National CERT Pakistan has issued a cybersecurity advisory warning organizations about the active exploitation of a critical vulnerability in the Palo Alto Networks GlobalProtect VPN solution. The flaw, tracked as CVE-2026-0257, affects the GlobalProtect portal and gateway components running on PAN-OS software and may allow unauthenticated attackers to bypass security controls and establish unauthorized VPN sessions.
According to the advisory, the vulnerability is already being exploited in real-world attacks and has been listed in the Known Exploited Vulnerabilities (KEV) catalog, increasing the urgency for immediate remediation.
The advisory states that successful exploitation could give attackers an initial foothold inside enterprise and critical infrastructure networks. National CERT warned that government institutions, financial organizations, telecom operators, and private enterprises using GlobalProtect are at elevated risk. The flaw is particularly dangerous because it requires no user interaction or authentication, making exposed systems vulnerable to silent compromise.
Cybersecurity officials highlighted multiple potential impacts of a successful attack, including unauthorized network access, lateral movement within internal systems, data theft, credential theft, and long-term persistent access to compromised environments. The advisory further noted that attacks targeting VPN infrastructure could also trigger operational disruptions and pose cascading risks across interconnected government and enterprise systems.
National CERT has urged all organizations to immediately upgrade affected PAN-OS deployments to vendor-patched versions and apply all recommended mitigations. These include enforcing multi-factor authentication (MFA), restricting GlobalProtect access to trusted IP ranges, enabling enhanced VPN logging, and monitoring active sessions for suspicious behavior.
Organizations have also been advised to conduct threat hunting for indicators of compromise, including unusual IP activity, abnormal login patterns, and VPN sessions that lack corresponding authentication records.
The advisory further recommends strengthening incident response capabilities by correlating VPN, firewall, and authentication logs, isolating potentially compromised systems, and rotating credentials where necessary. National CERT emphasized that any suspected exploitation or anomalous VPN activity should be reported immediately through official incident response channels, stressing that rapid patching and continuous monitoring are critical to preventing unauthorized access to sensitive networks.
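The hunt for VPN sessions that lack corresponding authentication records, and the correlation of VPN and authentication logs recommended above, can be sketched as follows. This is an added example, not code from the advisory or from Palo Alto Networks; the record layout, field names and sample data are constructed for illustration and would need mapping to the fields of your own log exports.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real PAN-OS output; field names are hypothetical).
AUTH_LOG = [
    {"time": "2026-01-10T08:00:05", "user": "alice", "src_ip": "203.0.113.10", "result": "success"},
    {"time": "2026-01-10T08:14:40", "user": "bob", "src_ip": "198.51.100.7", "result": "failure"},
    {"time": "2026-01-10T09:30:00", "user": "carol", "src_ip": "203.0.113.44", "result": "success"},
]
VPN_SESSIONS = [
    {"start": "2026-01-10T08:00:09", "user": "alice", "src_ip": "203.0.113.10"},
    {"start": "2026-01-10T08:15:02", "user": "bob", "src_ip": "198.51.100.7"},   # only a failed auth
    {"start": "2026-01-10T09:31:10", "user": "carol", "src_ip": "192.0.2.99"},   # auth came from another IP
    {"start": "2026-01-10T11:02:33", "user": "dave", "src_ip": "192.0.2.150"},   # no auth record at all
]

NO_AUTH = "no successful auth for user"
MISMATCH = "user authenticated, but not from this IP within window"

def index_successful_auths(auth_log):
    """Map (user, src_ip) -> list of successful authentication times."""
    index = {}
    for rec in auth_log:
        if rec["result"] == "success":
            key = (rec["user"].lower(), rec["src_ip"])
            index.setdefault(key, []).append(datetime.fromisoformat(rec["time"]))
    return index

def find_unauthenticated_sessions(sessions, auth_log, window=timedelta(minutes=5)):
    """Return sessions with no successful auth for the same user and source IP
    in the `window` immediately before the session started."""
    index = index_successful_auths(auth_log)
    users_with_auth = {user for (user, _ip) in index}
    findings = []
    for s in sessions:
        start = datetime.fromisoformat(s["start"])
        user = s["user"].lower()
        times = index.get((user, s["src_ip"]), [])
        if any(timedelta(0) <= start - t <= window for t in times):
            continue  # session is backed by a matching authentication event
        # Separate the two cases so triage can prioritise sessions with no auth at all.
        reason = MISMATCH if user in users_with_auth else NO_AUTH
        findings.append({**s, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_unauthenticated_sessions(VPN_SESSIONS, AUTH_LOG):
        print(f["start"], f["user"], f["src_ip"], "->", f["reason"])
```

The five-minute window is an assumption; set it to the longest gap you expect between a successful login and session establishment in your environment.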





