PAN-OS: Authentication Bypass with Cloud Authentication Service (CAS) enabled

Plan Patch | CVSS 9.2 | CVE-2026-0265 | May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

An authentication bypass vulnerability in PAN-OS and Prisma Access software allows an unauthenticated attacker with network access to bypass authentication controls when Cloud Authentication Service (CAS) is enabled on the management interface. The vulnerability affects PAN-OS on PA-Series and VM-Series firewalls and Panorama (virtual and M-Series). Cloud NGFW is not impacted. The risk is significantly reduced if management interface access is restricted to only trusted internal IP addresses, which is industry best practice.

What this means
What could happen
An unauthenticated attacker with network access to your firewall's management interface could bypass authentication and gain full control of the device, allowing them to alter security policies, disable protections, or redirect traffic. This directly threatens your network security posture and operational continuity.
Who's at risk
Organizations running Palo Alto Networks PAN-OS on PA-Series or VM-Series firewalls, Panorama appliances, or Prisma Access with Cloud Authentication Service enabled are at risk. The risk is highest for deployments where the management interface is internet-facing or accessible from untrusted networks. Water utilities, electric utilities, and other critical infrastructure operators relying on these firewalls for network segmentation and access control are especially vulnerable.
How it could be exploited
An attacker sends a specially crafted request to the management web interface (typically port 443) when Cloud Authentication Service (CAS) is enabled. The vulnerability allows the attacker to bypass the authentication check entirely and gain administrative access without valid credentials. If the management interface is exposed to the internet or untrusted networks, exploitation is trivial.
Prerequisites
  • Network access to the management interface (usually HTTPS port 443)
  • Cloud Authentication Service (CAS) must be enabled on the management interface
  • Management interface must be reachable from the attacker's network location
  • remotely exploitable
  • no authentication required
  • affects firewall management plane (security-critical)
  • high CVSS score (9.2)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
PAN-OS | Below 12.1.4-h5 | 12.1.4-h5+
PAN-OS | Below 12.1.7 | 12.1.7 (ETA: 05/28)+
Prisma Access | Below 11.2.4-h17 | 11.2.4-h17 (ETA: 05/28)+
Prisma Access | Below 11.2.7-h13 | 11.2.7-h13+
Prisma Access | Below 11.2.10-h6 | 11.2.10-h6+
Prisma Access | Below 11.2.12 | 11.2.12 (ETA: 05/28)+
Remediation & Mitigation
Do now
PAN-OS
HARDENING: If your Threat Prevention subscription is active and PAN-OS version is 11.2 or later, enable Threat ID 510008 to detect exploitation attempts
All products
HARDENING: Restrict network access to the management interface to only trusted internal IP addresses using firewall rules or network ACLs
WORKAROUND: As a temporary workaround, disable Cloud Authentication Service (CAS) and switch to SAML, RADIUS, or another supported authentication method
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PAN-OS
HOTFIX: Update PAN-OS to version 12.1.4-h5 or later (or 12.1.7 or later if using that branch)
Prisma Access
HOTFIX: Update Prisma Access to the fixed version for your branch (11.2.4-h17, 11.2.7-h13, 11.2.10-h6, or 11.2.12 depending on your current version)
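
Added example (not part of the advisory or any vendor tooling): a Python check that compares device versions against the fixed versions in the affected products table, including the -hN hotfix suffix. The inventory entries are constructed, and matching a device only against fixes on its own major.minor train is an assumption about how the table is meant to be read.

```python
import re

# Fixed versions copied from the advisory's "Affected products" table.
FIXED = {
    "PAN-OS": ["12.1.4-h5", "12.1.7"],
    "Prisma Access": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
}

def parse(version):
    """'12.1.4-h5' -> (12, 1, 4, 5); a release with no hotfix gets hotfix 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def status(product, version):
    """Return 'fixed', 'below-fix' or 'not-listed' for one device."""
    v = parse(version)
    # Assumption: only fixes on the device's own major.minor train apply.
    train = [f for f in map(parse, FIXED.get(product, [])) if f[:2] == v[:2]]
    if not train:
        return "not-listed"  # the advisory table has no row for this train
    for f in train:
        if f[:3] == v[:3]:  # same maintenance release: compare hotfix numbers
            return "fixed" if v[3] >= f[3] else "below-fix"
    # No hotfix row for this maintenance release: only the newest fix counts.
    return "fixed" if v >= max(train) else "below-fix"

def needs_update(inventory):
    """Names of devices whose version is below the fix for their branch."""
    return [name for name, product, version in inventory
            if status(product, version) == "below-fix"]

# Constructed inventory (hypothetical device names and versions).
INVENTORY = [
    ("fw-edge-01", "PAN-OS", "12.1.4-h3"),
    ("fw-edge-02", "PAN-OS", "12.1.4-h5"),
    ("fw-plant-01", "PAN-OS", "12.1.6"),
    ("panorama-01", "PAN-OS", "11.1.6"),
    ("prisma-a", "Prisma Access", "11.2.10-h6"),
    ("prisma-b", "Prisma Access", "11.2.7-h2"),
]

if __name__ == "__main__":
    for name, product, version in INVENTORY:
        print(f"{name:12} {product:14} {version:12} {status(product, version)}")
```

A below-fix result matters only where CAS is enabled on the management interface; not-listed means the table has no row for that release train, not that the device is unaffected.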
API: /api/v1/advisories/0bdeaa0e-59e7-492c-9d48-f007df9e98d1
