Actively Exploited PAN-OS Flaw (CVE-2026-0257) Allows VPN Hijack, CISA Adds to KEV

Executive Summary

Palo Alto Networks has issued an urgent warning that a medium-severity authentication bypass vulnerability, CVE-2026-0257, is under active exploitation. The flaw resides in the PAN-OS software that powers the company's firewalls and affects the GlobalProtect portal and gateway features. Successful exploitation allows an attacker to forge authentication cookies and establish an unauthorized VPN session, bypassing all authentication controls. Security firm Rapid7 has confirmed observing exploitation attempts, and in response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog. Organizations are strongly advised to apply patches immediately or implement the recommended mitigations.

Vulnerability Details

CVE-2026-0257 is an authentication bypass vulnerability with a CVSS v3.1 score of 7.8. The flaw arises from a specific misconfiguration where the "authentication override" feature is enabled on the GlobalProtect portal or gateway, and the certificate used to encrypt and decrypt the authentication override cookies is also used for another function (e.g., the portal's main HTTPS service).

In this scenario, an attacker can potentially access the public key of the certificate. By obtaining the public key, the attacker can then forge a valid authentication cookie, present it to the GlobalProtect interface, and gain access as if they were a legitimate, authenticated user. This allows them to establish a VPN connection and gain access to the internal network protected by the firewall.

Affected Systems

The vulnerability affects specific versions of PAN-OS when the following conditions are met:

A GlobalProtect portal or gateway is configured.
The authentication override feature is enabled with an authentication override cookie.
The certificate used for the authentication override feature is also used for another purpose on the firewall.

Organizations using Palo Alto Networks firewalls with GlobalProtect VPN are urged to review their configurations to determine if they are vulnerable.

Exploitation Status

The vulnerability is being actively exploited in the wild. Palo Alto Networks confirmed awareness of limited exploit attempts on May 29, 2026. Security firm Rapid7 reported observing successful exploitation against multiple customers, with two distinct waves of activity on May 17 and May 21, 2026. Due to this confirmed exploitation, CISA added the vulnerability to its KEV catalog on May 29, 2026, requiring U.S. federal civilian agencies to patch by a specified deadline.

Impact Assessment

Successful exploitation of CVE-2026-0257 grants an attacker unauthorized access to a victim's internal network via the VPN. This effectively bypasses a critical layer of perimeter defense. Once inside the network, the attacker can conduct reconnaissance, move laterally to other systems, and attempt to exfiltrate data or deploy further malware, such as ransomware. For organizations that rely on GlobalProtect for remote access, this vulnerability represents a critical breach of their security posture, as it turns a primary defense mechanism into an open door for intruders.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type

log_source

Value

Palo Alto Networks Firewall Logs

Description

Look for successful GlobalProtect authentications from unknown or suspicious IP addresses, especially if they correlate with the exploitation timeline (May 17 onwards).

Type

network_traffic_pattern

Value

(Internal Network)

Description

Monitor for anomalous internal network activity (e.g., network scans, access to sensitive shares) originating from the IP pool assigned to GlobalProtect users.

Type

api_endpoint

Value

/global-protect/portal/css/login.css

Description

Attackers may probe for the vulnerability by making requests to various GlobalProtect endpoints. A spike in requests to portal assets from a single IP could be a sign of reconnaissance.

Detection Methods

Vulnerability Scanning: Use vulnerability scanners with updated plugins to identify firewalls running a vulnerable version of PAN-OS with the specific at-risk configuration.
Log Analysis (D3-NTA): Analyze firewall and VPN logs for anomalies. Key indicators include:
- Successful VPN connections from unexpected geographic locations or IP ranges.
- Multiple failed authentication attempts followed by a sudden success from the same IP.
- A user account showing concurrent VPN sessions from geographically dispersed locations.
Configuration Audit: Programmatically or manually audit your Palo Alto Networks firewall configurations. Specifically, check if the certificate assigned under Device > GlobalProtect > Portals/Gateways > Agent > Agent Configs > App is the same as the one used for another service.

Remediation Steps

Palo Alto Networks has released patched versions of PAN-OS and strongly urges all affected customers to upgrade immediately.

Immediate Mitigation (if patching is not possible): If you cannot upgrade immediately, you can mitigate the vulnerability by breaking the precondition for the attack. Choose one of the following:

Disable Authentication Override: In the firewall configuration, disable the authentication override feature for the GlobalProtect portal and gateway. OR
Use a Dedicated Certificate: Configure a new, unique, self-signed certificate that is used only for the authentication override feature and for no other purpose on the firewall. This prevents the attacker from being able to obtain the public key needed to forge the cookie.

Verification: After applying the patch or mitigation, verify that the GlobalProtect portal is functioning as expected for legitimate users and that the configuration no longer uses a shared certificate for the override feature.

For organizations unable to patch immediately, Application Configuration Hardening is the required mitigation. Security teams must audit their GlobalProtect configurations to identify the specific conditions that enable this exploit. The key action is to ensure the certificate used for the authentication override feature is not shared with any other service. Teams should generate a new, dedicated, self-signed certificate and assign it exclusively to the authentication override cookie configuration (Device > GlobalProtect > Portals/Gateways > Agent > Agent Configs > App). This breaks the attacker's ability to discover the public key and forge a cookie. Alternatively, if the authentication override feature is not a business requirement, it should be disabled entirely. This configuration change directly removes the vulnerable state and is an effective compensating control until patching can be completed.

Palo Alto Networks PAN-OS Vulnerability (CVE-2026-0257) Under Active Exploitation