CISA Flags Palo Alto Networks PAN-OS Vulnerability Exploited in Attacks


CISA has added a Palo Alto Networks PAN-OS vulnerability tracked as CVE-2026-0257 to its Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild. The flaw affects GlobalProtect portal and gateway deployments and can let an attacker bypass authentication controls to establish an unauthorized VPN connection.

The issue is documented in the Palo Alto Networks advisory, which says attackers can bypass security restrictions when vulnerable GlobalProtect configurations are in place. The company says Panorama and Cloud NGFW are not affected.

The NVD entry lists CVE-2026-0257 as a critical CVSS 3.1 issue with a 9.1 score, while Palo Alto Networks currently rates it as high severity under CVSS 4.0 with a 7.8 score. CISA added the vulnerability to KEV on May 29, 2026, with a June 1, 2026 remediation deadline for federal civilian agencies.

Why CVE-2026-0257 Matters

GlobalProtect is widely used for remote access to corporate networks. A vulnerability that allows unauthorized VPN access can give attackers a path past the network edge and into internal environments.

The risk rises when affected systems run unpatched PAN-OS versions and still use the vulnerable authentication override configuration. Palo Alto Networks says exploitation has targeted unpatched devices where mitigations were not applied.

Rapid7 said in its analysis of observed exploitation that it saw successful exploitation across multiple customers, with the earliest activity identified on May 17, 2026. The company said it did not see successful lateral movement from the devices in those cases.

Key Details About the PAN-OS Vulnerability

Item | Details
CVE | CVE-2026-0257
Vendor | Palo Alto Networks
Affected component | GlobalProtect portal and gateway in PAN-OS
Main impact | Authentication bypass and unauthorized VPN connection
NVD severity | Critical, CVSS 3.1 score of 9.1
Palo Alto Networks severity | High, CVSS 4.0 score of 7.8
Weakness type | Reliance on cookies without validation and integrity checking
Exploit status | Attacked, according to the vendor advisory
Federal deadline | June 1, 2026, according to the CISA KEV entry

Which PAN-OS Versions Are Affected

The vulnerability affects several PAN-OS branches, including 10.2, 11.1, 11.2, and 12.1, depending on the exact release. Prisma Access 10.2 and 11.2 deployments running vulnerable releases can also be affected.

The vendor advisory lists fixed versions across all affected branches. Administrators should check their exact release and upgrade path rather than assume that a branch-level update alone removes the risk.

The issue also depends on configuration. Palo Alto Networks says exposure requires GlobalProtect portal or gateway to be configured with authentication override cookies enabled and a specific certificate configuration present.

What Attackers Can Do After Exploitation

Successful exploitation can allow an unauthenticated attacker to establish a VPN connection through an affected GlobalProtect gateway. That creates a serious risk because the attacker may appear as a connected remote user.

Rapid7 observed suspicious cookie authentication activity and later saw VPN IP assignment in a second wave of activity. Its research report linked the activity to GlobalProtect authentication override cookie behavior.

Security teams should not assume exploitation always leads to immediate lateral movement. However, unauthorized VPN access can still support credential attacks, internal reconnaissance, data access, and follow-on compromise if other defenses fail.

How Organizations Should Respond

Organizations using Palo Alto Networks firewalls should first identify all GlobalProtect portal and gateway deployments. They should then confirm the PAN-OS version, check whether authentication override cookies are enabled, and review whether the required certificate configuration exists.

  • Upgrade affected PAN-OS releases to the fixed versions listed by Palo Alto Networks.
  • Upgrade Prisma Access deployments according to the vendor’s upgrade schedule.
  • Disable GlobalProtect authentication override cookies if the feature is not required.
  • Use a dedicated certificate for authentication override cookies if the feature remains enabled.
  • Review GlobalProtect authentication logs for unexpected cookie-based logins.
  • Investigate VPN sessions from unfamiliar IP addresses, hosting providers, or impossible travel patterns.
  • Require users to re-authenticate after the update where authentication override cookies are in use.
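The configuration review in the steps above can be scripted against an exported PAN-OS configuration. The following is an added example, not Palo Alto Networks code: it walks a constructed, cut-down XML sketch of a PAN-OS export, reports every GlobalProtect portal or gateway entry that still has authentication override cookies enabled, and notes whether the cookie certificate is also referenced by an SSL/TLS service profile (a sign that it is not the dedicated certificate the vendor recommends). The element names it looks for (authentication-override, generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert, ssl-tls-service-profile) are assumed from typical exports; confirm them against your own device's output before relying on the result.

```python
"""Audit a PAN-OS configuration export for GlobalProtect authentication
override cookie settings. Added example, not Palo Alto Networks code.
SAMPLE_CONFIG is a constructed sketch; element names are assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one portal with cookies on and a certificate shared with
# a TLS service profile, one legacy portal with cookies off, and one gateway
# with cookies on but a dedicated cookie certificate.
SAMPLE_CONFIG = """<config>
  <shared><ssl-tls-service-profile>
    <entry name="gp-tls"><certificate>portal-cert</certificate></entry>
  </ssl-tls-service-profile></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><global-protect>
    <global-protect-portal>
      <entry name="gp-portal"><client-config><configs><entry name="default">
        <authentication-override>
          <generate-cookie>yes</generate-cookie>
          <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
          <cookie-encrypt-decrypt-cert>portal-cert</cookie-encrypt-decrypt-cert>
        </authentication-override>
      </entry></configs></client-config></entry>
      <entry name="gp-portal-legacy"><client-config><configs><entry name="default">
        <authentication-override><generate-cookie>no</generate-cookie></authentication-override>
      </entry></configs></client-config></entry>
    </global-protect-portal>
    <global-protect-gateway>
      <entry name="gp-gateway"><remote-user-tunnel-configs><entry name="default">
        <authentication-override>
          <generate-cookie>no</generate-cookie>
          <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
          <cookie-encrypt-decrypt-cert>gw-cookie-cert</cookie-encrypt-decrypt-cert>
        </authentication-override>
      </entry></remote-user-tunnel-configs></entry>
    </global-protect-gateway>
  </global-protect></entry></vsys></entry></devices>
</config>
"""


@dataclass
class CookieFinding:
    component: str            # "portal" or "gateway"
    name: str                 # entry name in the export
    generate_cookie: bool
    accept_cookie: bool
    cookie_cert: Optional[str]
    cert_shared_with_tls: bool  # same cert also used by an SSL/TLS service profile

    @property
    def cookies_enabled(self) -> bool:
        return self.generate_cookie or self.accept_cookie


def _enabled(elem: Optional[ET.Element]) -> bool:
    # PAN-OS writes plain booleans as yes/no; accept-cookie carries nested
    # lifetime settings instead of text, so a populated element also counts.
    if elem is None:
        return False
    text = (elem.text or "").strip().lower()
    return text == "yes" or (text == "" and len(elem) > 0)


def audit_authentication_override(xml_text: str) -> List[CookieFinding]:
    root = ET.fromstring(xml_text)
    tls_certs = {c.text.strip() for p in root.iter("ssl-tls-service-profile")
                 for c in p.iter("certificate") if c.text}
    findings: List[CookieFinding] = []
    for tag, label in (("global-protect-portal", "portal"), ("global-protect-gateway", "gateway")):
        for container in root.iter(tag):
            for entry in container.findall("entry"):
                for ao in entry.iter("authentication-override"):
                    cert_elem = ao.find("cookie-encrypt-decrypt-cert")
                    cert = cert_elem.text.strip() if cert_elem is not None and cert_elem.text else None
                    findings.append(CookieFinding(
                        label, entry.get("name", "?"),
                        _enabled(ao.find("generate-cookie")), _enabled(ao.find("accept-cookie")),
                        cert, bool(cert) and cert in tls_certs))
    return findings


def exposed_components(findings: List[CookieFinding]) -> List[CookieFinding]:
    """Entries that still generate or accept authentication override cookies."""
    return [f for f in findings if f.cookies_enabled]


if __name__ == "__main__":
    for f in exposed_components(audit_authentication_override(SAMPLE_CONFIG)):
        print(f"{f.component} {f.name}: generate={f.generate_cookie} accept={f.accept_cookie} "
              f"cert={f.cookie_cert} shared_with_tls={f.cert_shared_with_tls}")
```

Run it against a real export (for example, a saved copy of the running configuration) by replacing SAMPLE_CONFIG with the file contents. Entries where cookies are enabled are candidates for disabling the feature; entries where the cookie certificate is shared with a TLS profile are candidates for the dedicated-certificate mitigation. The final exposure determination still comes from the fixed-version and certificate details in the vendor advisory.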

The CISA KEV catalog lists the required action as applying vendor mitigations, following applicable BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.

Why Edge Device Vulnerabilities Remain High Risk

Attackers frequently target VPN gateways, firewalls, and other edge devices because these systems sit between the public internet and internal networks. A single authentication bypass can reduce the value of several other perimeter controls.

These systems also generate valuable sessions, cookies, and access logs. If attackers abuse trusted authentication flows, defenders may need to look beyond simple failed login counts and inspect how sessions were created.

CVE-2026-0257 highlights why organizations need both patch discipline and configuration reviews. A patched device may close the vulnerability, but teams should still review GlobalProtect settings to reduce exposure to similar authentication weaknesses in the future.

What Security Teams Should Hunt For

Security teams should review GlobalProtect logs around May 17, 2026 and later, especially if their devices matched the vulnerable configuration before patching. The first priority should be suspicious cookie-based authentication events.

  • Successful VPN logins using local or administrative accounts that should not use VPN.
  • Cookie authentication from unusual cloud hosting or proxy infrastructure.
  • VPN IP assignments that do not match known user behavior.
  • Unexpected logins from Linux clients, unfamiliar devices, or generic client identifiers.
  • New internal access attempts shortly after suspicious VPN sessions.
  • Repeated access from the same source across multiple environments.
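The hunting signals listed above can be turned into simple rules over GlobalProtect authentication events. The script below is an added example, not code from Rapid7, Palo Alto Networks, or this article. It reads a constructed, simplified CSV (not the real PAN-OS GlobalProtect log schema) and flags cookie-based logins with no earlier interactive portal login for the same user, VPN sessions for accounts that should never hold one, cookie logins from hosting or proxy address space, client OS values that differ from a per-user baseline, and one source address used by several users. The restricted-account list, hosting ranges, and OS baselines are placeholders to be replaced with your own data.

```python
"""Rule-based hunt over constructed GlobalProtect-style authentication logs.
Added example; the CSV layout, tuning lists and sample rows are all
constructed placeholders, not the PAN-OS log format or real data."""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log. alice does a normal interactive portal login and is
# then issued a cookie; svc-backup and bob appear only as cookie logins from
# the same hosting-range address; carol is a failed login and is ignored.
SAMPLE_LOG = """time,user,src_ip,stage,auth_method,client_os,assigned_ip,status
2026-05-17T02:11:05Z,alice,203.0.113.10,portal-auth,LDAP,Windows,,success
2026-05-17T02:11:09Z,alice,203.0.113.10,gateway-auth,cookie,Windows,10.50.0.21,success
2026-05-17T03:40:12Z,svc-backup,198.51.100.77,gateway-auth,cookie,Linux,10.50.0.44,success
2026-05-17T03:41:00Z,bob,198.51.100.77,gateway-auth,cookie,Linux,10.50.0.45,success
2026-05-18T09:02:33Z,carol,203.0.113.55,portal-auth,LDAP,macOS,,failure
"""

# Constructed tuning data (placeholders; replace with your own).
RESTRICTED_ACCOUNTS = {"admin", "svc-backup"}                 # must never hold a VPN session
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # known hosting/proxy space
EXPECTED_CLIENT_OS = {"alice": "Windows", "bob": "Windows"}  # per-user baseline

RULES = {
    "R1": "cookie login with no earlier interactive portal login for this user",
    "R2": "VPN session for a local or administrative account",
    "R3": "cookie login from hosting or proxy infrastructure",
    "R4": "client OS differs from the user's baseline",
    "R5": "same source address used by several users",
}

Finding = Tuple[str, str, str]  # (time, user, rule id)


def _from_hosting(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def hunt(log_text: str) -> List[Finding]:
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    successes = [r for r in rows if r["status"] == "success"]
    users_per_src: Dict[str, set] = defaultdict(set)
    for r in successes:
        users_per_src[r["src_ip"]].add(r["user"])
    seen_interactive = set()  # users with an earlier non-cookie portal login
    findings: List[Finding] = []
    for r in successes:
        user, is_cookie = r["user"], r["auth_method"] == "cookie"
        if not is_cookie and r["stage"] == "portal-auth":
            # an interactive portal login is how a legitimate cookie gets issued
            seen_interactive.add(user)
        if is_cookie and user not in seen_interactive:
            findings.append((r["time"], user, "R1"))
        if user in RESTRICTED_ACCOUNTS:
            findings.append((r["time"], user, "R2"))
        if is_cookie and _from_hosting(r["src_ip"]):
            findings.append((r["time"], user, "R3"))
        if EXPECTED_CLIENT_OS.get(user) not in (None, r["client_os"]):
            findings.append((r["time"], user, "R4"))
        if len(users_per_src[r["src_ip"]]) > 1:
            findings.append((r["time"], user, "R5"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each flagged user to the sorted list of rule ids that fired."""
    hits: Dict[str, set] = defaultdict(set)
    for _, user, rule in findings:
        hits[user].add(rule)
    return {u: sorted(rs) for u, rs in hits.items()}


if __name__ == "__main__":
    for user, rules in summarize(hunt(SAMPLE_LOG)).items():
        print(user, [f"{r}: {RULES[r]}" for r in rules])
```

Rule R1 is the one most directly tied to the weakness described in this article: a cookie that is accepted for a user who never completed an interactive login in the review window deserves a closer look. In practice the log window should start before May 17, 2026, so that legitimate cookies issued earlier are not misreported, and the other rules should be tuned to the organization's own account naming, address space, and client fleet.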

Teams should preserve relevant logs before making major changes if they suspect compromise. They should also rotate credentials for accounts involved in suspicious sessions and review internal systems accessed after any unauthorized VPN connection.

FAQ

What is CVE-2026-0257?

CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway components. It can allow an attacker to bypass security restrictions and establish an unauthorized VPN connection when affected configurations are in place.

Is CVE-2026-0257 being exploited?

Yes. Palo Alto Networks says limited exploit attempts have targeted unpatched PAN-OS devices without mitigations applied. CISA also added the vulnerability to its Known Exploited Vulnerabilities catalog on May 29, 2026.

Which products are affected by CVE-2026-0257?

The vulnerability affects certain PAN-OS 10.2, 11.1, 11.2, and 12.1 releases when GlobalProtect portal or gateway is configured with authentication override cookies and the required certificate configuration. Some Prisma Access 10.2 and 11.2 deployments can also be affected. Panorama and Cloud NGFW are not impacted.

How can organizations fix CVE-2026-0257?

Organizations should upgrade to the fixed PAN-OS versions listed by Palo Alto Networks. As mitigations, they can disable GlobalProtect authentication override cookies or use a dedicated certificate for those cookies if the feature must remain enabled.

What should security teams check after patching?

Security teams should review GlobalProtect authentication logs for suspicious cookie-based logins, unusual VPN sessions, connections from unfamiliar IP ranges, and internal access attempts that followed unexpected VPN activity.
