Four days. That is the window between public disclosure and confirmed exploitation for CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS. Today’s brief covers three stories that converge on a single operational reality: perimeter devices, identity platforms, and kernel-level infrastructure are all under pressure at the same time, and the organizations that survive weeks like this are the ones with patching discipline and fallback plans that actually work.

In the News

PAN-OS Authentication Bypass CVE-2026-0257 Exploited in the Wild

Palo Alto Networks disclosed CVE-2026-0257 — an authentication bypass affecting PAN-OS firewall management interfaces — and exploitation followed within four days. This is a separate vulnerability from the PAN-OS DNS parsing flaw (CVE-2026-0263) and IKEv2 buffer overflow (CVE-2026-0264) disclosed the previous week. The authentication bypass allows unauthenticated remote access to the management plane, meaning an attacker does not need credentials, an exploit chain, or any prior foothold — just network reachability to the management interface.

The operational consequence is straightforward: any PAN-OS device with a management interface reachable from untrusted networks is an immediate target. Threat actors are scanning for exposed management interfaces and exploiting CVE-2026-0257 to gain administrative control. From there, the attacker owns the firewall — policy modification, VPN credential extraction, and traffic interception are all on the table.

This is the third PAN-OS advisory in two weeks. Organizations running PAN-OS need to confirm they have patched all three CVEs (0257, 0263, 0264) and verify that management interfaces are restricted to out-of-band access only. If your management plane is internet-facing, assume it has been probed. Review access logs for authentication anomalies dating back to at least the disclosure date.

What defenders should do: Patch CVE-2026-0257 immediately. Restrict management interface access to dedicated out-of-band management networks. Audit firewall management access logs for unauthenticated sessions since disclosure. Confirm CVE-2026-0263 and CVE-2026-0264 patches are also applied.

Microsoft MFA Enrollment and My Sign-Ins Platform Outage

Microsoft confirmed an ongoing outage affecting its MFA enrollment infrastructure and the My Sign-Ins self-service portal. The outage blocks new MFA factor registrations and credential recovery workflows. Existing users with previously enrolled factors can still complete MFA prompts, but any organization in the middle of onboarding new users, rolling out phishing-resistant MFA, or completing a zero-trust architecture deployment that depends on Entra ID is effectively stalled.

The broader lesson is about identity provider resilience. A single-provider dependency for authentication enrollment creates a single point of failure. This is not a security vulnerability — it is an availability failure — but the operational impact on security posture is real. Organizations that cannot enroll new users into MFA are forced to either delay onboarding or create temporary exceptions, both of which introduce risk.

What defenders should do: Monitor the Microsoft 365 Service Health dashboard for resolution. If you are mid-rollout on MFA enrollment, document which users are blocked and prioritize their enrollment once the platform recovers. Evaluate whether your enrollment workflow has a fallback path that does not depend on a single identity provider’s availability.

19-Year-Old Linux Kernel Privilege Escalation — PoC Now Public

A privilege escalation vulnerability in the Linux kernel’s CIFS (Common Internet File System) subsystem has been present since 2007 and now has a public proof-of-concept exploit. Dubbed “CIFSwitch” by the researcher, the flaw allows any low-privileged local user to escalate to root. The attack surface is enormous: enterprise Linux servers, container hosts (where kernel exploits escape container boundaries), cloud VMs, and the Linux-based operating systems running on most network appliances.

This is a local privilege escalation, not a remote code execution — an attacker needs an existing low-privilege foothold first. But that is precisely the post-compromise scenario that defense-in-depth is supposed to address. A compromised web application, a stolen SSH key, or a container breakout all provide the initial foothold. CIFSwitch converts that foothold into full root access.

The 19-year dormancy period is a reminder that kernel attack surface accumulates silently. Organizations that assume their Linux hosts are hardened because they passed a CIS benchmark scan last quarter are operating on an assumption, not a defense. Kernel patching cadence — especially on container hosts and appliances where OS updates are often deferred — is the primary control here.

What defenders should do: Prioritize kernel patching across all Linux assets. Pay special attention to container hosts and network appliances where kernel updates are frequently deferred. Deploy EDR agents on Linux workloads that monitor for privilege escalation syscall patterns. Review whether the CIFS kernel module is loaded on systems that do not need it — unloading unused kernel modules reduces attack surface.
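The last recommendation above (and the matching Defender Action Item) is to find out whether the CIFS module is loaded on hosts that never mount SMB shares and unload it. The script below is an added example for this brief, not a kernel, distro or vendor tool: it reads the /proc/modules format (name, size, refcount, users, state, address), reports whether each denied module is loaded and whether `modprobe -r` would succeed (refcount 0), lists the helper modules that become orphaned once it goes, and emits the modprobe.d stanza that keeps it out after reboot. SAMPLE_PROC_MODULES is a constructed excerpt rather than output captured from a real host; `read_proc_modules()` reads the live file.

```python
"""Audit loaded Linux kernel modules against a deny list such as {"cifs"}.

Added example for this brief; it is not a kernel, distro or vendor tool.
It reads the /proc/modules format (name, size, refcount, users, state,
address). SAMPLE_PROC_MODULES below is a constructed excerpt, not output
captured from a real host; read_proc_modules() reads the live file.
"""
from typing import Dict, List, NamedTuple, Set


class Module(NamedTuple):
    name: str
    size: int
    refcount: int        # third column: holders (dependent modules, mounts, open users)
    used_by: List[str]   # fourth column: modules that depend on this one


# Constructed sample in /proc/modules layout: cifs is loaded but idle, and
# four helper modules exist only because cifs pulled them in.
SAMPLE_PROC_MODULES = """\
cifs 1441792 0 - Live 0xffffffffc0c00000
cifs_arc4 16384 1 cifs, Live 0xffffffffc0b00000
cifs_md4 16384 1 cifs, Live 0xffffffffc0a00000
fscache 385024 1 cifs, Live 0xffffffffc0900000
netfs 61440 2 cifs,fscache, Live 0xffffffffc0800000
xt_conntrack 16384 4 - Live 0xffffffffc0700000
"""


def parse_proc_modules(text: str) -> Dict[str, Module]:
    """Parse /proc/modules text into a name -> Module map."""
    mods: Dict[str, Module] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        name, size, refcount, users = parts[:4]
        # The users column is "-" or a comma-separated list with a trailing comma.
        used_by = [u for u in users.split(",") if u and u != "-"]
        mods[name] = Module(name, int(size), int(refcount), used_by)
    return mods


def read_proc_modules(path: str = "/proc/modules") -> Dict[str, Module]:
    with open(path, encoding="ascii") as fh:
        return parse_proc_modules(fh.read())


def orphaned_helpers(mods: Dict[str, Module], root: str) -> List[str]:
    """Modules that would have no remaining users once `root` is unloaded.

    Computed transitively: a module is orphaned when every module using it
    is already in the removal set. Modules with a refcount but no module
    users (held by a mount or an open socket) are never considered orphaned.
    """
    removed: Set[str] = {root}
    changed = True
    while changed:
        changed = False
        for m in mods.values():
            if m.name not in removed and m.used_by and set(m.used_by) <= removed:
                removed.add(m.name)
                changed = True
    removed.discard(root)
    return sorted(removed)


def audit(mods: Dict[str, Module], deny: Set[str]) -> List[dict]:
    """Report, for each denied module, whether it is loaded and safely removable."""
    findings = []
    for name in sorted(deny):
        m = mods.get(name)
        if m is None:
            findings.append({"module": name, "loaded": False, "removable": False, "helpers": []})
            continue
        findings.append({
            "module": name,
            "loaded": True,
            # refcount 0 means nothing holds it, so `modprobe -r` will succeed;
            # a mounted share or a dependent module keeps the count above 0.
            "removable": m.refcount == 0,
            "helpers": orphaned_helpers(mods, name),
        })
    return findings


def modprobe_disable_config(name: str) -> str:
    """Contents for /etc/modprobe.d/<name>.conf that keep the module out after reboot."""
    return (
        f"# Added by the module audit: {name} is not needed on this host\n"
        f"install {name} /bin/false\n"   # an explicit `modprobe <name>` now fails instead of loading
        f"blacklist {name}\n"            # no automatic load via alias matching
    )


if __name__ == "__main__":
    for finding in audit(parse_proc_modules(SAMPLE_PROC_MODULES), {"cifs", "nfs"}):
        print(finding)
    print(modprobe_disable_config("cifs"), end="")
```

On a live host, a `removable` result of True is the cue to run `modprobe -r cifs` (the orphaned helpers can follow) and to drop the generated stanza into /etc/modprobe.d/; a refcount above zero usually means an SMB share is still mounted, and unmounting it is the prerequisite. The `install ... /bin/false` line is what makes the change stick, since blacklisting alone only blocks alias-based autoloading.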

Defender Action Items

  • Patch CVE-2026-0257 on all PAN-OS devices immediately. Confirm CVE-2026-0263 and CVE-2026-0264 are also applied. Restrict management interfaces to out-of-band networks.
  • Audit MFA enrollment status for any users onboarded during the Microsoft outage window. Ensure no temporary authentication exceptions remain in place after the platform recovers.
  • Prioritize Linux kernel patching across servers, container hosts, and Linux-based appliances. Unload the CIFS kernel module on systems that do not require it.
  • Scan internal npm registries for the malicious codexui-android package. Review developer workstations for exfiltrated OpenAI Codex tokens if the package was installed.

Detection Queries

The following Splunk SPL query identifies unauthenticated or anomalous access attempts to PAN-OS management interfaces — useful for hunting exploitation of CVE-2026-0257 in environments forwarding PAN-OS system logs to Splunk:

index=pan_logs sourcetype="pan:system" log_subtype="auth"
| search result="failure" OR user="unknown" OR user=""
| stats count by src_ip, dest_ip, action, result
| where count > 5
| sort -count
| table src_ip, dest_ip, action, result, count

This query surfaces repeated authentication failures and anonymous access attempts against PAN-OS management endpoints. Tune the threshold (count > 5) to your environment’s baseline. Any src_ip originating from outside your management network is a high-fidelity indicator of unauthorized access attempts.
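For environments that do not forward PAN-OS system logs to Splunk, or to sanity-check the query's logic offline, here is the same hunt as a standalone Python script. It is an added example, not Palo Alto or Splunk code: it applies the query's predicate (failure, or no usable user identity), groups by src_ip, dest_ip, action and result, keeps groups above the threshold, sorts by count, and additionally flags sources outside the management network as the prose above suggests. SAMPLE_LOGS and MGMT_NETS are constructed values in a simplified key=value layout; real PAN-OS system logs are CSV and need the vendor's field mapping before the field names used here exist.

```python
"""Offline hunt for repeated or anonymous management-plane auth attempts.

Added example mirroring the brief's Splunk query; it is not Palo Alto or
Splunk code. SAMPLE_LOGS is constructed in a simplified key=value layout
(the field names follow the query: src_ip, dest_ip, user, action, result).
Real PAN-OS system logs are CSV and need the vendor's field mapping first.
"""
import ipaddress
import shlex
from collections import Counter
from typing import Dict, Iterable, List

# Out-of-band management ranges (assumed values; substitute your own).
MGMT_NETS = [ipaddress.ip_network("10.0.99.0/24")]

# Constructed sample: 7 failures from an internet host, 6 anonymous logins
# from a second external host, 2 failures plus normal activity from inside.
SAMPLE_LOGS: List[str] = (
    [f"log_subtype=auth src_ip=203.0.113.45 dest_ip=10.0.99.1 user=admin "
     f"action=login result=failure seq={i}" for i in range(7)]
    + [f'log_subtype=auth src_ip=198.51.100.9 dest_ip=10.0.99.1 user="" '
       f"action=login result=success seq={i}" for i in range(6)]
    + [f"log_subtype=auth src_ip=10.0.99.5 dest_ip=10.0.99.1 user=netops "
       f"action=login result=failure seq={i}" for i in range(2)]
    + ["log_subtype=auth src_ip=10.0.99.7 dest_ip=10.0.99.1 user=netops "
       "action=login result=success seq=0",
       "log_subtype=general src_ip=10.0.99.7 dest_ip=10.0.99.1 user=netops "
       "action=commit result=success seq=1"]
)


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; a quoted empty value becomes ''."""
    event: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def is_anomalous(event: Dict[str, str]) -> bool:
    """Same predicate as the SPL: a failure, or no usable user identity."""
    return event.get("result") == "failure" or event.get("user", "") in ("", "unknown")


def outside_mgmt(ip: str, nets=MGMT_NETS) -> bool:
    """True when the source is not inside any management range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in nets)


def hunt(lines: Iterable[str], mgmt_nets=MGMT_NETS, threshold: int = 5) -> List[dict]:
    """Aggregate anomalous auth events by (src, dest, action, result) and keep
    the groups with more than `threshold` events, most frequent first."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.get("log_subtype") != "auth" or not is_anomalous(ev):
            continue
        key = (ev["src_ip"], ev["dest_ip"], ev.get("action", ""), ev.get("result", ""))
        counts[key] += 1
    findings = [
        {"src_ip": src, "dest_ip": dst, "action": action, "result": result,
         "count": n, "outside_mgmt": outside_mgmt(src, mgmt_nets)}
        for (src, dst, action, result), n in counts.items() if n > threshold
    ]
    findings.sort(key=lambda f: (-f["count"], f["src_ip"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Note that the anonymous-login source shows `result=success`: the query deliberately keys on the missing identity rather than the result, because an authentication bypass produces sessions that look successful. The `outside_mgmt` flag is the triage field; on a correctly segmented device it should never be True.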

