National CERT Pakistan has issued a high-severity cybersecurity alert warning organizations about the active exploitation of a critical vulnerability affecting Palo Alto Networks’ GlobalProtect VPN platform.
The vulnerability, identified as CVE-2026-0257, impacts the GlobalProtect VPN portal and gateway components running on PAN-OS. According to the advisory, attackers can exploit the flaw to bypass authentication controls and gain unauthorized access to VPN sessions without requiring any interaction from users.

National CERT noted that the vulnerability is already being exploited in real-world attacks and has been added to the Known Exploited Vulnerabilities (KEV) catalog, confirming active malicious use.
The agency warned that the flaw poses a significant threat to organizations that rely on remote access infrastructure, including government institutions, financial organizations, telecom operators, and private-sector enterprises.
Security officials explained that successful exploitation could provide attackers with an initial foothold inside organizational networks. Once access is obtained, threat actors may move laterally across systems, steal sensitive information, harvest user credentials, and establish persistent access within affected environments.

The advisory further cautioned that compromised VPN systems could disrupt critical operations and create opportunities for additional attacks across interconnected networks.
National CERT emphasized that the vulnerability is particularly dangerous because it can be exploited remotely without authentication or user involvement, increasing the exposure of internet-facing systems.
To mitigate the risk, organizations have been urged to immediately deploy security patches released by Palo Alto Networks for affected PAN-OS versions. Additional recommendations include enabling multi-factor authentication (MFA), limiting VPN access to trusted IP addresses, and enhancing monitoring of VPN activity.

The agency also advised organizations to review active VPN sessions, investigate unusual login behavior, and search for indicators of compromise such as unfamiliar IP addresses, unauthorized connections, or suspicious authentication attempts.
Furthermore, National CERT recommended strengthening incident response efforts by correlating VPN, firewall, and authentication logs, isolating potentially compromised systems, and rotating credentials where necessary.
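
The log correlation recommended above can be sketched as follows. This is an added example, not code from the advisory or from Palo Alto Networks: it flags VPN sessions that come from outside a trusted range or that have no successful authentication shortly before them. The record layout, the allowlist, and the five-minute window are assumptions, and the sample records are constructed rather than taken from a PAN-OS log format.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records in a generic shape (not a PAN-OS log format).
TRUSTED_NETS = [ip_network("203.0.113.0/24")]  # assumed allowlist of trusted sources
AUTH_WINDOW = timedelta(minutes=5)             # assumed max gap between auth and session

AUTH_LOG = [  # (timestamp, user, source IP, result)
    ("2026-01-10T08:00:05", "alice", "203.0.113.10", "success"),
    ("2026-01-10T08:03:40", "bob", "198.51.100.7", "failure"),
    ("2026-01-10T08:04:02", "bob", "198.51.100.7", "success"),
]
VPN_LOG = [  # (timestamp, user, source IP) for each established session
    ("2026-01-10T08:00:09", "alice", "203.0.113.10"),
    ("2026-01-10T08:04:10", "bob", "198.51.100.7"),
    ("2026-01-10T09:15:00", "carol", "192.0.2.55"),
    ("2026-01-10T09:30:00", "alice", "203.0.113.10"),
]


def review_sessions(vpn_log, auth_log, trusted_nets, window=AUTH_WINDOW):
    """Return (session, reasons) for every session that needs investigation."""
    # Index successful authentications by (user, source IP).
    successes = {}
    for ts, user, src, result in auth_log:
        if result == "success":
            successes.setdefault((user, src), []).append(datetime.fromisoformat(ts))

    findings = []
    for ts, user, src in vpn_log:
        start = datetime.fromisoformat(ts)
        reasons = []
        if not any(ip_address(src) in net for net in trusted_nets):
            reasons.append("untrusted-source")
        # A session with no successful auth shortly before it is the pattern
        # an authentication bypass would leave in correlated logs.
        auths = successes.get((user, src), [])
        if not any(timedelta(0) <= start - a <= window for a in auths):
            reasons.append("no-matching-auth")
        if reasons:
            findings.append(((ts, user, src), reasons))
    return findings


if __name__ == "__main__":
    for session, reasons in review_sessions(VPN_LOG, AUTH_LOG, TRUSTED_NETS):
        print(session, reasons)
```

Sessions flagged `no-matching-auth` are the ones to prioritize for session review and credential rotation, since a normal login always leaves an authentication record behind.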

The advisory concluded by urging organizations to promptly report any suspected intrusion attempts or abnormal VPN activity, stressing that timely patching, continuous monitoring, and proactive security measures remain critical to preventing unauthorized access and minimizing cybersecurity risks.



