โ† CIO Briefings ยท Critical Impact ACTION REQUIRED

VPN Security Alert: Attackers Bypassing Palo Alto Networks VPN Passwords in Second Active Exploitation Wave

Attackers are actively bypassing password authentication on Palo Alto Networks GlobalProtect VPN systems without needing valid credentials. CISA has added the vulnerability to its mandatory patch list. Organisations using GlobalProtect VPN must apply patches immediately; all systems that have been internet-facing while on vulnerable software versions should be forensically reviewed for prior access.

#NIS2 #DORA #ISO-27001

What Happened

Security researchers and incident responders have confirmed that attackers are actively exploiting a vulnerability in Palo Alto Networks GlobalProtect VPN, one of the most widely deployed corporate VPN systems worldwide. The vulnerability allows attackers to connect to your corporate VPN as if they were a legitimate employee, without needing a username or password.

This is a second wave of confirmed attacks. The first wave targeted specific high-value organisations; the current wave is broader, with automated scanning and exploitation detected across multiple sectors including manufacturing, healthcare, and government.

CISA has added this vulnerability to its official catalogue of vulnerabilities known to be exploited by attackers and has set 1 June 2026 as the mandatory patch deadline for US federal government agencies. The same urgency applies to all organisations using this VPN technology.

Business Impact

An attacker who successfully exploits this vulnerability gains VPN access to your internal network, the same level of access as an employee working remotely. From that position, the attacker can:

  • Access internal systems and data: Any system accessible from the corporate VPN can be targeted: file servers, databases, internal applications, email systems, finance systems
  • Steal credentials: Once inside the VPN, attackers use standard techniques to capture employee usernames and passwords, often targeting Active Directory
  • Deploy ransomware: VPN access is the most common entry point for ransomware deployments; attackers enter through the VPN, spread through the network, and deploy encryption before leaving
  • Conduct espionage: Nation-state actors targeting government, defence, and critical infrastructure use VPN authentication bypasses to establish persistent access for intelligence collection

Regulatory Implications

NIS2 essential and important service operators should assess this vulnerability against their significant incident reporting threshold; an active authentication bypass on VPN infrastructure affecting the network security of the operator is likely to meet the bar. DORA financial entities should assess impact on ICT system availability and access control. Report within the applicable timeframes if the threshold is met.

Board-Ready Summary

  • Attackers can currently log into our VPN without a password. This is an actively exploited attack being used right now against organisations in multiple sectors.
  • The fix is a software update that must be applied urgently. Our IT team is working on applying this update.
  • We must also check whether anyone used this technique to access our systems before we applied the fix.

Recommended Actions

  1. Apply patches immediately (today): Upgrade PAN-OS to the patched version for your branch:

    • PAN-OS 10.2: update to 10.2.8 or later
    • PAN-OS 11.1: update to 11.1.4 or later
    • PAN-OS 11.2: update to 11.2.2 or later
    • PAN-OS 12.1: update to 12.1.1 or later

  2. Forensically review the exposure window: Any GlobalProtect gateway on vulnerable software that has been internet-facing must be treated as potentially compromised. Engage your security operations team or an incident response provider to review VPN authentication logs for the exposure period.

  3. Cross-reference VPN logs against identity provider logs: Legitimate VPN connections generate authentication events in your identity provider (Entra ID, Okta, Active Directory). Connections that appear in GlobalProtect logs but not in identity provider logs are suspicious and should be investigated.

  4. Restrict VPN access scope while patching: If immediate patching is not possible in the next 24 hours, restrict GlobalProtect gateway access to specific IP addresses associated with known users (static home office IPs, corporate mobile egress IPs) to limit the exploitation surface.

  5. Brief your incident response team: Ensure your incident response team is aware of the active exploitation. If indicators of compromise are found during the log review, activate your incident response plan immediately.
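The cross-reference described in step 3 can be automated. The following is an added example, not code from the original briefing or from Palo Alto Networks: it uses constructed, simplified event records rather than real PAN-OS or identity-provider log syntax, and assumes you have already exported successful GlobalProtect logins and successful IdP authentications for the exposure window. A VPN login with no IdP authentication for the same user shortly before it is flagged for investigation.

```python
from datetime import datetime, timedelta

# Constructed sample events (NOT real PAN-OS or IdP log formats).
# VPN_LOGINS: successful GlobalProtect gateway logins during the exposure window.
# IDP_AUTHS: successful authentications seen by the identity provider (Entra ID, Okta, AD).
VPN_LOGINS = [
    {"user": "alice", "src": "203.0.113.10", "ts": "2026-05-20T08:01:10"},
    {"user": "bob", "src": "198.51.100.7", "ts": "2026-05-20T08:05:42"},
    {"user": "alice", "src": "192.0.2.55", "ts": "2026-05-20T23:40:03"},  # no IdP event nearby
    {"user": "mallory", "src": "192.0.2.77", "ts": "2026-05-21T02:12:19"},  # user never seen by IdP
]
IDP_AUTHS = [
    {"user": "alice", "ts": "2026-05-20T08:01:05"},
    {"user": "bob", "ts": "2026-05-20T08:05:38"},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp string (assumed format of the exported events)."""
    return datetime.fromisoformat(value)


def find_unmatched_vpn_logins(vpn_logins, idp_auths, window=timedelta(minutes=5)):
    """Return VPN logins that have no IdP authentication for the same user
    within `window` before the VPN login time. These are the connections that
    step 3 calls suspicious: present in GlobalProtect logs, absent from the IdP."""
    auths_by_user = {}
    for event in idp_auths:
        auths_by_user.setdefault(event["user"], []).append(parse_ts(event["ts"]))

    unmatched = []
    for login in vpn_logins:
        login_time = parse_ts(login["ts"])
        candidates = auths_by_user.get(login["user"], [])
        # A legitimate login should be preceded by an IdP success inside the window.
        if not any(login_time - window <= auth <= login_time for auth in candidates):
            unmatched.append(login)
    return unmatched


if __name__ == "__main__":
    for login in find_unmatched_vpn_logins(VPN_LOGINS, IDP_AUTHS):
        print(f"INVESTIGATE: user={login['user']} src={login['src']} at {login['ts']}")
```

Tune the window to your IdP's clock skew and token lifetime, and expect the same join to work against any export that yields user, source IP and timestamp columns.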