Latest Palo Alto Networks vulnerability: CVE-2026-0257 #

Palo Alto Networks (PAN) has disclosed that certain versions of PAN-OS are affected by an authentication bypass vulnerability in the GlobalProtect portal and gateway. Successful exploitation allows a remote, unauthenticated attacker to bypass security restrictions, establish an unauthorized VPN connection, and gain access to restricted networks. The vulnerability has been designated CVE-2026-0257 and has been rated high with a CVSS score of 7.8.

There is evidence that this vulnerability is being actively exploited in the wild. Note that the Rapid Response released on May 13, 2026 covered many of the affected versions of PAN-OS, but CVE-2026-0257 is somewhat more expansive in scope than CVE-2026-0263, and more versions are affected.

The following versions are affected:

  • PAN-OS 12.1: Versions 12.1.5 through 12.1.6, and 12.1.2 through 12.1.4-h*.
  • PAN-OS 11.2: Versions 11.2.11 or later, 11.2.8 through 11.2.10-h*, 11.2.5 through 11.2.7-h*, and 11.2.0 through 11.2.4-h*.
  • PAN-OS 11.1: Versions 11.1.14 or later, 11.1.11 through 11.1.13-h*, 11.1.8 through 11.1.10-h*, 11.1.7 through 11.1.7-h*, 11.1.5 through 11.1.6-h*, and 11.1.0 through 11.1.4-h*.
  • PAN-OS 10.2: Versions 10.2.17 through 10.2.18-h*, 10.2.14 through 10.2.16-h*, 10.2.11 through 10.2.13-h*, 10.2.8 through 10.2.10-h*, and 10.2.0 through 10.2.7-h*.

Note: It is possible that older, unsupported PAN-OS versions are also vulnerable, but this has not been confirmed.

What is Palo Alto Networks PAN-OS? #

PAN-OS is the proprietary operating system that powers all Palo Alto Networks Next-Generation Firewalls (NGFW) across physical, virtual, and cloud environments. It uses a Single-Pass Parallel Processing (SP3) architecture to provide deep visibility and control over network traffic by identifying applications, users, and content simultaneously.

What is the impact? #

Successful exploitation of the vulnerability would allow an attacker to establish an unauthorized VPN connection and gain access to protected networks.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

  • PAN-OS 12.1: Upgrade to version 12.1.4-h6, 12.1.7, or later.
  • PAN-OS 11.2: Upgrade to version 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12, or later.
  • PAN-OS 11.1: Upgrade to version 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15, or later.
  • PAN-OS 10.2: Upgrade to version 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6, or later.
  • All older, unsupported PAN-OS versions: Upgrade to a supported, fixed version.

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND
  ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR
  (os_version:>="12.1.2" AND os_version:<"12.1.4-h6") OR
  (os_version:>="11.2.11" AND os_version:<"11.2.12") OR
  (os_version:>="11.2.8" AND os_version:<"11.2.10-h7") OR
  (os_version:>="11.2.5" AND os_version:<"11.2.7-h14") OR
  (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR
  (os_version:>="11.1.14" AND os_version:<"11.1.15") OR
  (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR
  (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR
  (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR
  (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR
  (os_version:>="11.1.0" AND os_version:<"11.1.4-h33") OR
  (os_version:>="10.2.17" AND os_version:<"10.2.18-h6") OR
  (os_version:>="10.2.14" AND os_version:<"10.2.16-h7") OR
  (os_version:>="10.2.11" AND os_version:<"10.2.13-h21") OR
  (os_version:>="10.2.8" AND os_version:<"10.2.10-h36") OR
  (os_version:>="10.2.0" AND os_version:<"10.2.7-h34"))
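
The same version ranges can be checked offline against an exported device list. The following is an added example, not runZero or Palo Alto Networks code: it compares the `-hN` hotfix number numerically, so that `11.1.10-h7` sorts before `11.1.10-h25`, and it sets aside version strings it cannot parse. The hostnames and inventory are constructed, and the function names are hypothetical.

```python
import re

# Half-open ranges [first_affected, first_fixed) transcribed from the query above.
AFFECTED_RANGES = [
    ("12.1.5", "12.1.7"), ("12.1.2", "12.1.4-h6"),
    ("11.2.11", "11.2.12"), ("11.2.8", "11.2.10-h7"),
    ("11.2.5", "11.2.7-h14"), ("11.2.0", "11.2.4-h17"),
    ("11.1.14", "11.1.15"), ("11.1.11", "11.1.13-h5"),
    ("11.1.8", "11.1.10-h25"), ("11.1.7", "11.1.7-h6"),
    ("11.1.5", "11.1.6-h32"), ("11.1.0", "11.1.4-h33"),
    ("10.2.17", "10.2.18-h6"), ("10.2.14", "10.2.16-h7"),
    ("10.2.11", "10.2.13-h21"), ("10.2.8", "10.2.10-h36"),
    ("10.2.0", "10.2.7-h34"),
]

# major.minor.maintenance with an optional -hN hotfix suffix
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); no -hN suffix means hotfix 0."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def is_affected(version):
    """True if the version falls inside any range listed for CVE-2026-0257."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Sort {hostname: version} into three buckets of hostnames."""
    # "not_in_listed_ranges" is not a clean bill of health: the advisory notes
    # that older, unsupported releases may also be vulnerable.
    result = {"affected": [], "not_in_listed_ranges": [], "manual_review": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "not_in_listed_ranges"
        except ValueError:
            bucket = "manual_review"  # suffix or format this parser does not model
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "fw-edge-01": "11.1.10-h7",   # below fixed 11.1.10-h25
    "fw-edge-02": "11.1.10-h25",  # fixed hotfix
    "fw-dc-01": "10.2.9",         # inside 10.2.8 .. 10.2.10-h36
    "fw-lab-01": "12.1.4-h6",     # fixed hotfix
    "fw-old-01": "9.1.16",        # outside every listed range
    "fw-odd-01": "11.2.3-xfr",    # constructed unparseable string
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```
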

May 13, 2026: CVE-2026-0263 #

Palo Alto Networks (PAN) released a security advisory for a high-severity buffer overflow vulnerability in IKEv2 processing that allows an unauthenticated remote attacker to execute arbitrary code with elevated privileges or cause a denial of service.

  • CVE-2026-0263 is rated high with CVSS score of 7.2, is a buffer overflow vulnerability and potentially allows for remote code execution with elevated privileges.

What is the impact? #

CVE-2026-0263 allows for an unauthenticated remote attacker to execute arbitrary code with elevated privileges or lead to a denial of service (DoS).

The vulnerability only affects PA-Series firewalls if IKEv2 VPN tunnels are configured with Post Quantum Cryptography (PQC).

Are updates or workarounds available? #

Within the advisory, Palo Alto recommends "configuring IKEv2 VPN tunnels only with NIST approved Post Quantum Cryptography (PQC) ciphers".

  • PAN-OS 12.1: Upgrade to 12.1.4-h5, 12.1.7, or later.
  • PAN-OS 11.2: Upgrade to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12, or later.
  • PAN-OS 11.1: Upgrade to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15, or later.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable PAN-OS systems:

hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND
  ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR
  (os_version:>="12.1.2" AND os_version:<"12.1.4-h5") OR
  (os_version:>="11.2.11" AND os_version:<"11.2.12") OR
  (os_version:>="11.2.8" AND os_version:<"11.2.10-h6") OR
  (os_version:>="11.2.5" AND os_version:<"11.2.7-h13") OR
  (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR
  (os_version:>="11.1.14" AND os_version:<"11.1.15") OR
  (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR
  (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR
  (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR
  (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR
  (os_version:>="11.1.0" AND os_version:<"11.1.4-h33"))

May 5, 2026: CVE-2026-0300 #

On May 5, 2026, Palo Alto Networks (PAN) released a security advisory for a critical buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) that allows an unauthenticated remote attacker to execute arbitrary code with root privileges.

  • CVE-2026-0300 is rated critical with CVSS score of 9.3, is a buffer overflow vulnerability and potentially allows for remote code execution with root privileges.

On May 6, 2026, CISA announced that the vulnerability is actively being exploited and it was added to the Known Exploited Vulnerabilities (KEV) Catalog.

What is the impact? #

CVE-2026-0300 allows for an unauthenticated remote attacker to execute arbitrary code with root privileges, which can lead to complete system takeover.

The vulnerability only affects PA-Series and VM-Series firewalls if they're set up with the Captive Portal.

Are updates or workarounds available? #

Within the advisory, Palo Alto recommends restricting access to the Captive Portal to trusted internal IP addresses. Additionally, they advise following a set of best practices to secure device access. 

Palo Alto Networks has patch releases for CVE-2026-0300 scheduled between 5/15 and 5/28.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable PAN-OS systems:

hw:="Palo Alto Networks%" AND os:="Palo Alto Networks PAN-OS%" AND 
os_version:>0 AND ((os_version:<"10.2.7-h34") OR  
(os_version:>"10.2.7-h34" AND os_version:<"10.2.10-h36") OR  
(os_version:>"10.2.10-h36" AND os_version:<"10.2.13-h21") OR  
(os_version:>"10.2.13-h21" AND os_version:<"10.2.16-h7") OR  
(os_version:>"10.2.16-h7" AND os_version:<"10.2.18-h6") OR  
(os_version:>="11.1" AND os_version:<"11.1.4-h33") OR  
(os_version:>"11.1.4-h33" AND os_version:<"11.1.6-h32") OR  
(os_version:>"11.1.6-h32" AND os_version:<"11.1.7-h6") OR  
(os_version:>"11.1.7-h6" AND os_version:<"11.1.10-h25") OR  
(os_version:>"11.1.10-h25" AND os_version:<"11.1.13-h5") OR  
(os_version:>"11.1.13-h5" AND os_version:<"11.1.15") OR  
(os_version:>="11.2" AND os_version:<"11.2.4-h17") OR  
(os_version:>"11.2.4-h17" AND os_version:<"11.2.7-h13") OR  
(os_version:>"11.2.7-h13" AND os_version:<"11.2.10-h6") OR  
(os_version:>"11.2.10-h6" AND os_version:<"11.2.12") OR  
(os_version:>="12.1" AND os_version:<"12.1.4-h5") OR  
(os_version:>"12.1.4-h5" AND os_version:<"12.1.7"))

From the Service Inventory you can use the following query to locate potentially vulnerable PAN-OS Captive Portals:

_service.favicon.ico.image.md5:c8c08bbe0b78b27d61002db456c741cc AND _service.http.code:="403" and (port:6080 OR port:6081 OR port:6082)

February 2025 (Multiple CVEs) #

On February 20, 2025, Palo Alto Networks updated another security advisory, notifying customers of further active exploitation in which vulnerabilities are being chained together with CVE-2025-0108. In the advisory for CVE-2025-0111, which has a CVSS score of 7.1, the vendor warns that an "authenticated attacker with network access to the management web interface" could gain read access to files accessible by the nobody user on the local filesystem.

On February 18, 2025 Palo Alto Networks confirmed that CVE-2025-0108 was being actively exploited in the wild. They also updated their advisory noting that the vulnerability could be chained together with other patched vulnerabilities including CVE-2024-9474.

On February 12, 2025, Palo Alto Networks (PAN) issued multiple security advisories for vulnerabilities in PAN-OS.

  • CVE-2025-0108 is rated high with a CVSS score of 7.8. Successful exploitation of this vulnerability would allow a remote unauthenticated attacker to bypass authentication and run certain scripts.
  • CVE-2025-0109 is rated medium with a CVSS score of 5.5. Successful exploitation of this vulnerability would allow a remote unauthenticated attacker to delete certain files as the "nobody" user. This includes certain logs and configuration files but not system files.

What is the impact? #

An attacker that can access the web administration interface of a device running PAN-OS can execute certain scripts or delete certain files. 

Are updates or workarounds available? #

Palo Alto has released updates to address these vulnerabilities, and strongly recommends that users update as quickly as possible. They also recommend that users restrict access to vulnerable systems' web interfaces as quickly as possible, and prior to applying any updates.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"

November 2024 (Multiple CVEs) #

On November 18, 2024, Palo Alto Networks (PAN) issued a security advisory for a vulnerability that allows an unauthenticated attacker with access to the system's PAN-OS management web interface to gain administrator privileges on the device. There is limited evidence that CVE-2024-0012 is being exploited in the wild. This vulnerability is rated as critical with a 9.3 CVSS score.

What is the impact? #

An attacker that can access the web administration interface of a device running PAN-OS can gain administrative privileges on the system. This would allow the attacker control over the system, and additionally may allow the attacker paths to further exploits (for example, CVE-2024-9474).

Palo Alto has indicated that there is limited evidence of exploitation of this vulnerability in the wild. Palo Alto's Unit 42 research organization has authored a writeup on the vulnerability that includes some Indicators of Compromise (IoCs).

Note that CISA (the Cybersecurity and Infrastructure Security Agency) has added CVE-2024-0012 and CVE-2024-9474 to their Known Exploited Vulnerabilities catalog.

Are updates or workarounds available? #

Palo Alto has released updates to address this vulnerability, and strongly recommends that users update as quickly as possible. They also recommend that users restrict access to vulnerable systems' web interfaces as quickly as possible, and prior to applying any updates.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"

CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465 #

Palo Alto Networks (PAN) updated a security advisory advising customers to restrict access to the management interface of Next-Generation Firewalls (NGFW) due to an actively exploited zero-day vulnerability.

CISA announced that CVE-2024-5910, which was patched in July, is actively being exploited and was added to the Known Exploited Vulnerabilities (KEV) Catalog. Although not directly affecting PAN-OS, this vulnerability affects the Expedition migration tool, which could contain API keys, administrator credentials, and/or PAN-OS device configuration information.

Additionally, CISA announced that both CVE-2024-9463 (CVSS 9.9) and CVE-2024-9465 (CVSS 9.3) are actively being exploited and were also added to the Known Exploited Vulnerabilities (KEV) Catalog. Both vulnerabilities also affect the Expedition migration tool.

    What is the impact? #

    Although no specific details of a remote code execution vulnerability were disclosed within the advisory, Palo Alto is investigating active exploitation of a zero-day vulnerability against the management interfaces of NGFWs exposed to the public Internet.

    CVE-2024-5910 allows for a remote attacker to reset application admin credentials on Expedition servers. Additionally, successful exploitation of the other two vulnerabilities above could allow for a remote attacker to execute arbitrary OS commands or reveal the contents of the underlying database.

    Are updates or workarounds available? #

    Within the advisory, Palo Alto recommends restricting access to the management interface. Additionally, they advise following a set of best practices to secure the management interface. 

    Palo Alto Networks released a patch for CVE-2024-5910 in July.

    How to find PAN-OS systems on your network #

    From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

    os:"PAN-OS" type:"Firewall"
    

    How to find Expedition servers on your network #

    From the Service Inventory you can use the following query to locate potentially vulnerable systems:

    html.title:="Expedition Project"
    

    October 10, 2024 vulnerabilities #

    Palo Alto Networks (PAN) released a security advisory with multiple vulnerabilities on PAN-OS firewalls that could lead to admin account takeover.

    • CVE-2024-9463 is rated critical with CVSS score of 9.9, is an OS command injection vulnerability and potentially allows for  and execution of OS commands as root.
    • CVE-2024-9464 is rated critical with CVSS score of 9.3, is an OS command injection vulnerability and potentially allows for the execution of OS commands as root.
    • CVE-2024-9465 is rated critical with CVSS score of 9.2, is a SQL injection vulnerability and potentially allows a remote unauthenticated attacker to read the contents of the Expedition database.
    • CVE-2024-9466 is rated high with CVSS score of 8.2, and potentially allows for an authenticated user to read sensitive information including passwords and API keys.
    • CVE-2024-9467 is rated high with CVSS score of 7.0, is an XSS vulnerability and potentially allows for execution of malicious JavaScript code that could result in session hijacking.

    If chained together through an exploit, a firewall running the vulnerable software could be completely taken over by an unauthenticated remote attacker. For more information, the team that disclosed the vulnerabilities to Palo Alto Networks published a detailed analysis. According to the vendor, there was no known malicious exploitation of vulnerable systems at the time.

    According to Palo Alto Networks, "The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions." They also recommended rotating all passwords and API keys after applying the latest patch to prevent future unauthorized access. Refer to the Workarounds and Mitigations section of the security advisory for information about potential workarounds and additional advice.


    CVE-2024-3400 #

    Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software had a vulnerability that allowed for remote command injection.

    CVE-2024-3400 was rated critical with CVSS score of 9.8 and indicated an unauthenticated attacker could execute arbitrary code with root privileges on the firewall. The vendor indicated that there was evidence of limited exploitation in the wild.

    watchTowr posted a detailed analysis including the details needed for exploitation. This analysis covered two separate vulnerabilities: an arbitrary file creation vulnerability in the session handler, and a shell metacharacter injection issue that led to remote execution through the telemetry script. PAN updated their guidance to state that "Disabling device telemetry is no longer an effective mitigation".

    The following PAN-OS versions were affected by this vulnerability.

    | Version     | Affected    | Unaffected                         |
    |-------------|-------------|------------------------------------|
    | PAN-OS 11.1 | < 11.1.2-h3 | >= 11.1.2-h3 (hotfix ETA: By 4/14) |
    | PAN-OS 11.0 | < 11.0.4-h1 | >= 11.0.4-h1 (hotfix ETA: By 4/14) |
    | PAN-OS 10.2 | < 10.2.9-h1 | >= 10.2.9-h1 (hotfix ETA: By 4/14) |

    Palo Alto Networks indicated that PAN-OS 11.1, 11.0, and 10.2 versions with the configurations for both GlobalProtect gateway and device telemetry enabled were affected.

    Customers could verify whether a GlobalProtect gateway was configured by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways), and whether device telemetry was enabled by checking the firewall web interface (Device > Setup > Telemetry).

    Palo Alto Networks recommended that customers with a Threat Prevention subscription block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying vulnerability protection to GlobalProtect interfaces.

    It was also recommended that telemetry be disabled until devices could be upgraded to an unaffected version of PAN-OS.

    Written by runZero Team

    Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!


    Written by Tom Sellers

    Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception technology. A strong believer in Open Source, he has contributed to projects such as Nmap, Metasploit, and Recog.


    Written by Matthew Kienow

    Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.
