Palo Alto Networks has confirmed that attackers are actively exploiting an authentication-bypass flaw in its GlobalProtect VPN — the remote-access tool a lot of Australian businesses rely on to let staff work from home. Tracked as CVE-2026-0257 (CVSS 7.8), the bug lets an unauthenticated attacker skip the login and stand up their own VPN connection straight into your network. As reported by The Hacker News, exploitation has been running since mid-May, and the US cyber agency CISA has added it to its Known Exploited Vulnerabilities list.
If your firewall is a Palo Alto and your team connects through GlobalProtect, this one is yours — particularly if the ‘authentication override’ cookie feature is switched on. A VPN bypass is about the worst kind of bug to ignore: it hands an outsider a foothold inside the network, past the perimeter, where your servers and file shares live. Security firm Rapid7 has already watched attackers get handed an internal VPN address in real customer environments. For any firm holding client financial details or personal records, that is the kind of incident that becomes a notifiable breach under the Privacy Act.
Patch now. Palo Alto has released fixed PAN-OS versions across every supported branch. If you genuinely cannot patch this minute, the interim fix is to disable the authentication override feature or generate a dedicated certificate just for it — then check your firewall logs for VPN sessions you cannot account for. And if you do not manage your own firewall, ring your IT provider today and ask, plainly, whether your GlobalProtect is patched. Do not assume it is.
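One way to do the log check described above, as an added example that is not from Palo Alto or the original article: it compares an exported list of VPN sessions against a staff roster and returns every session the roster cannot explain. The CSV column names, the roster, the sample rows and the 15 May start date are constructed assumptions; map them to whatever your firewall's log export actually contains.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample export. Column names are assumptions, not PAN-OS field names.
SAMPLE_LOG = """time,user,source_ip,assigned_ip
2026-05-10T08:55:00,alice,203.0.113.20,10.8.0.11
2026-05-18T09:02:00,alice,203.0.113.20,10.8.0.11
2026-05-19T02:14:00,,198.51.100.77,10.8.0.42
2026-05-20T23:40:00,bob,198.51.100.77,10.8.0.43
2026-05-21T10:15:00,bob,192.0.2.45,10.8.0.12
2026-05-22T03:30:00,svc-backup,203.0.113.99,10.8.0.50
"""

# Constructed roster: each staff account and the networks it normally connects from.
ROSTER = {
    "alice": ["203.0.113.0/24"],
    "bob": ["192.0.2.0/24"],
}


def unaccounted_sessions(log_text, roster, since):
    """Return (row, reason) for each session on or after `since` the roster cannot explain."""
    expected = {u.lower(): [ip_network(n) for n in nets] for u, nets in roster.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if datetime.fromisoformat(row["time"]) < since:
            continue  # before the period being reviewed
        user = row["user"].strip().lower()
        src = ip_address(row["source_ip"].strip())
        if not user:
            reason = "no username recorded"
        elif user not in expected:
            reason = "account not on staff roster"
        elif not any(src in net for net in expected[user]):
            reason = "known account, unfamiliar source address"
        else:
            continue  # session is accounted for
        findings.append((row, reason))
    return findings


if __name__ == "__main__":
    for row, reason in unaccounted_sessions(SAMPLE_LOG, ROSTER, datetime(2026, 5, 15)):
        print(f'{row["time"]}  {row["user"] or "-":<11} {row["source_ip"]:<15} '
              f'-> {row["assigned_ip"]:<10} {reason}')
```

Anything it returns is a session to confirm with the named staff member or your IT provider, not proof of compromise on its own.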
Not sure what is actually guarding your network edge? Our cybersecurity team can confirm your firewall and VPN are patched and configured the way they should be.
