CVE-2026-0265: PAN-OS Authentication Bypass via Cloud Authentication Service Signature Verification Flaw
CVE-2026-0265 is a signature verification vulnerability in PAN-OS that allows an unauthenticated remote attacker to bypass authentication on any login interface that uses Cloud Authentication Service (CAS). Exploitation has been confirmed against GlobalProtect portals, where it yields unauthorized VPN sessions. Affected platforms are PA-Series and VM-Series firewalls and Panorama appliances running vulnerable PAN-OS versions. Patch on an emergency basis; workarounds are not a substitute, given the gap between the vendor's severity rating (CVSS 7.2) and researcher reports of active exploitation.
Indicators
- Unauthenticated remote access to management interfaces where CAS is configured
- Unauthorized VPN sessions established via GlobalProtect portals without valid credentials
- Authentication bypass events on login interfaces configured with CAS-backed authentication profiles
- Unexpected or anomalous logins on internet-facing PAN-OS login portals (management UI, GlobalProtect gateway/portal)
- Successful authentication events in logs without corresponding valid credential presentation
Likely causes
- Signature verification flaw in PAN-OS: improper validation of signatures in the Cloud Authentication Service (CAS) flow allows attackers to bypass authentication checks
- CAS enabled and attached to a login interface (non-default but common configuration) — without CAS attached to a login interface, the attack vector is not present
- Internet-facing login interfaces (management plane or GlobalProtect portal/gateway) increase exposure to unauthenticated remote attackers
Diagnostic steps
- Check the running PAN-OS version on each firewall or Panorama appliance. CLI: `show system info | match sw-version`; management UI: Dashboard > General Information. Outcome: determine whether the device is running a vulnerable PAN-OS version as listed in the advisory.
- Verify CAS configuration: navigate to Device > Authentication Profile and check for CAS-backed profiles assigned to login interfaces. Follow the official Palo Alto Networks advisory instructions for detailed verification steps. Outcome: confirm whether the vulnerable configuration (CAS enabled on a login interface) is present; if CAS is not attached to a login interface, the device is not exploitable via this CVE.
- Identify all internet-facing login interfaces: enumerate management interfaces, GlobalProtect portals, and GlobalProtect gateways that have CAS-backed authentication profiles attached, and assess the network exposure of each. Outcome: prioritize the highest-risk interfaces. Unrestricted internet-facing management interfaces with CAS are highest risk; GlobalProtect portals with CAS are also exploitable per researcher findings.
- Cross-reference the running PAN-OS version against the fixed-version table: PAN-OS 12.1: 12.1.7 (ETA 05/28); PAN-OS 11.2: 11.2.7-h13, 11.2.10-h6, 11.2.12 (ETA 05/28); PAN-OS 11.1: 11.1.6-h32, 11.1.10-h25, 11.1.13-h5; PAN-OS 10.2: 10.2.10-h36, 10.2.18-h6. Outcome: determine which devices require immediate patching and which must wait for patches expected May 28, 2026.
- Review authentication and access logs on affected appliances for anomalous or unauthenticated login events on CAS-enabled interfaces, particularly management interfaces and GlobalProtect portals. Outcome: determine whether exploitation may already have occurred prior to patching and identify potential indicators of compromise.
- Scan the environment using Rapid7 Exposure Command, InsightVM, or Nexpose for CVE-2026-0265 exposure. Outcome: obtain an automated inventory of vulnerable PAN-OS assets for prioritization and for tracking remediation progress.
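The version cross-reference step is easy to get wrong by hand because PAN-OS fixes are published per maintenance release with hotfix suffixes (11.1.10-h25 does not cover 11.1.11, but 11.2.12 covers every later 11.2 release). The script below is an added example, not Palo Alto Networks or Rapid7 code: it encodes the fixed versions listed under Resolution path on this page, applies that comparison convention, and reports the nearest fix for each device in a constructed sample inventory. The hostnames are made up; the `pending` flags reflect the ETA entries on this page and should be flipped once those releases ship.

```python
"""Check installed PAN-OS versions against this page's CVE-2026-0265 fix table.

Added example, not Palo Alto Networks or Rapid7 code. Comparison follows the
usual advisory convention: a fix carrying a hotfix suffix (11.1.10-h25) covers
only that maintenance release at or above that hotfix; a fix without a suffix
(11.2.12) covers that release and every later release in the same train.
"""
import re
from dataclasses import dataclass

# Fixed versions as listed on this page. pending=True marks entries that only
# had an ETA (05/28/2026) when this page was written; they are not treated as
# fixed until released (flip the flag when they ship).
FIXED_VERSIONS = {
    "12.1": [("12.1.7", True)],
    "11.2": [("11.2.7-h13", False), ("11.2.10-h6", False), ("11.2.12", True)],
    "11.1": [("11.1.6-h32", False), ("11.1.10-h25", False), ("11.1.13-h5", False),
             ("11.1.7-h6", True), ("11.1.15", True)],
    "10.2": [("10.2.10-h36", False), ("10.2.18-h6", False),
             ("10.2.7-h34", True), ("10.2.13-h21", True), ("10.2.16-h7", True)],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass(frozen=True, order=True)
class PanosVersion:
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when there is no -hN suffix

    @classmethod
    def parse(cls, text):
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised PAN-OS version: {text!r}")
        major, minor, maint, hotfix = m.groups()
        return cls(int(major), int(minor), int(maint), int(hotfix or 0))

    @property
    def train(self):
        return f"{self.major}.{self.minor}"


def covered_by(installed, fix):
    """True if `fix` remediates `installed` under the advisory convention."""
    if installed.train != fix.train:
        return False
    if fix.hotfix:
        # Hotfix-only fix: same maintenance release, hotfix at or above.
        return installed.maint == fix.maint and installed.hotfix >= fix.hotfix
    # Plain maintenance release: it and everything later in the train.
    return installed.maint >= fix.maint


def assess(version_text):
    """Classify one installed version.

    Returns (status, fix). status is 'fixed', 'vulnerable' or
    'unsupported_train' (a train absent from the table, e.g. an end-of-life
    release, which this page says needs an upgrade to a supported fixed train).
    For 'vulnerable', fix is the nearest fix at or above the installed
    maintenance release, preferring released over pending ones; pending fixes
    are suffixed ' (pending)'.
    """
    v = PanosVersion.parse(version_text)
    table = FIXED_VERSIONS.get(v.train)
    if table is None:
        return "unsupported_train", None
    parsed = [(PanosVersion.parse(f), f, pending) for f, pending in table]
    for fix, text, pending in parsed:
        if not pending and covered_by(v, fix):
            return "fixed", text
    candidates = sorted(
        ((pending, fix, text) for fix, text, pending in parsed if fix.maint >= v.maint),
        key=lambda c: (c[0], c[1]),
    )
    if not candidates:
        return "vulnerable", None
    pending, _, text = candidates[0]
    return "vulnerable", text + (" (pending)" if pending else "")


def triage(versions):
    """Assess a fleet; `versions` maps hostname to its sw-version string."""
    return {host: assess(ver) for host, ver in versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames), not real devices.
    sample = {
        "fw-edge-01": "11.1.10-h20",
        "fw-edge-02": "11.1.13-h5",
        "fw-dc-01": "10.2.9",
        "panorama-01": "12.1.3",
        "fw-legacy": "10.1.14-h9",
    }
    for host, (status, fix) in triage(sample).items():
        print(f"{host:12} {sample[host]:14} {status:18} {fix or ''}")
```

Feed `triage` the `sw-version` values collected from `show system info` across the fleet; devices reported as `vulnerable` with a released fix go into the immediate patch queue, those with a `(pending)` fix need the network-level compensating controls from the resolution path until their release ships, and `unsupported_train` devices need a train upgrade rather than a hotfix.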
Resolution path
- IMMEDIATE — For all PA-Series, VM-Series, and Panorama appliances with CAS enabled on a login interface: upgrade PAN-OS to a fixed version on an emergency basis
- PAN-OS 12.1: Upgrade to >= 12.1.7 (ETA 05/28/2026) — apply network-level mitigations if patch not yet available
- PAN-OS 11.2: Upgrade to >= 11.2.7-h13 OR >= 11.2.10-h6 (available 05/13) OR >= 11.2.12 (ETA 05/28)
- PAN-OS 11.1: Upgrade to >= 11.1.6-h32 OR >= 11.1.10-h25 OR >= 11.1.13-h5 (available 05/13) OR >= 11.1.7-h6 or >= 11.1.15 (ETA 05/28)
- PAN-OS 10.2: Upgrade to >= 10.2.10-h36 OR >= 10.2.18-h6 (available 05/13) OR >= 10.2.13-h21, >= 10.2.16-h7, or >= 10.2.7-h34 (ETA 05/28)
- For older unsupported PAN-OS versions: upgrade to a current supported fixed version — no hotfix available for end-of-life versions
- Do NOT rely on workarounds as primary mitigation — Rapid7 strongly advises patching over workarounds due to discrepancies between vendor and researcher severity assessments
- For version streams where patches are not yet available (ETA 05/28): restrict network access to management interfaces and CAS-enabled login portals at the network perimeter as temporary compensating control
Prevention
- Restrict network access to PAN-OS management interfaces to trusted management networks only — never expose management interfaces directly to the internet regardless of authentication method
- Audit and minimize use of Cloud Authentication Service (CAS) on login interfaces: enable CAS only where explicitly required and remove from internet-facing interfaces where not operationally necessary
- Establish rapid patch deployment process for PAN-OS: maintain tested emergency upgrade procedure for all firewall and Panorama appliances given PAN-OS is a frequent threat actor target
- Subscribe to Palo Alto Networks security advisories and Rapid7/CISA threat intelligence feeds for early warning of newly disclosed PAN-OS vulnerabilities
Tools
- Rapid7 Exposure Command (CVE-2026-0265 exposure assessment)
- Rapid7 InsightVM (CVE-2026-0265 vulnerability scanning)
- Rapid7 Nexpose (CVE-2026-0265 vulnerability scanning)
- PAN-OS management UI — Device > Software (patch installation and version management)
- PAN-OS CLI — show system info, request system software install, save config to