Palo Alto PAN-OS Authentication Bypass Exposes CAS-Enabled Firewalls and Panorama
Palo Alto Networks released security advisories for multiple PAN-OS branches after disclosing several serious flaws, including CVE-2026-0265, an authentication bypass caused by a signature verification weakness when Cloud Authentication Service (CAS) is enabled and attached to a login interface. The issue affects PA-Series, VM-Series, and Panorama deployments, while Cloud NGFW and Prisma Access are not affected. Palo Alto also warned of a heap-based buffer overflow in the DNS Proxy and DNS Server that could enable unauthenticated remote code execution, as well as a separate remote code execution flaw in IKEv2 processing across supported releases including 12.1, 11.2, 11.1, and 10.2.
The Canadian Centre for Cyber Security urged administrators to review Palo Alto’s advisories, apply mitigations, and install updates, with fixes already issued for many affected versions and additional patches expected for some branches. Rapid7 said organizations using CAS should prioritize emergency patching rather than depend on workarounds, while researcher Harsh Jaiswal of HacktronAI publicly claimed successful exploitation of the authentication bypass against multiple companies’ GlobalProtect portals to obtain VPN access; Palo Alto had not confirmed in-the-wild exploitation as of May 14.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Bishop Fox publishes CVE-2026-0265 detection method and technical analysis
On 2026-05-22, Bishop Fox published technical analysis of CVE-2026-0265, describing it as a JWT signature bypass tied to algorithm confusion in pan_auth_verify that can affect GlobalProtect portals and PAN-OS management interfaces when CAS is enabled. The firm also released a detection method and script that use an anonymous GlobalProtect prelogin request to identify CAS exposure and determine whether a target is running a vulnerable version.
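The following is an added example, not code from Bishop Fox, Palo Alto Networks or this page. It shows the general defence against the JWT algorithm-confusion bug class named above and does not reproduce pan_auth_verify, whose internals the page does not describe. All names (PinnedKey, verify_pinned, the asym_verify hook, make_hs256) are hypothetical, and HS256 stands in for the concrete check only because it is available in the Python standard library.

```python
import base64, binascii, hashlib, hmac, json
from dataclasses import dataclass
from typing import Callable, Optional

class TokenRejected(Exception):
    """Any failed check; callers treat every rejection the same way."""

@dataclass(frozen=True)
class PinnedKey:
    alg: str          # set in verifier configuration, never read from the token
    material: bytes   # HMAC secret, or an encoded public key
    # Hypothetical hook for asymmetric algs: (material, signed, sig) -> bool
    asym_verify: Optional[Callable[[bytes, bytes, bytes], bool]] = None

def _b64url(segment: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except (binascii.Error, ValueError) as exc:
        raise TokenRejected("malformed base64url segment") from exc

def verify_pinned(token: str, key: PinnedKey) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("expected header.payload.signature")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url(head_b64))
    except ValueError as exc:
        raise TokenRejected("header is not valid JSON") from exc
    # Core defence: the declared alg must equal the alg pinned to the key, so a
    # public key configured for RS256 is never reused as an HMAC secret.
    if not isinstance(header, dict) or header.get("alg") != key.alg:
        raise TokenRejected("declared alg does not match pinned alg")
    signed, sig = f"{head_b64}.{body_b64}".encode(), _b64url(sig_b64)
    if key.alg == "HS256":
        mac = hmac.new(key.material, signed, hashlib.sha256).digest()
        ok = hmac.compare_digest(mac, sig)
    elif key.alg == "RS256" and key.asym_verify is not None:
        ok = key.asym_verify(key.material, signed, sig)
    else:
        raise TokenRejected("unsupported pinned alg")
    if not ok:
        raise TokenRejected("signature check failed")
    return json.loads(_b64url(body_b64))

def make_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 sample token for exercising the verifier."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    signed = enc(b'{"alg":"HS256","typ":"JWT"}') + "." + enc(json.dumps(claims).encode())
    return signed + "." + enc(hmac.new(secret, signed.encode(), hashlib.sha256).digest())
```

The verifier decides the algorithm from its own configuration and rejects a mismatching header before any key material is touched.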
JPCERT/CC warns Japan-based organizations about CVE-2026-0265
On 2026-05-22, JPCERT/CC published advisory JPCERT-AT-2026-0015 warning that PAN-OS systems with Cloud Authentication Service enabled could be remotely compromised via authentication bypass. The advisory cited public technical analysis showing GlobalProtect VPN access could be obtained, warned exploit code may emerge and attacks could spread in Japan, and urged immediate patching or vendor mitigations.
HacktronAI reports successful exploitation of CVE-2026-0265
By 2026-05-14, researcher Harsh Jaiswal of HacktronAI said the firm had successfully exploited CVE-2026-0265 against multiple corporations' GlobalProtect portals to obtain VPN access. Palo Alto had not confirmed in-the-wild exploitation at that time, and HacktronAI said fuller technical details would be released during the week of 2026-05-18.
Canadian Centre for Cyber Security urges immediate mitigation
On 2026-05-13, the Canadian Centre for Cyber Security published advisory AV26-462 summarizing the Palo Alto Networks disclosures and urging administrators to review the vendor advisories, apply mitigations, and install updates. The notice highlighted the authentication bypass, DNS-related remote code execution risk, and IKEv2 processing flaw.
Palo Alto Networks releases patches for many affected PAN-OS versions
Alongside the advisories on 2026-05-13, Palo Alto Networks issued fixes for many impacted PAN-OS version streams, including affected 12.1, 11.2, 11.1, and 10.2 releases. Additional fixes for some remaining affected versions were scheduled for release on 2026-05-28.
Palo Alto Networks discloses CVE-2026-0265 and related PAN-OS flaws
On 2026-05-13, Palo Alto Networks published security advisories for multiple PAN-OS branches, including CVE-2026-0265, an authentication bypass affecting deployments using Cloud Authentication Service (CAS). The advisories also covered other serious issues, including a heap-based buffer overflow in DNS components and an IKEv2 remote code execution flaw.
Sources
Alert regarding an authentication bypass vulnerability in Palo Alto Networks PAN-OS (CVE-2026-0265)
jpcert.or.jp
Detecting CVE-2026-0265 at Scale: PAN-OS CAS… | Bishop Fox
bishopfox.com
GitHub - BishopFox/CVE-2026-0265-check: Safely detect whether a PAN-OS target is vulnerable to CVE-2026-0265. · GitHub
github.com
WARNING: Multiple Vulnerabilities in Palo Alto Networks PAN-OS Can Be Exploited to Bypass Authentication Controls, Execute Arbitrary Code, or Cause a Denial of Service. Patch Immediately! | CCB Belgium
ccb.belgium.be
CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS
rapid7.com
Palo Alto Networks security advisory (AV26-462) - Canadian Centre for Cyber Security
cyber.gc.ca

