Palo Alto GlobalProtect Vulnerability (CVE-2026-0257) Under Active Attack, CISA Issues Directive

CISA Warns of Active Exploitation of Palo Alto GlobalProtect Auth Bypass Flaw (CVE-2026-0257)

Severity: CRITICAL
Published: June 1, 2026 | Updated: June 2, 2026
Categories: Vulnerability, Cyberattack, Patch Management

Related Entities (initial)

  • Organizations: Palo Alto Networks, CISA, Cyber Security Agency of Singapore
  • Products & Tech: PAN-OS, GlobalProtect, Prisma Access
  • CVE Identifiers: CVE-2026-0257 (MEDIUM, CVSS 7.8)

Full Report (when first published)

Executive Summary

An authentication bypass vulnerability, CVE-2026-0257, in Palo Alto Networks PAN-OS software is being actively exploited. Affecting the GlobalProtect portal and gateway features, the flaw allows a remote, unauthenticated attacker to forge a valid authentication cookie and gain unauthorized VPN access. While the vulnerability is configuration-dependent and rated as medium severity (CVSS 7.8), its active exploitation has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. Organizations using the affected products are urged to apply patches or mitigations immediately to prevent compromise of their network perimeter.


Vulnerability Details

CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect feature in PAN-OS and Prisma Access. The core issue lies in the improper handling of authentication override cookies under a specific, non-default configuration.

  • Attack Vector: An unauthenticated, remote attacker can send a crafted request to a vulnerable GlobalProtect interface.
  • Prerequisites: Successful exploitation requires a specific misconfiguration:
    1. The 'authentication override' feature is enabled on the gateway or portal.
    2. A certificate used for another purpose (e.g., the portal's main HTTPS TLS certificate) is reused for encrypting the authentication override cookies.
  • Mechanism: When this misconfiguration is present, the attacker can obtain the public key of the certificate; a TLS server certificate, public key included, is sent to every client that connects to the portal. With that public key, the attacker can forge a cryptographically valid authentication cookie, present it to the GlobalProtect interface, and bypass all other authentication checks, establishing a VPN session as if they were a legitimate user.

Affected Systems

  • Products: Palo Alto Networks PAN-OS; Prisma Access
  • Feature: GlobalProtect portal and gateway
  • Versions: Various versions of PAN-OS are affected. Customers should refer to the Palo Alto Networks security advisory for a complete list.

Exploitation Status

The vulnerability is under active, albeit limited, exploitation. Palo Alto Networks confirmed observing exploit attempts against unpatched devices. Security firm Rapid7 reported two distinct waves of exploitation on May 17 and May 21, 2026, likely from a single threat actor. While Rapid7 confirmed successful exploitation via forged cookies, they did not observe any post-exploitation lateral movement.

On May 29, 2026, CISA added CVE-2026-0257 to its KEV catalog, a strong indicator of credible, widespread risk. Federal agencies were directed to patch by June 1, 2026.

Despite the medium CVSS score, an authentication bypass on a perimeter security appliance like a VPN gateway should be treated as a critical risk. It provides a direct entry point into the corporate network for an unauthenticated attacker.


Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • URL Pattern: /global-protect/login.esp. Monitor web logs for anomalous requests or a high volume of failed attempts followed by a successful connection from the same IP to the GlobalProtect login page.
  • Log Source: PAN-OS System Logs. Look for logs indicating successful VPN connections from unknown or suspicious IP addresses without corresponding authentication logs (e.g., RADIUS, LDAP).
  • Network Traffic Pattern: VPN traffic from unexpected sources. Analyze VPN connection metadata for sessions originating from unusual countries or IP ranges not associated with your user base.
  • Configuration Check: authentication-override. Proactively scan PAN-OS configurations to identify devices where authentication-override is enabled and check if the associated certificate is reused elsewhere.

Detection Methods

  • Log Analysis: Correlate web server access logs for the GlobalProtect portal with VPN authentication logs. A successful VPN connection from a suspicious source IP that has no preceding successful authentication event, or whose only authentication record is a cookie-based login, is a strong indicator of compromise. This is an application of D3FEND's Network Traffic Analysis (D3-NTA).
  • Vulnerability Scanning: Use vulnerability scanners with updated plugins for CVE-2026-0257 to identify affected and misconfigured instances on your network perimeter.
  • Configuration Auditing: Regularly audit PAN-OS configurations to ensure that dedicated, unique certificates are used for sensitive functions like authentication cookie encryption. This aligns with D3FEND's Application Configuration Hardening (D3-ACH).
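One way to implement the log correlation described above, written as an added example for this write-up rather than as Palo Alto Networks code or a vendor-documented query. The event records are constructed, simplified stand-ins; real PAN-OS system and authentication logs have their own field layout and would need a parser of their own. The 24-hour cookie lifetime and the 10-minute failure window are assumed policy values. A tunnel connection counts as explained when the same user has a non-cookie (interactive) authentication success within the cookie lifetime; anything else is reported, together with the number of failed attempts seen from the connecting IP shortly before.

```python
"""Correlate GlobalProtect tunnel connections with authentication events.

Added example, not Palo Alto Networks code. Event rows below are constructed
and simplified; adapt parse_events() to the real log format before use.
"""
from datetime import datetime, timedelta

COOKIE_LIFETIME = timedelta(hours=24)   # assumed policy value, not a PAN-OS default
FAIL_WINDOW = timedelta(minutes=10)     # assumed window for "burst of failures"

# Constructed sample events: (timestamp, kind, src_ip, user, detail)
#   kind "auth": authentication log, detail = "<method>:<result>"
#   kind "conn": gateway reports tunnel established, detail = "connected"
SAMPLE_EVENTS = [
    # alice: interactive LDAP login, tunnel, then a cookie re-connect hours later (legitimate)
    ("2026-05-17 09:00:02", "auth", "203.0.113.10", "alice", "ldap:success"),
    ("2026-05-17 09:00:05", "conn", "203.0.113.10", "alice", "connected"),
    ("2026-05-17 13:30:00", "auth", "203.0.113.10", "alice", "cookie:success"),
    ("2026-05-17 13:30:01", "conn", "203.0.113.10", "alice", "connected"),
    # bob: burst of failures, then a cookie-only success and tunnel; no interactive auth ever
    ("2026-05-17 10:14:10", "auth", "198.51.100.7", "bob", "ldap:failure"),
    ("2026-05-17 10:14:20", "auth", "198.51.100.7", "bob", "ldap:failure"),
    ("2026-05-17 10:14:30", "auth", "198.51.100.7", "bob", "ldap:failure"),
    ("2026-05-17 10:15:01", "auth", "198.51.100.7", "bob", "cookie:success"),
    ("2026-05-17 10:15:02", "conn", "198.51.100.7", "bob", "connected"),
    # carol: interactive auth two days earlier, cookie re-connect long after the lifetime
    ("2026-05-15 08:00:00", "auth", "192.0.2.44", "carol", "radius:success"),
    ("2026-05-15 08:00:03", "conn", "192.0.2.44", "carol", "connected"),
    ("2026-05-17 11:00:00", "auth", "192.0.2.99", "carol", "cookie:success"),
    ("2026-05-17 11:00:01", "conn", "192.0.2.99", "carol", "connected"),
]


def parse_events(rows):
    """Turn raw rows into dicts with datetime objects, sorted chronologically."""
    events = [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "kind": kind,
         "src_ip": src_ip, "user": user, "detail": detail}
        for ts, kind, src_ip, user, detail in rows
    ]
    events.sort(key=lambda e: e["time"])
    return events


def find_unexplained_connections(events, cookie_lifetime=COOKIE_LIFETIME, fail_window=FAIL_WINDOW):
    """Report tunnel connections not backed by an interactive auth success within cookie_lifetime."""
    last_interactive = {}   # user -> time of the most recent non-cookie success
    failures = []           # (time, src_ip) of every failed authentication
    findings = []
    for e in events:
        if e["kind"] == "auth":
            method, result = e["detail"].split(":", 1)
            if result == "success" and method != "cookie":
                last_interactive[e["user"]] = e["time"]
            elif result == "failure":
                failures.append((e["time"], e["src_ip"]))
        elif e["kind"] == "conn":
            seen = last_interactive.get(e["user"])
            if seen is not None and e["time"] - seen <= cookie_lifetime:
                continue  # a fresh interactive login explains this tunnel
            burst = sum(1 for t, ip in failures
                        if ip == e["src_ip"] and e["time"] - t <= fail_window)
            findings.append({
                "time": e["time"].isoformat(sep=" "),
                "user": e["user"],
                "src_ip": e["src_ip"],
                "reason": ("no interactive authentication on record" if seen is None
                           else "last interactive authentication older than cookie lifetime"),
                "failed_attempts_before": burst,
            })
    return findings


if __name__ == "__main__":
    for f in find_unexplained_connections(parse_events(SAMPLE_EVENTS)):
        print(f"{f['time']} user={f['user']} src={f['src_ip']} "
              f"failures_before={f['failed_attempts_before']}: {f['reason']}")
```

Run over the constructed sample, the script reports bob (cookie-only success after three failures from the same IP) and carol (cookie re-connect long after her last interactive login) and stays silent on alice, whose cookie re-connect sits inside the lifetime of a real LDAP login. Tuning the lifetime to the value actually configured for authentication override is what keeps legitimate re-connects out of the findings.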

Remediation Steps

Palo Alto Networks has provided several options for remediation. Organizations should prioritize these actions:

  1. Patch (Primary Solution): Upgrade to a patched version of PAN-OS immediately. This is the most effective solution. This is a direct application of D3FEND's Software Update (D3-SU).
  2. Mitigation (If Patching is Delayed):
    • Disable Authentication Override: If the feature is not essential, disable authentication-override to eliminate the attack vector.
    • Use a Dedicated Certificate: If the feature is required, generate a new, unique certificate that is used exclusively for the authentication override cookie encryption and for no other purpose. This breaks the prerequisite for the attack.
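An audit for the certificate reuse that both the Configuration Check hunting hint and the dedicated-certificate mitigation above turn on, written as an added example that is not Palo Alto Networks code. The XML element and attribute names (ssl-tls-service-profiles, authentication-override, certificate, and so on) are hypothetical stand-ins chosen to illustrate the shape of the check; they do not follow the real PAN-OS configuration schema, so the XPath expressions would have to be mapped onto an actual configuration export. The sample configuration is constructed. One assumption in the logic: the same authentication-override certificate shared by the portal and its gateways is treated as a single purpose, while any TLS-profile use of that certificate is a conflict.

```python
"""Flag GlobalProtect components whose authentication-override certificate is reused.

Added example, not Palo Alto Networks code. Element and attribute names are
hypothetical; a real PAN-OS export uses a different schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration: one non-compliant portal, one compliant gateway,
# one gateway with the feature disabled.
SAMPLE_CONFIG = """
<config>
  <ssl-tls-service-profiles>
    <entry name="portal-profile" certificate="portal-tls-cert"/>
    <entry name="mgmt-profile" certificate="mgmt-cert"/>
  </ssl-tls-service-profiles>
  <global-protect>
    <portal name="gp-portal" ssl-tls-service-profile="portal-profile">
      <!-- non-compliant: cookie certificate is also the portal's HTTPS certificate -->
      <authentication-override enabled="yes" certificate="portal-tls-cert"/>
    </portal>
    <gateway name="gp-gateway" ssl-tls-service-profile="portal-profile">
      <!-- compliant: dedicated certificate, used for nothing else -->
      <authentication-override enabled="yes" certificate="auth-override-cert"/>
    </gateway>
    <gateway name="gp-gateway-legacy" ssl-tls-service-profile="portal-profile">
      <!-- feature disabled: the reused certificate is not a cookie-forgery prerequisite here -->
      <authentication-override enabled="no" certificate="portal-tls-cert"/>
    </gateway>
  </global-protect>
</config>
"""

AUTH_OVERRIDE = "auth-override"


def certificate_uses(root):
    """Map each certificate name to the set of 'purpose:component' strings referencing it."""
    uses = {}
    for profile in root.findall("./ssl-tls-service-profiles/entry"):
        uses.setdefault(profile.get("certificate"), set()).add(f"tls-profile:{profile.get('name')}")
    for comp in root.findall("./global-protect/*"):
        ao = comp.find("authentication-override")
        if ao is not None and ao.get("enabled") == "yes":
            uses.setdefault(ao.get("certificate"), set()).add(f"{AUTH_OVERRIDE}:{comp.get('name')}")
    return uses


def audit_auth_override(config_xml):
    """Return one finding per portal/gateway with auth-override enabled on a shared certificate."""
    root = ET.fromstring(config_xml)
    uses = certificate_uses(root)
    findings = []
    for comp in root.findall("./global-protect/*"):
        ao = comp.find("authentication-override")
        if ao is None or ao.get("enabled") != "yes":
            continue  # feature off: certificate reuse is not exploitable through cookies
        cert = ao.get("certificate")
        # Other auth-override components sharing the certificate are the same purpose;
        # anything else (here, a TLS service profile) is a conflict.
        conflicts = sorted(u for u in uses.get(cert, set()) if not u.startswith(AUTH_OVERRIDE + ":"))
        if conflicts:
            findings.append({
                "component": f"{comp.tag}:{comp.get('name')}",
                "certificate": cert,
                "also_used_by": conflicts,
                "remediation": "disable authentication-override, or issue a dedicated "
                               "certificate that is used for nothing else",
            })
    return findings


if __name__ == "__main__":
    for f in audit_auth_override(SAMPLE_CONFIG):
        print(f"{f['component']}: certificate '{f['certificate']}' also used by "
              f"{', '.join(f['also_used_by'])}")
        print(f"  -> {f['remediation']}")
```

Against the sample, only gp-portal is reported: its cookie certificate is the same one the portal's TLS profile serves to every connecting client. The disabled gateway is skipped on purpose, since with authentication override off the shared certificate is no longer the prerequisite described in the vulnerability details; re-enabling the feature later would bring it back into scope, which is why the audit should run on every configuration change rather than once.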

Given the KEV status, patching should be considered urgent and performed within emergency change control windows.

Timeline of Events

  1. May 13, 2026: Palo Alto Networks first discloses CVE-2026-0257.
  2. May 17, 2026: First wave of exploitation observed by Rapid7.
  3. May 21, 2026: Second wave of exploitation observed by Rapid7.
  4. May 29, 2026: CISA adds CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog.
  5. June 1, 2026: This article was published.

Article Updates

June 2, 2026

Severity of CVE-2026-0257 escalated to critical due to active exploitation. New MITRE ATT&CK techniques and enhanced detection methods provided.

MITRE ATT&CK Mitigations

  • Apply the security patches provided by Palo Alto Networks to fix the vulnerability.
  • If patching is not possible, apply the recommended configuration changes, such as using a dedicated certificate for cookie encryption.
  • Restrict access to the GlobalProtect portal from untrusted IP addresses if possible, reducing the attack surface.
  • Audit (M1047, enterprise): Increase logging and monitoring for the affected systems to detect exploitation attempts.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: CVE-2026-0257, Palo Alto Networks, GlobalProtect, VPN, Authentication Bypass, KEV, CISA
