Palo Alto GlobalProtect Vulnerability (CVE-2026-0257) Under Active Attack, CISA Issues Directive

CISA Warns of Active Exploitation of Palo Alto GlobalProtect Auth Bypass Flaw (CVE-2026-0257)

Severity: CRITICAL
Published: June 1, 2026
Updated: June 6, 2026
Topics: Vulnerability, Cyberattack, Patch Management

Related Entities (initial)

Organizations: CISA, Cyber Security Agency of Singapore, Palo Alto Networks

Products & Tech: GlobalProtect, PAN-OS, Prisma Access

Other: Rapid7

CVE Identifiers: CVE-2026-0257 (severity MEDIUM, CVSS 7.8)

Full Report (when first published)

Executive Summary

An authentication bypass vulnerability, CVE-2026-0257, in Palo Alto Networks PAN-OS software is being actively exploited. Affecting the GlobalProtect portal and gateway features, the flaw allows a remote, unauthenticated attacker to forge a valid authentication cookie and gain unauthorized VPN access. While the vulnerability is configuration-dependent and rated as medium severity (CVSS 7.8), its active exploitation has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. Organizations using the affected products are urged to apply patches or mitigations immediately to prevent compromise of their network perimeter.


Vulnerability Details

CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect feature in PAN-OS and Prisma Access. The core issue lies in the improper handling of authentication override cookies under a specific, non-default configuration.

  • Attack Vector: An unauthenticated, remote attacker can send a crafted request to a vulnerable GlobalProtect interface.
  • Prerequisites: Successful exploitation requires a specific misconfiguration:
    1. The 'authentication override' feature is enabled on the gateway or portal.
    2. A certificate used for another purpose (e.g., the portal's main HTTPS TLS certificate) is reused for encrypting the authentication override cookies.
  • Mechanism: When this misconfiguration is present, the public key of the reused certificate is available to the attacker (a portal TLS certificate, for instance, is presented to every client that connects). With that public key, the attacker can forge a cryptographically valid authentication cookie, present it to the GlobalProtect interface, and bypass all other authentication checks, establishing a VPN session as if they were a legitimate user.

Affected Systems

  • Product: Palo Alto Networks PAN-OS
  • Feature: GlobalProtect portal and gateway
  • Versions: Various versions of PAN-OS are affected. Customers should refer to the Palo Alto Networks security advisory for a complete list.
  • Product: Prisma Access

Exploitation Status

The vulnerability is under active, albeit limited, exploitation. Palo Alto Networks confirmed observing exploit attempts against unpatched devices. Security firm Rapid7 reported two distinct waves of exploitation on May 17 and May 21, 2026, likely from a single threat actor. While Rapid7 confirmed successful exploitation via forged cookies, they did not observe any post-exploitation lateral movement.

On May 29, 2026, CISA added CVE-2026-0257 to its KEV catalog, a strong indicator of credible, widespread risk. Federal agencies were directed to patch by June 1, 2026.

Despite the medium CVSS score, an authentication bypass on a perimeter security appliance like a VPN gateway should be treated as a critical risk. It provides a direct entry point into the corporate network for an unauthenticated attacker.


Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • URL Pattern (/global-protect/login.esp): Monitor web logs for anomalous requests or a high volume of failed attempts followed by a successful connection from the same IP to the GlobalProtect login page.
  • Log Source (PAN-OS System Logs): Look for logs indicating successful VPN connections from unknown or suspicious IP addresses without corresponding authentication logs (e.g., RADIUS, LDAP).
  • Network Traffic Pattern (VPN traffic from unexpected sources): Analyze VPN connection metadata for sessions originating from unusual countries or IP ranges not associated with your user base.
  • Configuration Check (authentication-override): Proactively scan PAN-OS configurations to identify devices where authentication-override is enabled and check whether the associated certificate is reused elsewhere.

Detection Methods

  • Log Analysis: Correlate web server access logs for the GlobalProtect portal with VPN authentication logs. A successful VPN connection without a preceding successful authentication event (or with a cookie-based auth log) from a suspicious source IP is a strong indicator of compromise. This is an application of D3FEND's Network Traffic Analysis (D3-NTA).
  • Vulnerability Scanning: Use vulnerability scanners with updated plugins for CVE-2026-0257 to identify affected and misconfigured instances on your network perimeter.
  • Configuration Auditing: Regularly audit PAN-OS configurations to ensure that dedicated, unique certificates are used for sensitive functions like authentication cookie encryption. This aligns with D3FEND's Application Configuration Hardening (D3-ACH).
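The log correlation described in the hunting hints and in the Log Analysis bullet above, as an added example that is not part of the original article or of any Palo Alto Networks tooling. The log line format and the sample events are constructed for illustration and are not real PAN-OS log syntax; the 5-minute authentication window is an assumed tuning value.

```python
"""Correlate GlobalProtect gateway logins with authentication events.
Added example, not from the article or Palo Alto Networks; the log line
format and sample events are constructed and are not real PAN-OS syntax."""
import re
from datetime import datetime, timedelta

# Constructed sample: one normal login, then two gateway logins from a
# single source IP with no authentication event behind them.
SAMPLE_LOGS = """\
2026-05-17T08:01:10 src=203.0.113.10 event=auth-success user=alice method=ldap
2026-05-17T08:01:12 src=203.0.113.10 event=gateway-login user=alice
2026-05-17T09:30:05 src=198.51.100.7 event=gateway-login user=bob
2026-05-17T09:45:00 src=198.51.100.7 event=gateway-login user=carol
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) event=(\S+) user=(\S+)")
AUTH_WINDOW = timedelta(minutes=5)  # an auth-success covers logins this long (assumed)

def parse(log_text):
    """Yield (timestamp, src_ip, event, user) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, event, user = m.groups()
            yield datetime.fromisoformat(ts), src, event, user

def find_unauthenticated_logins(log_text, window=AUTH_WINDOW):
    """Gateway logins with no auth-success for the same (src, user) within
    `window` before them. A forged override cookie yields exactly this
    shape: a VPN session with no backing RADIUS/LDAP authentication event."""
    last_auth = {}  # (src, user) -> time of most recent auth-success
    suspicious = []
    for ts, src, event, user in sorted(parse(log_text)):
        key = (src, user)
        if event == "auth-success":
            last_auth[key] = ts
        elif event == "gateway-login":
            auth_ts = last_auth.get(key)
            if auth_ts is None or ts - auth_ts > window:
                suspicious.append((ts.isoformat(), src, user))
    return suspicious

def sources_cycling_accounts(suspicious, threshold=2):
    """Source IPs with unauthenticated logins for >= threshold distinct
    users; one IP stepping through several accounts is a stronger signal."""
    users_by_src = {}
    for _, src, user in suspicious:
        users_by_src.setdefault(src, set()).add(user)
    return sorted(s for s, users in users_by_src.items() if len(users) >= threshold)
```

Against the sample, both logins from 198.51.100.7 are flagged and that IP is reported as cycling accounts, while alice's login is covered by her LDAP authentication two seconds earlier.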

Remediation Steps

Palo Alto Networks has provided several options for remediation. Organizations should prioritize these actions:

  1. Patch (Primary Solution): Upgrade to a patched version of PAN-OS immediately. This is the most effective solution. This is a direct application of D3FEND's Software Update (D3-SU).
  2. Mitigation (If Patching is Delayed):
    • Disable Authentication Override: If the feature is not essential, disable authentication-override to eliminate the attack vector.
    • Use a Dedicated Certificate: If the feature is required, generate a new, unique certificate that is used exclusively for the authentication override cookie encryption and for no other purpose. This breaks the prerequisite for the attack.

Given the KEV status, patching should be considered urgent and performed within emergency change control windows.
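The configuration audit that the mitigation steps and the Configuration Check hunting hint call for, as an added example that is not part of the original article or of Palo Alto Networks' own tooling. The inventory structure (one record per certificate use per device) is a constructed, simplified view and is not the PAN-OS configuration format; device and certificate names are placeholders.

```python
"""Audit certificate reuse behind the CVE-2026-0257 precondition.
Added example, not from the article or Palo Alto Networks; the inventory
below is a constructed, simplified view, not the PAN-OS configuration format."""

COOKIE_USE = "auth-override-cookie"

# Constructed inventory: one record per certificate use on each device.
INVENTORY = [
    {"device": "fw-edge-1", "purpose": "portal-tls", "cert": "gp-portal-cert"},
    {"device": "fw-edge-1", "purpose": COOKIE_USE, "cert": "gp-portal-cert", "enabled": True},
    {"device": "fw-edge-2", "purpose": "portal-tls", "cert": "gp-portal-cert"},
    {"device": "fw-edge-2", "purpose": COOKIE_USE, "cert": "cookie-only-cert", "enabled": True},
    {"device": "fw-edge-3", "purpose": "portal-tls", "cert": "gp-portal-cert"},
    {"device": "fw-edge-3", "purpose": COOKIE_USE, "cert": "gp-portal-cert", "enabled": False},
]

def audit(inventory):
    """Classify each device: 'exposed' when authentication-override is enabled
    and its cookie certificate is also used for another purpose on that device;
    otherwise 'ok' with the reason (override disabled, or dedicated cert)."""
    by_device = {}
    for rec in inventory:
        by_device.setdefault(rec["device"], []).append(rec)
    findings = {}
    for device, recs in sorted(by_device.items()):
        override = next((r for r in recs if r["purpose"] == COOKIE_USE), None)
        if override is None or not override.get("enabled"):
            findings[device] = "ok: authentication-override disabled"
            continue
        cert = override["cert"]
        other_uses = sorted(r["purpose"] for r in recs
                            if r["cert"] == cert and r["purpose"] != COOKIE_USE)
        if other_uses:
            findings[device] = (f"exposed: cookie cert {cert!r} also used for "
                                f"{', '.join(other_uses)}; mitigate: disable "
                                f"override or issue a dedicated certificate")
        else:
            findings[device] = "ok: dedicated cookie certificate"
    return findings

def exposed_devices(inventory):
    """Devices that should be patched first under emergency change control."""
    return [d for d, f in audit(inventory).items() if f.startswith("exposed")]
```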

Timeline of Events

  1. May 13, 2026: Palo Alto Networks first discloses CVE-2026-0257.
  2. May 17, 2026: First wave of exploitation observed by Rapid7.
  3. May 21, 2026: Second wave of exploitation observed by Rapid7.
  4. May 29, 2026: CISA adds CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog.
  5. June 1, 2026: This article was published.

Article Updates

June 2, 2026

Severity increased

Severity of CVE-2026-0257 escalated to critical due to active exploitation. New MITRE ATT&CK techniques and enhanced detection methods provided.

The severity of CVE-2026-0257, affecting Palo Alto GlobalProtect, has been officially escalated from medium to critical due to ongoing active exploitation. This update includes new technical details, specifically mapping the observed exploitation to MITRE ATT&CK techniques such as 'Exploit Public-Facing Application' (T1190), 'External Remote Services' (T1133), and 'Valid Accounts' (T1078). Enhanced detection methods and hunting hints, incorporating D3FEND references like Authentication Event Thresholding and Network Traffic Analysis, are now provided to assist organizations in identifying vulnerable systems and detecting compromise. The CISA KEV status and June 1 deadline for federal agencies are reiterated, with a strong recommendation for all organizations to apply patches or mitigations immediately.

June 6, 2026

Severity increased

Palo Alto Networks' Unit 42 confirms active exploitation of CVE-2026-0257, emphasizing its critical impact and the release of a public PoC exploit.

Palo Alto Networks' Unit 42 has officially confirmed active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability in PAN-OS GlobalProtect. The new report highlights the increased threat level due to the public release of a Proof-of-Concept (PoC) exploit, which significantly raises the risk of widespread attacks. Unit 42 reiterates the critical impact of the flaw, even without observed lateral movement, as it provides an initial foothold for attackers. The update also provides enhanced guidance for detection, response, and threat hunting, including monitoring for suspicious host IDs and device names, and leveraging Cortex Xpanse for asset identification.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Authentication Bypass, CISA, CVE-2026-0257, GlobalProtect, KEV, Palo Alto Networks, VPN
