Palo Alto GlobalProtect VPN Under Active Attack: CVE-2026-0257 Auth Bypass Lets Hackers In [Patch Now]


Palo Alto Networks has confirmed that CVE-2026-0257, a high-severity (CVSS 7.8) authentication bypass vulnerability in GlobalProtect VPN, is under active exploitation in the wild. With attack complexity rated Low, the flaw lets an unauthenticated attacker establish an unauthorized VPN connection to a corporate network with no credentials, no user interaction, and no special access required.


What Is CVE-2026-0257?

CVE-2026-0257 is a high-severity authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of Palo Alto Networks’ PAN-OS software. Published on May 13, 2026 and updated May 29, the vulnerability was discovered internally by Palo Alto Networks’ security research teams before being confirmed as actively exploited.

The vulnerability is classified under CWE-565: Reliance on Cookies without Validation and Integrity Checking, mapped to CAPEC-114 Authentication Abuse. The authentication mechanism trusts cookies that can be forged or manipulated by an attacker without proper integrity verification.

Key Vulnerability Metrics

  • CVSS Score: 7.8 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Exploit Status: Actively Exploited (ATTACKED)
  • Weakness: CWE-565

The CVSS vector reveals something critical: while direct confidentiality impact is rated “Low,” the Subsequent Confidentiality and Subsequent Integrity impacts are both rated “HIGH.” The initial bypass is just the entry point — once an attacker establishes an unauthorized VPN connection, they can pivot to access sensitive internal systems with devastating effect.

How the GlobalProtect Authentication Bypass Works

The vulnerability stems from a flaw in how GlobalProtect handles authentication override cookies. When a user authenticates successfully, the portal issues a cookie that lets the client reconnect without re-authenticating for a configured period. Because of CVE-2026-0257 (CWE-565), the portal and gateway accept such a cookie without adequately verifying its integrity, so an attacker can present a forged cookie without ever holding valid credentials.

The attack chain:

  1. Attacker identifies an internet-facing GlobalProtect portal/gateway running a vulnerable PAN-OS version with authentication override cookies enabled.
  2. Attacker crafts a malicious authentication override cookie exploiting the CWE-565 weakness.
  3. The forged cookie is presented to the GlobalProtect portal/gateway.
  4. The system accepts the cookie and establishes a VPN tunnel without requiring credentials.
  5. Attacker now has network-level access to internal resources.

Affected Versions and Products

Product            | Affected Versions                  | Fixed In
PAN-OS 12.1        | < 12.1.4-h6, < 12.1.7              | ≥ 12.1.4-h6 or ≥ 12.1.7
PAN-OS 11.2        | < 11.2.4-h17 through < 11.2.12     | Various hotfixes or ≥ 11.2.12
PAN-OS 11.1        | < 11.1.4-h33 through < 11.1.15     | Various hotfixes or ≥ 11.1.15
PAN-OS 10.2        | < 10.2.7-h34 through < 10.2.18-h6  | Various hotfixes or ≥ 10.2.18-h6
Prisma Access 11.2 | < 11.2.7-h13                       | ≥ 11.2.7-h13
Prisma Access 10.2 | < 10.2.10-h36                      | ≥ 10.2.10-h36
Cloud NGFW         | Not affected                       | No action needed
Panorama           | Not affected                       | No action needed

How to Check If You’re Vulnerable

Step 1: Check Your PAN-OS Version

Navigate to Device > Software in your PAN-OS management interface and verify whether your version falls within the affected ranges.

Step 2: Check Whether Authentication Override Cookies Are Enabled

For GlobalProtect Portal: Navigate to Network > GlobalProtect > Portals > Agent > Agent Configuration > Authentication tab. Check whether “Generate cookie for authentication override” or “Accept cookie for authentication override” is checked.

For GlobalProtect Gateway: Navigate to Network > GlobalProtect > Gateways > Agent > Client Settings > Authentication Override tab. Check whether “Accept cookie for authentication override” is checked.

If both conditions are met (vulnerable version + cookies enabled), your organization is at immediate risk.
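To apply the two checks above mechanically across a fleet, here is an added Python checker (example code, not from Palo Alto Networks or this article). It parses PAN-OS-style version strings including -hN hotfix suffixes, encodes only the thresholds the table states, reports "check-advisory" where the table merely says "Various hotfixes" rather than guessing, and combines the result with the cookie setting.

```python
import re
# Parse "11.2.4-h17" -> (11, 2, 4, 17). A release without a hotfix suffix gets 0,
# so plain tuple comparison gives 12.1.4 < 12.1.4-h6 < 12.1.5.
def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

# Per-train thresholds copied from the advisory table: (first fixed hotfix, fully
# fixed release, whether the table says further unnamed "Various hotfixes" exist).
TRAINS = {
    ("PAN-OS", (12, 1)): ((12, 1, 4, 6), (12, 1, 7, 0), False),
    ("PAN-OS", (11, 2)): ((11, 2, 4, 17), (11, 2, 12, 0), True),
    ("PAN-OS", (11, 1)): ((11, 1, 4, 33), (11, 1, 15, 0), True),
    ("PAN-OS", (10, 2)): ((10, 2, 7, 34), (10, 2, 18, 6), True),
    ("Prisma Access", (11, 2)): ((11, 2, 7, 13), (11, 2, 7, 13), False),
    ("Prisma Access", (10, 2)): ((10, 2, 10, 36), (10, 2, 10, 36), False),
}
NOT_AFFECTED = {"Cloud NGFW", "Panorama"}

def version_status(product, version):
    """'fixed', 'vulnerable', 'check-advisory', 'not-affected' or 'unknown-train'."""
    if product in NOT_AFFECTED:
        return "not-affected"
    v = parse_version(version)
    train = TRAINS.get((product, v[:2]))
    if train is None:
        return "unknown-train"      # train not in the table: do not assume it is safe
    first_hotfix, fixed_release, other_hotfixes = train
    if v >= fixed_release:
        return "fixed"
    if v < first_hotfix:
        return "vulnerable"
    if v[:3] == first_hotfix[:3]:
        return "fixed"              # same maintenance release, hotfix at or above the fix
    return "check-advisory" if other_hotfixes else "vulnerable"

def risk_verdict(product, version, override_cookies_enabled):
    # The article's test: vulnerable build AND override cookies enabled = immediate risk.
    status = version_status(product, version)
    if status in ("fixed", "not-affected"):
        return "not-exposed"
    if status == "unknown-train":
        return "unknown"
    if not override_cookies_enabled:
        return "mitigated-by-config"   # still patch: the setting can be re-enabled later
    return "immediate-risk" if status == "vulnerable" else "verify-hotfix"
```

A "verify-hotfix" result means the build sits in a maintenance release for which the table only says "Various hotfixes", so confirm the exact fixed hotfix in the vendor advisory before treating it as patched.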

Emergency Mitigation Steps

Option 1: Use a Dedicated Certificate

Configure a dedicated certificate exclusively for authentication override cookies. Do not reuse the portal/gateway certificate or share it with other features.

Option 2: Disable Authentication Override Entirely

Uncheck “Generate cookie for authentication override” in Portal configuration and “Accept cookie for authentication override” in both Portal and Gateway configurations. This forces all users to re-authenticate on every connection.

How to Patch Palo Alto GlobalProtect

  1. Download the fixed version from the Palo Alto Networks Support Portal under Software Updates.
  2. Back up your configuration: Device > Setup > Operations > Export named configuration snapshot.
  3. Install the update via Device > Software and click Install on the target version.
  4. Reboot the firewall when prompted.

Post-Upgrade Considerations

Critical: After applying the fix, the firewall regenerates authentication override cookies using a more secure method. All GlobalProtect users will need to re-authenticate after the upgrade, even with a valid cookie. This is a one-time requirement — normal cookie behavior resumes afterward. Communicate this to users in advance to prevent help desk overload.

The Bigger Picture: VPN Security in 2026

CVE-2026-0257 joins a growing list of VPN vulnerabilities exploited in the wild in 2026. VPN appliances remain one of the most targeted attack surfaces because they sit at the network perimeter:

  • Ivanti Connect Secure vulnerabilities were mass-exploited in 2024-2025
  • Fortinet FortiClient EMS (CVE-2026-35616) is currently being exploited to spread infostealers
  • Cisco ASA and SonicWall have faced repeated zero-day campaigns

Organizations should consider supplementing traditional VPN with Zero Trust Network Access (ZTNA) solutions that enforce continuous verification rather than relying on a single authentication event and a cookie.

Frequently Asked Questions

Is CVE-2026-0257 being actively exploited?

Yes. Palo Alto Networks has confirmed “limited exploit attempts on unpatched PAN-OS devices without mitigations applied.” The exploit maturity is classified as ATTACKED.

Are Panorama and Cloud NGFW affected?

No. Neither Panorama nor Cloud NGFW are impacted. Only GlobalProtect portal and gateway functionality in PAN-OS is affected.

Can I detect if I’ve already been exploited?

Review GlobalProtect authentication logs for unusual VPN connections from unexpected IP addresses or at unusual times. Look for successful authentication events that don’t correlate with expected user activity.
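As an added illustration of that log review (example code, not from the article or Palo Alto Networks), the script below runs a few heuristics over constructed, simplified login records. The field layout, the 24-hour cookie lifetime, the business-hours window and the expected egress prefixes are all assumptions rather than the real PAN-OS log schema; map your exporter's fields onto them. The core idea follows the article: a cookie-based success is only legitimate if an interactive login recently minted that cookie.

```python
from datetime import datetime, timedelta

# Constructed, simplified login records (NOT the real PAN-OS GlobalProtect log schema):
# timestamp, user, source IP, auth method, result. Map your exporter's fields onto these.
SAMPLE_LOG = """\
2026-06-01T08:02:11 alice 203.0.113.10 ldap success
2026-06-01T12:40:03 alice 203.0.113.10 cookie success
2026-06-02T03:15:42 bob 198.51.100.7 cookie success
2026-06-01T09:10:00 carol 203.0.113.22 saml success
2026-06-03T10:30:00 carol 192.0.2.99 cookie success
"""
COOKIE_LIFETIME = timedelta(hours=24)   # assumed portal override-cookie lifetime
EXPECTED_NETS = ("203.0.113.",)          # constructed allowlist of known egress prefixes
BUSINESS_HOURS = range(7, 20)            # assumed local working window (07:00-19:59)

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, user, ip, method, result = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "ip": ip, "method": method, "result": result})
    return sorted(rows, key=lambda r: r["ts"])

def suspicious_cookie_logins(rows, lifetime=COOKIE_LIFETIME, expected_nets=EXPECTED_NETS):
    """Flag cookie-based successes that no recent interactive login explains."""
    last_interactive = {}   # user -> (ts, ip) of their latest credential-based success
    findings = []
    for r in rows:
        if r["result"] != "success":
            continue
        if r["method"] != "cookie":         # ldap/saml/etc.: the login that mints a cookie
            last_interactive[r["user"]] = (r["ts"], r["ip"])
            continue
        reasons = []
        prior = last_interactive.get(r["user"])
        if prior is None or r["ts"] - prior[0] > lifetime:
            reasons.append("no interactive login within cookie lifetime")
        if prior is not None and prior[1] != r["ip"]:
            reasons.append("cookie used from a different IP than the login that issued it")
        if not r["ip"].startswith(expected_nets):
            reasons.append("source outside expected networks")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append((r["user"], r["ip"], r["ts"].isoformat(), reasons))
    return findings
```

In the constructed sample, alice's cookie login is explained by her morning LDAP login and is not flagged, while bob's and carol's are.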

What if I can’t upgrade immediately?

Apply Option 2 mitigation: disable authentication override cookies entirely in both Portal and Gateway configurations. This eliminates the attack vector without requiring a firmware upgrade.

Will disabling authentication override break VPN connections?

Users will need to re-enter credentials on every connection instead of being automatically re-authenticated via cookie. This increases friction but does not break functionality.

Critical Takeaway on Palo Alto GlobalProtect VPN

Organizations running GlobalProtect should treat CVE-2026-0257 as an immediate priority: confirm your PAN-OS or Prisma Access version against the affected ranges, disable or isolate authentication override cookies if you cannot patch right away, and upgrade to a fixed release as soon as possible. Beyond this one flaw, a durable VPN security posture combines least-privilege network policy, phishing-resistant MFA, active logging and review of authentication events, and regular security audits, so that a single bypassed authentication check does not translate into unrestricted internal access.
