perimeter devices have a track record of causing outsized damage. In recent years, similar vulnerabilities in products from Fortinet, Ivanti, and Citrix led to widespread intrusions, including incidents attributed to state-sponsored groups. The pattern is consistent: attackers scan for exposed management interfaces, exploit the bypass before defenders can patch, and establish persistent access that survives routine remediation steps.
Firewalls are particularly high-value targets because compromising one can give an attacker visibility into, and control over, traffic flows across an entire organization. Unlike a vulnerability in a single web application, a firewall bypass can undermine every security control that sits behind it. That is why agencies like NIST and CERT-EU treat these disclosures with urgency, and why defenders should do the same.
What defenders should do now
Even without a confirmed patch version, security teams can take concrete steps to reduce exposure immediately.
Lock down management access. Inventory all PAN-OS and Prisma Access deployments and identify which instances have management interfaces reachable from untrusted networks. Those should be placed behind VPN gateways or dedicated jump hosts, restricted to strict IP allowlists, and monitored with additional logging. If remote management is not operationally required, disable it.
Hunt for signs of compromise. Review authentication logs on affected devices for unusual patterns: successful logins from unfamiliar source addresses, access events without corresponding failed-password entries, or new administrative accounts created outside normal change-control windows. Because CVE-2026-0257 involves bypassing authentication, attackers may appear to log in cleanly without triggering brute-force detection rules.
Prepare for the worst case. Coordinate with incident response teams on the assumption that a firewall compromise may have already occurred. That preparation should include plans to rotate all administrative credentials, validate configuration integrity against known-good baselines, and inspect adjacent systems for lateral movement. Given the central role these devices play, any confirmed breach may warrant a broader network-wide investigation.
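One way to turn the three log-review points above into a repeatable triage check, as an added example that is neither Palo Alto Networks code nor part of the original article: the pipe-delimited log format, the sample entries, the jump-host allowlist and the approved change window are all constructed for illustration, and the parser would need adapting to a real PAN-OS log export.

```python
"""Added example, not Palo Alto Networks code: triage of management-plane
authentication logs for the three review points in the text. The
pipe-delimited format below is constructed and is NOT the real PAN-OS log
format; adapt parse() to your own log export."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample: "timestamp|event|user|source_ip"
SAMPLE_LOG = """\
2026-06-02T09:14:03|auth-fail|admin|203.0.113.7
2026-06-02T09:14:09|auth-success|admin|203.0.113.7
2026-06-02T10:02:41|auth-success|admin|198.51.100.23
2026-06-02T10:03:10|account-create|svc_backup|198.51.100.23
2026-06-02T14:30:00|account-create|auditor2|203.0.113.7
"""
KNOWN_ADMIN_SOURCES = {"203.0.113.7"}       # assumed jump-host allowlist
CHANGE_WINDOW = (time(13, 0), time(17, 0))  # assumed approved change window

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    src: str

def parse(log: str) -> list[Event]:
    """Parse the constructed format into chronologically ordered events."""
    rows = (line.split("|") for line in log.splitlines() if line.strip())
    return [Event(datetime.fromisoformat(ts), kind, user, src)
            for ts, kind, user, src in rows]

def triage(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (indicator, user, src) for: a successful login from a source
    not on the allowlist; a successful login with no earlier failed attempt
    from that source (an auth bypass can look like a clean login and evade
    brute-force rules); an account created outside the change window."""
    findings, failed_sources = [], set()
    for e in events:
        if e.kind == "auth-fail":
            failed_sources.add(e.src)
        elif e.kind == "auth-success":
            if e.src not in KNOWN_ADMIN_SOURCES:
                findings.append(("login-from-unknown-source", e.user, e.src))
            if e.src not in failed_sources:
                findings.append(("clean-login-no-prior-failures", e.user, e.src))
        elif e.kind == "account-create":
            if not CHANGE_WINDOW[0] <= e.ts.time() <= CHANGE_WINDOW[1]:
                findings.append(("account-created-outside-window", e.user, e.src))
    return findings
```

The "clean login" indicator is low-confidence on its own, since legitimate administrators also log in without failing first; it is there to rank which successful logins get reviewed first, not to raise an alert by itself.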
Watch for the next wave of disclosures
The situation is moving quickly. Palo Alto Networks will almost certainly update its advisory with affected version numbers and patch details. CISA may add CVE-2026-0257 to the KEV catalog, which would formalize patching timelines for federal agencies and signal to the private sector that exploitation is confirmed beyond the vendor’s own telemetry. Threat-intelligence firms and managed security providers with their own sensor networks are likely analyzing traffic patterns right now; their findings will either corroborate or narrow the vendor’s “limited exploitation” assessment.
Until that independent confirmation arrives, the safest posture is to treat CVE-2026-0257 as a live, actively exploited threat. The cost of over-reacting to a firewall authentication bypass is a few hours of emergency hardening. The cost of under-reacting could be a full network compromise that takes months to unwind.
*This article was researched with the help of AI, with human editors creating the final content.