CVE-2026-0300 was a PAN-OS GlobalProtect RCE, actively exploited from early May. CVE-2026-0257 is a PAN-OS GlobalProtect authentication bypass, actively exploited from late May. Two separate vulnerabilities, two separate researchers, two separate exploitation campaigns, three months.
The natural first response is to critique Palo Alto Networks for shipping a product with multiple critical vulnerabilities in a short window. That critique is not wrong, but it is incomplete. A second vulnerability in a different code path (remote code execution in one, session handling in the other), found independently by a different researcher, is not the same as a vendor failing to fix the same bug twice. It is two independent discoveries in the same broadly targeted product.
The more useful question is why GlobalProtect specifically is attracting this research attention, and what it implies for how organisations should think about VPN infrastructure as an attack surface category.
Why GlobalProtect Is a High-Value Research Target
Attack surface concentration creates research incentives. A vulnerability in a widely deployed enterprise VPN gateway — one that processes unauthenticated external traffic and grants authenticated users internal network access — has high impact by definition. The value of finding that vulnerability is proportional to the deployment base.
GlobalProtect is deployed in tens of thousands of enterprise environments globally, including government, critical infrastructure, defence supply chain, and financial services. A single working authentication bypass in GlobalProtect is a skeleton key to a significant fraction of the world’s enterprise networks.
This makes GlobalProtect an attractive target for legitimate security researchers (who benefit from bug bounty payouts and conference presentations), criminal broker markets (who can sell working zero-days for six to seven figures), and nation-state intelligence operations (who derive direct operational value from persistent access to these environments).
The volume of research attention directed at a target is roughly proportional to the value of finding a bug in it. GlobalProtect’s deployment profile makes it one of the highest-value single attack surfaces in enterprise security. The research attention it attracts reflects that value.
This Is Not a Palo Alto Networks-Specific Problem
The same dynamics apply to every widely deployed enterprise VPN platform. Cisco AnyConnect (now Cisco Secure Client) on ASA and FTD, Pulse Secure (spun out of Juniper and now sold as Ivanti Connect Secure), Fortinet's FortiGate SSL-VPN, Citrix Gateway (NetScaler Gateway): all have documented histories of critical vulnerabilities with active exploitation. Ivanti Connect Secure had a particularly notable 2024–2025 run. FortiGate SSL-VPN was systematically targeted by nation-state actors for years.
This is not evidence that all VPN vendors produce insecure products (though the security records vary). It is evidence that VPN gateways as a category are a persistent, high-value research target, and that any sufficiently complex internet-facing authentication component will yield exploitable bugs at some discovery rate. The rate of discovery has been increasing as the research community, criminal actors, and nation-states have all intensified their focus on perimeter access technologies.
The Structural Response
The appropriate response to sustained VPN vulnerability activity is not to wait for a VPN vendor with a clean record — there is no such vendor with equivalent deployment scale. The appropriate response is architectural.
Zero Trust Network Access (ZTNA) does not eliminate the VPN problem, but it changes its character. In a well-implemented ZTNA architecture the VPN gateway is replaced by a broker that evaluates each application access request against device posture, user identity and application-specific policy, and proxies the connection to that application rather than placing the client on the network. An authentication bypass at the broker still yields access, but to the applications the assumed identity is entitled to, not to a routable path into the entire internal network. Two caveats apply. The broker is itself an internet-facing authentication component and is subject to the same discovery rate as the gateway it replaces, so it needs the same patch discipline. And the blast radius is only as narrow as the policy: a bypass that lands as a broadly entitled identity, or a policy that exposes administrative protocols as "applications", reproduces much of the flat-network problem. With those caveats, the blast radius of a ZTNA authentication bypass is narrower than that of a traditional VPN gateway bypass, and much of that narrowing is available today by terminating an existing VPN into its own zone with per-application allow rules and an explicit deny, instead of routing it into the core.
This is not a theoretical argument. The documented post-exploitation impact of GlobalProtect authentication bypasses — lateral movement to domain controllers, credential theft, ransomware deployment — is the product of a VPN architecture that grants broad network access upon authentication. ZTNA’s application-specific access model would not prevent the initial authentication bypass but would constrain what the attacker could do with it.
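The blast-radius point can be checked against an existing VPN deployment without adopting ZTNA. The script below is an added example (not from the article, and not Palo Alto Networks code): it models top-down first-match evaluation of a zone-based firewall rulebase, the way PAN-OS security policy is evaluated, and enumerates what a session that has landed in the remote-access zone can reach under a flat "VPN to internal, any application" rule versus a scoped per-application rule set. Zone names, addresses, rule names, the target list and the App-ID-style application names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security-policy rule. Zone names, addresses and App-ID-style
    application names in this file are hypothetical; "any" is the wildcard."""
    name: str
    from_zone: str
    to_zone: str
    destinations: tuple      # CIDR strings, or ("any",)
    applications: frozenset  # application names, or frozenset({"any"})
    action: str              # "allow" or "deny"

    def matches(self, from_zone, to_zone, dst_ip, app):
        if self.from_zone != "any" and self.from_zone != from_zone:
            return False
        if self.to_zone != "any" and self.to_zone != to_zone:
            return False
        if "any" not in self.applications and app not in self.applications:
            return False
        if "any" in self.destinations:
            return True
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in ipaddress.ip_network(d) for d in self.destinations)


def evaluate(rulebase, from_zone, to_zone, dst_ip, app):
    """Top-down first match with an implicit deny at the end, which is how a
    zone-based firewall rulebase such as PAN-OS security policy is evaluated."""
    for rule in rulebase:
        if rule.matches(from_zone, to_zone, dst_ip, app):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def reachable(rulebase, from_zone, targets):
    """Subset of (to_zone, dst_ip, app) targets a session in from_zone may
    reach: the blast radius of a bypassed login in that zone."""
    return [t for t in targets if evaluate(rulebase, from_zone, *t)[0] == "allow"]


# Hypothetical internal targets an attacker goes for after landing in the VPN zone.
TARGETS = [
    ("trust", "10.0.0.5", "ldap"),           # domain controller, LDAP
    ("trust", "10.0.0.5", "ms-ds-smb"),      # domain controller, SMB
    ("trust", "10.0.1.20", "ms-ds-smb"),     # file server
    ("trust", "10.1.0.10", "web-browsing"),  # intranet web application
    ("trust", "10.1.0.10", "ssl"),           # same application over TLS
]

# Flat rulebase: remote-access users are trusted like the LAN. This is the
# "broad network access upon authentication" model the article describes.
FLAT = [
    Rule("vpn-to-internal", "vpn", "trust", ("any",), frozenset({"any"}), "allow"),
]

# Scoped rulebase: only the applications remote users need, to the hosts that
# serve them, followed by an explicit deny for everything else from that zone.
SCOPED = [
    Rule("vpn-to-intranet-web", "vpn", "trust", ("10.1.0.10/32",),
         frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("vpn-deny-rest", "vpn", "any", ("any",), frozenset({"any"}), "deny"),
]


def blast_radius(rulebase):
    """What a bypassed session in the hypothetical 'vpn' zone can reach."""
    return reachable(rulebase, "vpn", TARGETS)


if __name__ == "__main__":
    for label, rb in (("flat", FLAT), ("scoped", SCOPED)):
        hits = blast_radius(rb)
        print(f"{label}: {len(hits)}/{len(TARGETS)} targets reachable from the VPN zone")
        for to_zone, ip, app in hits:
            print(f"  {ip} {app} via rule {evaluate(rb, 'vpn', to_zone, ip, app)[1]}")
```

Run against a real rulebase exported from the firewall, the same enumeration tells you, before any advisory arrives, whether a bypassed GlobalProtect login lands on a domain controller's LDAP and SMB ports or only on the handful of web applications remote users were ever meant to see.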
The other structural response is patch velocity. Two GlobalProtect CVEs in three months means two emergency patches in three months. Organisations whose VPN patching SLA is measured in weeks are operating in a model where "patch quickly" is aspirational rather than operational. The GlobalProtect exploitation pattern in 2026, with active exploitation consistently documented within the first week or two of advisory publication, means a two-week patching SLA produces a predictable exposure window every time. Emergency VPN patch deployment procedures need to be defined, tested and achievable in 24 to 48 hours. That depends on three things being in place before the advisory lands: an authoritative inventory of every portal and gateway with its current release, a way to compare those releases against the fixed versions the advisory lists (including the hotfix suffix, since a fix shipped as a hotfix is absent from the base maintenance release with the same number), and a rehearsed change path that does not wait for the normal change window. Where the window cannot be met, the advisory's interim mitigation, if one is published, should be applied in the meantime rather than treated as optional.
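The first operational requirement for a 24 to 48 hour window is knowing, within minutes of an advisory, which gateways are below the fixed release. The script below is an added example (not from the article, and not Palo Alto Networks code). It parses the sw-version field from the PAN-OS XML API's "show system info" response and compares it against a per-train fixed-version table, treating the -hN hotfix suffix as significant (11.1.6 is older than 11.1.6-h1). The fixed versions in the table, the hostnames and the sample responses are constructed placeholders; the real values come from the advisory for the CVE being tracked. The live fetch function uses the documented XML API endpoint but is not exercised in the offline run.

```python
import re
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

# HYPOTHETICAL fixed releases per maintenance train. Replace with the versions
# listed in the vendor advisory for the CVE you are tracking.
FIXED_VERSIONS = {
    "10.2": "10.2.13-h3",
    "11.1": "11.1.6-h1",
    "11.2": "11.2.4-h4",
}

# PAN-OS versions look like MAJOR.MINOR.MAINT with an optional -hN hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Return a comparable tuple (major, minor, maint, hotfix); hotfix is 0 if absent."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version):
    """Classify one gateway as 'fixed', 'vulnerable' or 'unknown-train'.
    A train missing from the table is flagged rather than assumed safe: it is
    either end-of-life or not yet assessed, and both need a human decision."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        return "unknown-train"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


def system_info(xml_text):
    """Extract (hostname, sw-version) from a 'show system info' XML API response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call failed: " + xml_text[:200])
    hostname = root.findtext("./result/system/hostname", default="?")
    version = root.findtext("./result/system/sw-version")
    if version is None:
        raise RuntimeError(f"{hostname}: no sw-version in response")
    return hostname, version


def fetch_system_info(host, api_key, timeout=10):
    """Live call, not exercised in the sample run: the PAN-OS XML API operational
    command for 'show system info', with the API key sent in the X-PAN-KEY header."""
    url = f"https://{host}/api/?type=op&cmd=<show><system><info></info></system></show>"
    req = Request(url, headers={"X-PAN-KEY": api_key})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


# CONSTRUCTED sample responses standing in for five gateways; hostnames are made up.
SAMPLE_RESPONSES = [
    '<response status="success"><result><system><hostname>gw-lon-01</hostname>'
    '<sw-version>11.1.4-h7</sw-version></system></result></response>',
    '<response status="success"><result><system><hostname>gw-fra-01</hostname>'
    '<sw-version>11.1.6</sw-version></system></result></response>',
    '<response status="success"><result><system><hostname>gw-nyc-01</hostname>'
    '<sw-version>11.2.4-h4</sw-version></system></result></response>',
    '<response status="success"><result><system><hostname>gw-syd-01</hostname>'
    '<sw-version>10.2.13-h8</sw-version></system></result></response>',
    '<response status="success"><result><system><hostname>gw-sin-01</hostname>'
    '<sw-version>10.1.14</sw-version></system></result></response>',
]


def fleet_report(responses):
    """Return [(hostname, version, status)] for every response, worst first."""
    order = {"vulnerable": 0, "unknown-train": 1, "fixed": 2}
    rows = []
    for xml_text in responses:
        hostname, version = system_info(xml_text)
        rows.append((hostname, version, assess(version)))
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


if __name__ == "__main__":
    for hostname, version, status in fleet_report(SAMPLE_RESPONSES):
        print(f"{status:14} {hostname:10} {version}")
```

In the sample run gw-fra-01 on 11.1.6 is reported vulnerable even though its maintenance number matches the fixed release, which is exactly the case a string comparison or a "same branch, close enough" judgement gets wrong. gw-sin-01 on a 10.1 train is reported as unknown rather than fixed, so an end-of-life gateway cannot slip through a compliance report as green.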
CVE-2026-0257 will have a successor, in GlobalProtect or in another VPN platform. The pattern is structural. The defensive response needs to be structural too.