The flaw allows attackers to establish unauthorized VPN access into corporate networks and is being actively exploited in the wild. Rapid7 observed successful exploitation across numerous customers, with attackers beginning to exploit the bug as early as May 17, four days after Palo Alto published fixes. The vulnerability enables a fully credential-less authentication bypass, allowing attackers to create a forged cookie using a publicly available public key to establish a VPN session without malware or stolen credentials.

| Vendor | Product | Versions |
|---|---|---|
| palo alto networks | pan-os | 12.1.0, 11.2.0, 11.1.0, 10.2.0, 12.1, 11.2, 11.1, 10.2, Prisma Access 10.2, Prisma Access 11.2, Prisma Access 11.2.0, Prisma Access 10.2.0 |

Downstream vendors/products affected by this vulnerability

| Vendor | Product | Source | Confidence |
|---|---|---|---|
| palo alto networks | pan-os | cert_advisory | 90% |
| palo alto networks | prisma_access | cve_cpe | 95% |

- Updated description with significant technical details, changed severity to CRITICAL, and added new CWE-287.
- Updated affected versions with Prisma Access versions, added new IoCs, and included the tag for Known Exploited Vulnerabilities.
- Updated description with details on exploitation attempts and added CVE-2026-0257 as a tag.
- Updated severity to HIGH, CVSS score to 7.8, and added new affected versions including Prisma Access.
- Updated severity to HIGH, marked exploit as available, and added KEV tag.
- Updated severity to HIGH, confirmed active exploitation, and added new IoCs related to the attacks.
- Updated description with detailed exploitation information, changed severity to CRITICAL, added CVSS estimate of 7.5, and included new IoCs and tags.
- Updated description with critical vulnerability details, changed severity to CRITICAL, and noted that no exploit exists.
- Initial creation